Expect the Unexpected: A Recap of the BCP + DR Planning Webinar by Todd Atnip

by Hannah Grace Holladay / April 27th, 2023

Unfortunately, one of the only things we can rely on in the cybersecurity world is that threats are always looming.  We know that it is a matter of when, not if, your business will undergo an attack.  Have you planned for that? Is your organization prepared to face the unexpected and still land on it’s feet?

A well developed and properly tested business continuity plan (BCP) and disaster recovery (DR) plan is the best way to prepare to face the unexpected.  In this blog, we’ll recap our BCP + DR webinar by Todd Atnip so your organization can feel prepared to face today’s threats confidently.

Threat Overview

Again, threats are everywhere and they are becoming more advanced every day. The 2023 estimated global cost of cybercrime is $8 trillion.  This is the greatest transfer of economic wealth in human history.  It is more profitable than the global trade of all major illegal drugs combined.

The annual cost of ransomware is expected to cost its victims $265 billion by 2031 with a new attack (on consumers and organizations) every 2 seconds.  Ransomware perpetrators are progressively refining their malware payloads and related extortion activities. If you stacked all of these one dollar bills together, they would be 18,000 miles long – that’s almost as high up into space as the commercial communications satellites.

In addition to these external threats, organizational disconnect is the most common threat businesses face.  There is a huge gap between the business continuity plans created by business execs and the integration of those plans by actual cybersecurity leaders.  92% of business execs agree that business continuity is integrated into enterprise risk management strategies. Only 55% of cybersecurity leaders (those implementing the controls) surveyed agreed.

Luckily, this is also the most solvable threat. By creating and implementing a BCP, testing it properly, and training all involved parties, businesses can be confident in the controls and practices they’ve created to protect their hard work and valuable data.  Let’s dive into how to do that.

The Documents

There are a few documents and procedures that must be created to have a formally documented business continuity or disaster recovery plan: the plan itself, a business impact analysis, and an action plan. 

Let’s define each of these:

What is a Business Continuity & Disaster Recovery Plan?

A deliberate and actionable strategy to ensure service delivery in the event of a major disruptive event impacting essential business functions, processes, or technologies.

What is a Business Impact Analysis?

A business impact analysis (BIA) is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption.

Why is it important?

You need to understand what you’re protecting, the impact of those things, how long it will take you recover, and the expectations around recovery.

The ability to effectively prioritize activities when executing a BCP/DR plan is driven by the BIA.  Additionally, the BIA assesses and informs on recovery time requirements (RTO / RPO).  These should be performed at function or process levels at least and sometimes at asset levels.  A key outcome of this activity is reconciling any disagreements on recovery priorities.

Most organizations use IT and technology resources as a shared service.  Each major division or function of a company shares the same IT resources.  So, in a disaster scenario, who gets their stuff back first?  The BIA is a major resource your organization can use to inform these types of decisions. 

The second important thing this exercise does is reveal any disconnects between business expectations of recovery and actual capability to meet those expectations.  If you transact a large portion of your business via email and your PST file is 2 TB, you can’t have the business believing in a 2–4-hour RTO unless you’ve implemented a backup and recovery strategy that aligns with that expectation.  Physical limitations must also be discussed in terms of RTO/RPO.

What is an Actionable Plan?

A framework that contains all categories of action required to make sure the essential elements of your service delivery are recovered both timely and effectively.  This plan should be actionable, not overwhelming.

The key elements in this plan are:

  • Clear disaster declaration criteria
    • Make sure you clarify the difference between an incident and a disaster as well as the response plans to each.
  • Role definition
    • Who is leading this team and who else is on it? What are they responsible for?
  • Communication essentials
    • Define how communication should take place, who should be contacted and in what order, and who is responsible for these communications.
  • Restoration procedures
    • You should have more details here about how to restore technology and business processes.  But remember to still make it simple, actionable, and understandable.
  • Testing cycles
    • You have to test your plan at least annually.
    • Normally a tabletop exercise is used, but simulations are also a good option (but generally not required by audit frameworks).
  • Detailed appendices
    • This is generally for reference material that may be needed at some point (e.g., contact lists, technology diagrams) – putting these things in an appendix helps keep the noise out of the main plan since they are not constantly needed.

Key Components of a Business Continuity and Disaster Recovery Plan

While there are several elements of a BCP and DR plan, they all fit into 4 categories:

  1. Technology
  2. People
  3. Facilities
  4. Supply Chain

When these four areas are accounted for, you can be confident that all areas of your business are covered.  Make sure to listen to the recording for more details on these areas!

Test, Test, Test Again!

Plans that are not tested are not plans: they are aspirations. They are ambitions and hopes.

Additionally, most major audit frameworks require testing as one of the controls that should be in operation.

Test relevant scenarios based on your organizational risk assessment.  Ask, “What are the most likely scenarios for you?”

If you have high availability in the cloud, prove it.  Failover a small, low risk part of your service delivery to the high availability (HA) component and make sure it works.

Finally, remember that having something in place doesn’t guarantee capability.  Everything deserves to be tested. Only then can you be confident in its functionality and ability to protect your business.

Expect the Unexpected

Adopt the “when not if” mindset.  Create a business continuity and disaster recovery plan that protects all of your assets.  Communicate it to all parties that need to be involved.  Test it thoroughly.

If you need additional help creating or testing your recovery plans, connect with one of our experts.  Let us review your BCP and make sure you’re ready for the unexpected. 

About the Author

Hannah Grace Holladay

Hannah Grace Holladay is an experienced content marketer with degrees in both creative writing and public relations. She has earned her Certificate in Cybersecurity (CC) certification from (ISC)2 and has worked for KirkpatrickPrice since November 2019, starting first as a Professional Writer before moving to the marketing team as our Content Marketing Specialist. Her experience at KirkpatrickPrice and love for storytelling inspires her to create content that educates, empowers, and inspires the cybersecurity industry.