Organizations have been left reeling from a flurry of business crises over the past two years. Data breaches, natural disasters, economic turbulence and the COVID-19 pandemic have many concerned about how they will withstand additional events in the coming year.
In FTI Consulting's recent Resilience Barometer survey, business leaders in Germany cited a long list of scenarios they're concerned will harm their business in the near term. Nevertheless, efforts to prepare for such events continue to be underprioritized. The survey found that 65% of respondents agreed with the statement that their organization struggles to adequately plan for an increasing number of crisis scenarios. Only one-third said they're investing in updated business continuity (BC) plans.
What's particularly interesting about these figures is that many organizations are making a significant investment in cybersecurity by adding internal and external resources to safeguard their systems and prevent attacks. This is important progress, as cyberthreats present some of the greatest risks to organizations across financial, regulatory compliance, operational and reputational resiliency. However, no system can be 100% secure 100% of the time -- intrusions will still occur. Moreover, cyber-risk aside, there are countless other crisis events that can disrupt and cause significant harm to a business.
The key to reducing these risks is to invest adequately in BC plans, as well as refresh and modernize IT infrastructure. Unfortunately, many decision-makers within a corporation view IT as a cost center and a top target when budgets must be cut.
Keep systems updated for reliable continuity
Many businesses simply bolt on new tools as the business grows without investing in a holistic refresh of systems. This creates an unwieldy IT landscape that can be very difficult to restore if systems are shut down or put under stress during a major incident. This is a common but serious misstep, as IT resilience is critical to keeping everything within an organization up and running, especially in a crisis.
For example, one FTI Consulting client had an IT landscape that hadn't been updated for more than 40 years. As the company grew organically and by acquisition, the IT infrastructure was never integrated or updated. Instead, more and more systems were added over the decades. When the company was faced with a large, high-stakes investigation, it had no map of the internal applications and systems that potentially contained important or sensitive data. This led to a lengthy and costly investigation and exposed the company to unnecessary risk.
In another matter, a client's business was completely shut down for more than three weeks following a cyberincident. The attacker encrypted all the client's systems and, because the organization didn't have a working BC plan, it was impossible for business operations to continue until the incident was fully resolved. For this client -- and many organizations like it -- a lengthy standstill spiraled to severe business consequences, including potential insolvency.
These examples illustrate that surviving a major crisis requires a robust BC plan and countermeasures that are up to date and supported by a sophisticated IT infrastructure. Business leaders must rethink their IT strategy to ensure their organization's systems are modernized and resilient enough to withstand a wide range of disasters.
5 ways to strengthen business continuity
There are five steps organizations can take to shore up the gaps in their IT infrastructure to ensure operations can be quickly and wholly resumed in the wake of a significant cyberattack or other major disruption.
1. Map the entire environment.
Organizations need to know what IT systems are in use, how they're used and accessed across the business, and what kind of information is stored within them. Creating and maintaining an up-to-date IT environment will inform teams of what functions rely on legacy systems and what parts of the internal landscape are likely to be the hardest hit during a crisis.
2. Conduct a risk analysis.
IT and cybersecurity teams can work with other business decision-makers to assess risk levels for each system. This involves comparing the organization's business model against the IT infrastructure to determine which systems are mission-critical to operations. During the risk analysis, key considerations -- such as whether the organization can survive without email for a week, what systems are regularly backed up and what systems are cloud-based vs. on premises -- should be weighed and addressed. Organizations may want to assign tiers to each system to define which ones must be restored the fastest.
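Steps 1 and 2 together produce an inventory with tiers and dependencies, and the useful output of that work is a restore order that respects both. The following is an added illustration, not FTI Consulting's tooling or anything from the survey: the inventory is constructed sample data, and the system names, tier numbers and `depends_on` links are assumptions chosen to show the mechanics. It orders restoration with a topological sort that prefers the lowest tier among systems whose dependencies are already back, and it flags the two findings a risk analysis most often surfaces: a mission-critical system with no backup, and a tier inversion where a tier-1 system cannot come back until something classed as tier 3 does.

```python
"""Dependency-aware restore ordering and gap findings for a mapped IT environment.

Added example for the "map the environment" and "risk analysis" steps; the
inventory below is constructed sample data, not a real client's landscape.
"""
from collections import defaultdict

# Constructed inventory: tier 1 restores first; depends_on lists what a system
# needs to be running before it can itself be brought back.
INVENTORY = {
    "active-directory": {"tier": 1, "depends_on": [], "backed_up": True, "hosting": "on-prem"},
    "erp-db": {"tier": 1, "depends_on": [], "backed_up": False, "hosting": "on-prem"},
    "erp": {"tier": 1, "depends_on": ["active-directory", "erp-db", "file-share"],
            "backed_up": True, "hosting": "on-prem"},
    "email": {"tier": 2, "depends_on": ["active-directory"], "backed_up": True, "hosting": "cloud"},
    "file-share": {"tier": 3, "depends_on": [], "backed_up": True, "hosting": "on-prem"},
    "intranet-wiki": {"tier": 3, "depends_on": ["active-directory"], "backed_up": True, "hosting": "on-prem"},
    "legacy-reporting": {"tier": 3, "depends_on": ["erp-db"], "backed_up": False, "hosting": "on-prem"},
}


def restore_order(inventory):
    """Kahn's topological sort; whenever several systems are ready, restore the
    lowest tier first (ties broken by name so the order is reproducible)."""
    indegree = {name: 0 for name in inventory}
    dependents = defaultdict(list)
    for name, meta in inventory.items():
        for dep in meta["depends_on"]:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unmapped system {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    priority = lambda n: (inventory[n]["tier"], n)
    ready = sorted((n for n, d in indegree.items() if d == 0), key=priority)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=priority)
    if len(order) != len(inventory):
        raise ValueError("dependency cycle in inventory; restore order is undefined")
    return order


def gaps(inventory):
    """Findings a risk analysis should surface: tier-1/2 systems without backups,
    and tier inversions (a system depending on something in a lower-priority tier)."""
    findings = []
    for name, meta in sorted(inventory.items()):
        if meta["tier"] <= 2 and not meta["backed_up"]:
            findings.append(f"{name}: tier {meta['tier']} system has no backup")
        for dep in meta["depends_on"]:
            if inventory[dep]["tier"] > meta["tier"]:
                findings.append(
                    f"{name}: tier {meta['tier']} depends on tier {inventory[dep]['tier']} system {dep}")
    return findings


if __name__ == "__main__":
    print("restore order:", " -> ".join(restore_order(INVENTORY)))
    for finding in gaps(INVENTORY):
        print("finding:", finding)
```

In the sample data the ERP, although tier 1, is restored after email because it depends on a tier-3 file share; the `gaps` output names that inversion, which is exactly the kind of mismatch between business priority and technical dependency that the tiering exercise is meant to expose before a crisis rather than during one.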
3. Consider colocation.
It's often the safest course to colocate critical systems or keep certain backup systems offline. Ensure the colocation isn't connected to the corporate network via Active Directory and that it's segmented from other systems, as compromises can occur if the colocation is the primary environment for data storage and has a connection to the corporate network. Colocation lets organizations bring the most essential systems back online and continue operations, even if core systems have been breached or otherwise disrupted.
4. Evaluate and refresh the backup and recovery strategy.
Many organizations keep backups, but backups aren't always frequent enough to provide effective recovery. The backup and recovery strategy should be closely evaluated and refreshed to support business continuity. Key considerations include the frequency of backups (daily, weekly, monthly), what resources are needed to enable a quick recovery if something goes wrong, and which outside providers should be contracted to supply servers, other hardware and recovery services in an emergency. In addition to these considerations, best practices should include protecting access to backups through multifactor authentication, storing copies of backups offline or offsite, and testing the integrity of backups on a regular basis.
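"Testing the integrity of backups on a regular basis" is concrete enough to show in code. The block below is an added example, not FTI Consulting's code or a product feature: it hashes every file in a backup set into a manifest, protects the manifest itself with an HMAC (so an intruder who can rewrite the backup target cannot simply rewrite the hash list to match), verifies the set later, and checks the backup's age against a recovery point objective. The directory layout, file names and HMAC key in `demo()` are constructed for the illustration; in practice the key belongs with the offline or offsite copy, not on the hosts being backed up.

```python
"""Backup integrity and freshness checks.

Added example for the backup-and-recovery step. The backup files created in
demo() are constructed sample data; the HMAC key is a placeholder.
"""
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large dumps don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Record a hash for every file and sign the hash list with an HMAC."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {
        "files": files,
        "created": datetime.now(timezone.utc).isoformat(),
        "mac": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def verify_manifest(backup_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the set matches the manifest."""
    problems = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # If the manifest was altered, none of its hashes can be trusted.
        return ["manifest: MAC mismatch (manifest itself altered)"]
    for rel, digest in manifest["files"].items():
        path = backup_dir / rel
        if not path.is_file():
            problems.append(f"{rel}: missing")
        elif sha256_file(path) != digest:
            problems.append(f"{rel}: hash mismatch")
    for path in sorted(backup_dir.rglob("*")):
        rel = path.relative_to(backup_dir).as_posix()
        if path.is_file() and rel not in manifest["files"]:
            problems.append(f"{rel}: not in manifest")
    return problems


def backup_is_fresh(created_iso: str, max_age_hours: float, now_iso: str = None) -> bool:
    """True if the manifest timestamp is within the recovery point objective."""
    created = datetime.fromisoformat(created_iso)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return now - created <= timedelta(hours=max_age_hours)


def demo():
    """Build a constructed backup set, then show a clean check, a tampered file
    plus an unexpected extra file, and a forged manifest."""
    key = b"placeholder-demo-key"  # assumption: a random key kept with the offline copy
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "erp.dump").write_bytes(b"-- constructed database dump --\n")
        (root / "config.tar").write_bytes(b"constructed config archive")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        (root / "db" / "erp.dump").write_bytes(b"-- altered after backup --\n")
        (root / "extra.bin").write_bytes(b"unexpected")
        tampered = verify_manifest(root, manifest, key)

        forged_files = dict(manifest["files"], **{"config.tar": "0" * 64})
        forged = verify_manifest(root, dict(manifest, files=forged_files), key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(f"{label}: {result or 'ok'}")
```

Run the verification from a host other than the one that wrote the backup, and keep the key and a copy of the manifest with the offline copy; a check that only runs on the backup server tells you little once that server is the one that has been compromised.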
5. Review the BC plans of target companies.
One of the most common ways security, governance and business continuity can be undermined is when the IT practices of acquired companies aren't properly vetted or integrated. During an acquisition, it's important to evaluate the target's BC plans and IT landscape and to create a detailed plan for integration or remediation after the transaction has been completed.
Business risks are becoming more frequent and severe, and no organization can ever be completely insulated from a crisis. A plan for business continuity is paramount and starts with taking care of IT. IT teams are often under immense pressure to deliver results but with limited resources. Organizations need to understand that strong security safeguards are only part of the puzzle and that investing in a modern IT infrastructure that enables a plan to rebound quickly after an incident is just as important.
About the authors
Renato Fazzone is a senior managing director at FTI Consulting and has worked exclusively in the technology field since the early 2000s.
David Dunn is a senior managing director and Head of EMEA Cybersecurity at FTI Consulting. He is an expert in data privacy and cybersecurity resilience, prevention, response, remediation and recovery.