Making Your Business Continuity Plan – Tips for Success

DRI ANZ

You’ve had the training, you know your subject, now it’s time to get that business continuity plan down on paper – or into your PC. However, what seems crystal clear in your head when you start may not turn out quite the same way after you’ve written it out. To help construct a plan that does justice to your vision of how things should be, start with the scope of your business continuity plan. First, make sure that your plan addresses business continuity for processes, not for isolated incidents: for example, ‘denial of access to premises’, rather than ‘fire at the main entrance’. Second, make sure your plan covers all the essential processes – and not just the ones for IT or a central factory, for example.

The style you use is important too – people may need to consult your plan in emergency situations where every minute counts. That means avoiding unnecessary complexity. What readers need to know are the essentials: what should be done, by which person, when and why. Remember also that ‘wish lists’ have no place in a business continuity plan. Indicating that part of the plan will be completed later (a list of main suppliers and service organisations, for instance) means the plan is not finished. Finish it first, then make it available.

Likewise, make sure that the plan covers reasonable possibilities without making any unjustified assumptions. It is quite possible for example that an organisation suffers both IT server crashes and denial of access at the same time. Don’t assume that incidents only happen one at a time, rather than in parallel. And once your business continuity plan is written and distributed to those who need to know, test it and update it regularly. Remember also to send out the updated version of the plan. There are few things worse than staff scrambling to execute an outdated business continuity plan whose vital information is no longer valid!

‘Selling’ Your Business Continuity Plan to Your Organisation

You know the business continuity theory, you’ve made the BC plan, but have you thought about how your target audience will receive your message? Dry documents tend to get filed in dusty places, never to be looked at again. So how can you capture and hold the attention of people in your organisation? Perhaps a few tips from sales and marketing experts will help you to ‘sell’ your BC plan to the people who are the most important to its successful execution when it’s needed. That means managers and employees in your organisation, and possibly suppliers and business partners too.

The first step is to make sure you get the reader’s interest from the start. We’re not talking about sensational newspaper headlines, although even they might be useful sometimes. But one or two well-chosen, provable statistics can get people to pay attention. An example might be: ‘In a recent survey, 24% of companies said they had experienced a full data disaster’ (from Forrester Research, a well-known survey and research company).

Once you have your reader’s attention, you’ll want to keep that person involved while reading the rest of your plan.

  • Use active verbs rather than passive ones. For example, ‘the HR director will ensure that all employees continue to report for work using the company’s internal website if physical access to the premises is not possible’.
  • Use the pronoun ‘You’ when you can reasonably do so, to make sure readers understand that you are communicating to each one of them. For example, ‘You know how important it is to maintain business continuity for your activities and objectives at work’.
  • Make sure that the results to be achieved are clearly expressed, not just the actions to be taken. For example, instead of just writing ‘apply the evacuation procedure’, write ‘make sure that all employees go to their safe assembly point, by applying the evacuation procedure’.

And finally, happy ‘selling’ of your business continuity plan!

A Social Engineering Primer for Business Continuity Managers

DRI ANZ

We live in a digital age with high-tech solutions everywhere. Yet cyber threats to business continuity don’t just come from vulnerabilities in machines, but in people too. Social engineering (a strange term that simply means ‘conning’ people in this context) is one of the most effective techniques that hackers and cyber criminals use. In fact, it’s often much easier for them to play confidence tricks on people to get confidential user and password information, than to try to break the latest encryption software.

‘Social engineers’ use human emotions to get each victim to react in a way that gives them access they should never have.

  • Laziness. We’re not just talking about failure to define strong computer passwords or resist the temptation to write them on a sticky note on your PC. Sometimes trust is in fact laziness in disguise. Allowing the pizza delivery person to roam internal corridors or holding a security door open for someone who ‘seems to have forgotten their access badge’ are examples.
  • Guilt. Pressure to react in a certain way after an accident or taking pity on someone who is apparently in distress are instances here. The difficulty is in deciding whether or not a case is genuine, and social engineering criminals know that piling on the pressure and urgency (“I’m bleeding!”) is a good way to fluster victims. A similar technique is distraction, where a receptionist’s attention is diverted momentarily so that a would-be intruder can glean information on names or phone numbers from the internal directory.
  • Greed. Something for nothing always has a strong attraction. Victims are asked to provide an email address, click on a link or download what appears to be an innocuous file. Hackers then use one employee’s email address to guess others, make the link go to a web phishing page, or attach a virus to the download file.

While you make your business continuity plans, consider building in procedures or solutions that will avoid human characteristics like these becoming a ‘single point of failure’ for your organisation.

Training and Certification in Societal Security – What’s That?!

DRI ANZ

You can stop holding your breath. Societal security as in the standard ISO 22301:2012 is remarkably similar to business continuity management. Before this standard, there was another one called BS 25999-2 that was clearly positioned as the reference for BC management. The ISO standard replaces BS 25999-2. The ISO 22301:2012 standard however makes provision for an organisation to be certified by an accredited body. That means the organisation can show proof of compliance to its different stakeholders, including investors, customers, employees and senior management.

So why the ‘rebranding’, as marketing people would say? Societal security was proposed as an idea by the Copenhagen School of security studies. The aim was to give a concise name to the ‘ability of a society to persist in its essential character under changing conditions and possible or actual threats’. This notion of resilience extends beyond previous notions of business continuity, which were often restricted to enterprises or public sector organisations. In using the ‘societal security’ name, ISO (the International Organisation for Standardisation) broadens the application of business continuity principles to a much wider spectrum.

Training in the ISO 22301:2012 standard is therefore of value to both existing and new business continuity practitioners. Those who already know and practice BC (and who may know the BS 25999-2 standard well) will see how an organisation can prepare itself for certification to the newer ISO standard. Others who are just beginning their careers in business continuity will get the advantage of professionally created training based on the latest standard in this domain, as well as information about moving to certification. Whichever sector you currently work in and whatever your experience, contact DRI-ANZ for information about scheduled training courses covering ISO 22301:2012 and the availability of places.