The path to digital leadership. The fundamentals of business continuity management
Some events can disrupt business processes and even paralyze them indefinitely.
- A steel manufacturer implemented an IT platform to automate its production. But the platform vendor left the market, and the plant had to urgently convert to an alternative solution.
- An online store was actively using clouds to quickly scale to the changes in demand. However, the cloud provider was hacked, and the store lost some of its data.
- A company invested in systems to protect against cyberattacks but disregarded the risk of a power outage. One day, a blackout happened, and the entire business got stalled for several hours.
Businesses can stay resilient to such events by implementing an array of tools for business continuity management (BCM).
They are aimed at detecting critical incidents, preparing anticrisis measures and recovery plans. Further, BCM tools provide the ability to focus on specific consequences of process interruptions. This allows a company to make more targeted decisions and save on excessive interventions.
Such tools can be implemented in different ways depending on the organization’s needs. For example, you can build a full‑fledged business continuity management framework or integrate BCM tools into the existing IT and cybersecurity processes.
Implementing BCM enables the company to act as a single organism capable of maintaining seamless processes, predicting threats, and mitigating their consequences with minimal losses.
This guide will help you gain a quick understanding of business continuity management and, specifically, improve the cyber resilience of your organization.
In the guide, you will find:
- BCM basics
- steps to ensure processes continuity
- checklist with tips for implementing BCM tools
In addition to our recommendations, you are advised to refer to the global best practices, which are compiled in the following documents:
- ISO 22301:2019 Security and resilience—Business continuity management systems—Requirements
- ISO/TS 22317:2021 Security and resilience—Business continuity management systems—Guidelines for business impact analysis
The role of BCM has become particularly prominent over the last few years.
When the world was faced with the pandemic, many found themselves unprepared. Our research showed that 1 in 5 companies failed to keep service quality at the same level when they moved to remote operations. Numerous organizations were struggling to maintain their business processes, including those related to cybersecurity. The reasons for this were the heavy workload on their staff, time constraints, and a lack of technical tools and capacities. The companies most affected by such challenges allocated very few (to none) resources for predicting possible emergencies and developing effective action plans.
The exodus of foreign IT vendors from the Russian market in 2022 has once again demonstrated the importance of BCM mechanisms. Focusing on the company’s operating environment, identifying business‑critical processes, and testing alternative ways to implement them have become prominent elements of continuity management.
The events of the 2020s have transformed the approach to BCM. While there is still much room for improvement, a number of industries have shown promising results since 2020. We are convinced that the positive trend will persist, in which case we can expect significant progress in the coming years.
BCM development rates by industry
The examples below were derived from our practical experience and highlight the possible consequences for a company without any BCM tools in place.
Company A owns a large classifieds platform. The attackers created fake advertisements offering goods on this marketplace and directed potential customers to phishing payment pages.
The users put the blame on the platform and were looking to sue its owners.
Countermeasures and consequences. To stop the attacks on users, Company A banned the exchange of non-official links on its website. The fraudsters nonetheless found a way to bypass the restrictions: they continued the dialog with their victims on social networks and messengers. As a result, the company’s reputation was severely damaged: customer outflow over the period increased tenfold as users lost trust in the marketplace.
How BCM tools could have helped to avoid these consequences. Company A would have been able to anticipate potential phishing scenarios and develop an action plan. However, the organization did not track phishing scams disguised as its brand.
Also, users were not duly protected during the response phase, which allowed the scammers to quickly find a loophole and continue their attacks successfully. By avoiding such mistakes, the company could have retained more of its customers.
The earlier the BCM tools are implemented, the more benefits they deliver. Thus, analyzing scenarios of potential third‑party damage before the start of development could have resulted in a different approach to the platform, for instance, based on a transaction assurance framework.
Company B’s employees detected suspicious activity on their network. It was soon discovered that some attackers had gained access to a privileged account on the computer that was used to administer the company’s entire network. The attackers could have potentially disrupted all of the organization’s business processes and stolen funds from its accounts.
The investigation revealed that behind the attack was the notorious cybercriminal group Silence. The intruders were able to penetrate the critical system because an employee opened a malicious Word file when logged in. From the compromised machine, the attackers infected the organization’s entire network with several remote access tools.
Countermeasures and consequences. Our experts managed to block access to the organization’s network and clean up the malware. Company B also received detailed recommendations on the need to build cybersecurity processes, assemble a team of dedicated specialists, and set up regular security audits.
A few months later, the company reported a repeat attack on its systems and a theft of 43,000 euros. An investigation established that the attack had been launched by the same Silence group that exploited the unresolved security flaws discovered earlier. None of the recommendations were implemented.
How BCM tools could have helped to avoid these consequences. The company focused on building perimeter defenses and purchasing expensive cybersecurity tools, however, the most effective measures would have been to:
- Organize monitoring at an early stage.
- Engage qualified specialists to take care of the cybersecurity systems.
- Implement measures to protect against cyberattacks, as recommended by the experts.
This would have saved money and prevented the repeat incident.
Adversaries posted a fake press release in the media on behalf of Company C. The publication announced the resignation of its CFO. By the time the organization became aware of this misinformation, it was too late to initiate an adequate response and counter the damage.
Countermeasures and consequences. The negligence of Company C caused its shares to drop by almost a quarter. The financial loss from the incident is estimated at several billion US dollars.
How BCM tools could have helped to avoid these consequences.
The main problem with information attacks is that they are extremely difficult to predict. This is further complicated by insufficient resources (tools, people, and time) to monitor the brand’s media coverage.
The mistake is to disregard the risk of misinformation campaigns in crisis management.
Implementing BCM tools, specifically, by engaging independent experts, would have allowed for a detailed assessment of the external environment. For example, understanding the severity of the damage due to the stock decline would have prompted Company C to timely assess the consequences of negative publications as well as insider leaks.
This is another example of an incident that is as difficult to predict as an information attack. Company D discovered some reputation‑damaging information on its website’s home page. This could have led to regulatory sanctions.
The investigation revealed that the illegitimate content had been uploaded using Google Tag Manager (GTM), a tool to track and collect marketing data. Behind the sabotage was an employee of the marketing agency that provided its services to Company D.
Countermeasures and consequences. Company D invited independent cybersecurity experts and consulted with legal advisers regarding the possibility to impose a penalty on the agency.
The experts disabled GTM on the affected website to remove irrelevant content. Then they found and neutralized the infected tag, and restarted the system.
Further, the experts restricted third-party rights in the GTM administration panel.
How BCM tools could have helped to avoid these consequences. Although such attacks are difficult to predict, organizations need to prepare to repel them. BCM mechanisms would have helped to draw up scenarios for incidents that occur through the fault of employees or contractors. Based on this, an effective response can be developed that allows processes to be restored with minimal loss.
BCM is a cyclical process whose components can be broadly divided into two groups: tools development and incident response actions.
BCM tools development
- Examine the business development context: analyze the internal and external environment, record your assets, and carry out market research.
- Perform business impact analysis (BIA) to assess the effects of negative factors on core business processes as well as possible consequences and damage to company operations in the event of an incident.
- Develop economically feasible incident response and recovery measures.
Implement and test the developed measures.
Incident response actions
- Inform the stakeholders about a detected incident.
- Contain the incident, mitigate its effects, and recover the affected processes.
Analyze the root causes of the incident and review your current tools.
Connections between the BCM components are presented in the diagram below.
We will look into each stage of BCM tools development and explore the course of actions in an incident.
The purpose of this stage is to map out the landscape in which the company operates and evolves. This will help you seamlessly adapt to the changing market, digital environment, and legislation.
At this stage:
- Gather all the necessary market information or outsource this activity. This will allow you to assess the external environment and the key risks faced by your market peers. You might also need to review your marketing strategy in terms of reputation protection. Sometimes, engaging independent experts can yield even better results through their broader view of the market.
- Visualize the business processes in your company, map out the links between the departments, and define their roles.
- If you already have emergency action plans, draw up a list of these resources with a summary of their content. Document the rules that exist in your company, but are not yet recorded anywhere.
- Take a detailed inventory of assets. Maintaining records of your digital assets (information, network storages, and projects) is as important as bookkeeping and management accounting. With this, you can prioritize the assets to be protected and plan your business continuity budget accordingly during the next stage.
The purpose of this stage is to lay the groundwork for BCM implementation and assess the possible consequences of disruptions in certain processes.
BIA includes the following steps:
- Determine critical processes and information systems.
- Identify the associated key stakeholders, both external and internal.
- Assess whether the company has enough resources to ensure uninterrupted operation in an emergency.
- Analyze alternative ways of executing critical processes.
When performing BIA, you should be guided by ISO/TS 22317:2021 Security and resilience—Business continuity management systems—Guidelines for business impact analysis.
The purpose of this stage is to develop technical and organizational measures to ensure process continuity.
The example below demonstrates how incident consequences can be aggravated by poorly orchestrated actions.
A few years ago, an online ride‑sharing firm suffered a data leak, which occurred because its employees stored their credentials on GitHub. The hackers found the source code and were able to access the repository with the data of 57 million customers. As a result, the service had to pay 100,000 US dollars to the criminals for non‑disclosure. However, the case went public, which undermined the firm’s reputation. Apart from the ransom, the service paid a fine of 400,000 euros.
- Develop or revise your business continuity plan (BCP), incident response and recovery plan, and incident response playbooks.
- Create an incident response team.
- Allocate a BCM budget.
The BCP should set the key continuity parameters:
- Recovery time objective (RTO). The maximum amount of time to restore business functions or resources following an incident.
- Recovery point objective (RPO). The maximum acceptable amount of data loss.
- Service delivery objective (SDO). The service level to be supported until complete recovery. For instance, after an adverse event, a certain quality of services must be maintained, albeit at a lower level.
- Maximum tolerable downtime (MTD). The longest possible unavailability period for systems or processes. Exceeding this time will severely affect the company.
The BCP helps to find a balance by optimizing each of the above parameters. This is when business continuity management becomes a measurable and manageable task within the capability of most corporate services and functions, from logistics and accounting to IT and cybersecurity.
The incident response and recovery plan should describe the target scenarios and actions for a company to minimize the damage caused by incidents and reduce the remediation time. The document covers the following incident management fundamentals:
- coordinated actions and communications
- staff awareness and preparedness to act promptly as required by the process
When elaborating such plans, avoid unnecessary paperwork, use simple and concise language. This will ensure more effective actions in an incident. Thus, all the documents can be integrated into a user‑friendly guide accessible at any time.
The purpose of this stage is to progressively build a BCM framework that would cover almost all departments. This will enable the involvement of relevant professionals—legal advisers, PR managers, and others—throughout the remediation stages.
Recommended activities at this stage:
- Purchase the tools.
- Select the service providers.
- Launch an incident response team.
- Arrange for cyber literacy training for employees.
- Monitor the effectiveness of implemented measures, assess and eliminate the deficiencies.
You can simulate incidents to test your measures. For instance, when migrating a platform to the cloud, you can disconnect the source platform and check the service provider’s response. This will enable you to replace the ineffective contractor preemptively and avoid any downtime during an incident.
Engage independent experts to conduct training attacks on your IT infrastructure. It is critical to use all possible tools to identify and remove security gaps in your organization. Consider security awareness services to increase training effectiveness.
Remember to regularly test your incident response team. In an emergency, there will be no time to study the plans, hence, response actions should be practiced proactively. There are special training platforms tailored for these purposes—cyber polygons. Moreover, you can resort to red teaming services to assess how well your team is prepared to cope with incidents.
The purpose of this stage is to determine further actions based on the information about the incident and its implications.
These are the recommended steps to take:
- Collect as much intelligence as possible that would help to analyze the incident: what happened, who discovered the incident, and what measures were taken.
- Report the incident to your in‑house response team or the outsourced specialists. A minor incident may be reported to a security expert and an IT specialist alone.
- Document the incident.
- Assess the extent of compromise: the potential consequences, the suspended business processes, and the time and resources it will take to neutralize the incident.
The incident detection stage does not necessarily result in actions. Not every incident leads to substantial financial losses to trigger a response procedure. For example, single failed employee login attempts are a minor incident. While such failures should be recorded and monitored, there is no need to go through all the response stages.
The purpose of this stage is to minimize the consequences of the incident.
The first steps are as follows:
- Assess the measures you have taken.
- Try to isolate the systems that might be infected. Where this is not possible, enhance the monitoring. In this step, you can launch investigation procedures.
- Check all the systems to make sure the incident has not affected the entire infrastructure.
- Eliminate the cause of the incident.
- Determine whether the affected systems can be recovered.
- If not, prepare a further action plan factoring in the lost infrastructure components or critical data.
These will provide you with a basis for a safe recovery of your business processes.
In the course of recovery:
- Estimate when the affected business processes can be restored. Consider the investigation specifics: a system might have to be isolated for the time of the examination.
- Use backups to reset the compromised systems.
- Make sure that all the affected systems have been updated and patched.
The purpose of this stage is to identify and rectify the shortcomings that resulted in an incident.
These steps will help in revising the measures:
Analyze the following:
- Were all the employees prepared for the cyber incident?
- What prevented a prompt response?
- Was the course of actions clear to you and your employees? Did you follow it?
- Are your employees equipped with sufficient knowledge to effectively repel cyber incidents?
- Check the internal documentation:
- Are there any errors/omissions in the described course of actions?
- Are the documents easy to read for all employees? Are there any sections written in difficult language and hence hard to understand?
- Are the issues encountered during the incident covered in the documents?
- Update the inventory of your digital assets and identify changes in the external and internal infrastructure that occurred during the incident.
- Determine the measures and tools to prevent similar incidents in the future.
- Consider how to improve employee training. Your cybersecurity specialists would benefit from cyber polygon exercises while the rest of the staff could be put through cyber literacy training.
Our checklist will help you embark on your BCM journey.
- Determine when you last analyzed the digital trends. If your research was conducted more than six months ago, it is time for another round. Analyzing trends assists in predicting events that can affect business in the short and long term.
- Take inventory of your digital assets. The complete picture will enable informed decisions, such as software replacement, help to detect weaknesses in the IT infrastructure and plan further steps to strengthen your defenses.
- Create a cyber incident response team. Identify the key stakeholders (PR, legal, HR, and IT units, company executives, client support) to inform and involve in case of an incident.
- Make sure that the technical cybersecurity tools are suitable for your company and perform their declared functions.
- Check your technical defenses: they must be properly configured and updated to the latest versions.
- Make sure that the incident response documentation is simple and clear.
- Select activities to upgrade the skills of your in‑house cybersecurity specialists.
- Prepare a plan to improve cyber literacy among the line personnel and executives.
- Consider what digital transformation and cybersecurity tasks can be outsourced. External experts continuously cooperate with organizations of various scales across industries and might have a broader approach to your tasks. They will help you save your most valuable resource—time.
BCM is a recurring cycle of activities aimed at preventing incidents, whether online or offline, and adopting anticrisis and recovery measures. The BCM objective is to facilitate the development of businesses resilient to emergencies.
With BCM in place, a company can:
- Approach the continuity of business processes as a measurable and manageable task.
- Keep up with the fast‑paced changes in the market, digital space, and legislation.
- Elaborate possible threat scenarios.
- Prepare economically feasible response and remediation measures.
- Minimize damage caused by incidents.
- Identify security gaps before they are spotted by cybercriminals.