Business continuity: How to set benchmarks amid rising cyber threats

Not surprisingly, the demand for business continuity support and solutions closely mirrors the evolution of the threat landscape. The landscape is certainly evolving fast and new threats emerging – that are not replacing the existing one but adding to them and so multiplying the overall risk.

The Orange Cyberdefense vision for 2021 has identified three trends. First, a constant volume of attacks even during the Covid-19 lockdown with an explosion of ransomware attacks linked to new business models. Second, an acceleration of IT transformation as a result of the Covid-19 pandemic, introducing new risks and security challenges: cybersecurity is now at the core of most businesses decisions, requiring a new approach. Third, a cybercriminal ecosystem that has become more structured and professional as a result of huge potential rewards.

But the analysis also highlighted the new opportunities opening up to companies and the business continuity challenges they will have to meet, as ‘multi-cloud’ environments emerge. The key international reference for business continuity is the ISO 22301 standard. If the resources a company needs in order to operate – such as information systems – are victim to a disaster, then its business operations might be disrupted or even interrupted.

So, continuity in the cloud is crucial but it has too often been treated as a second-order issue. Rare but very-high impact events can happen and be disastrous for a cloud platform. The question is not if such an incident will occur, but when – as we have learned from the global pandemic.

So, in the cloud era, business continuity has a new challenge to meet. The management of business continuity takes into account all of the resources, including technical such as IT and non-technical such as offices and staff, that are necessary for the essential activities of the business. The aim is to protect, continue or resume these activities – whatever the nature of the failure or disaster and whatever resources may be affected – in a time frame and under conditions that are acceptable for the business lines.

The enterprise information system is an increasingly indispensable resource for most business activities and for years, many CIOs implemented often costly measures – data center backup sites, contracts with specialist IT recovery companies – to cope with a major failure or disaster at their data centers. With the arrival of the cloud revolution, there’s a new IT paradigm representing a crucial challenge for business continuity. Thanks to technological progress, there are now continuity and recovery solutions available that are well adapted to cloud environments and to the wide variety of needs and solutions for different companies.

Customer needs for support services in the choice, implementation or management of cloud based business continuity solutions vary, depending on their size, their organisation, their existing information system and especially their in-house skills. Recovery solutions provide technical tools and a cloud recovery platform: today a simple, ‘off the shelf’ approach can meet the requirements of many customers, especially large corporate groups.

The use of the cloud for a recovery site has many advantages compared to the setup and management of a physical recovery site, which is an expensive option in terms of investment (CapEx) when it is only rarely used, and it needs maintenance. A cloud recovery site takes advantage of shared resources and makes it possible to pay only the resources actually consumed (OpEx).

Business continuity framework
ISO22301, the international normative reference, defines business continuity as the ‘capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.’

If the resources are struck by a failure or a disaster the essential activities of the business lines can be disrupted or even interrupted. In order to face disruptive events, a three-step approach should be rolled out: analysis, strategy, and planning and implementation.

First, the business impact analysis (BIA) will provide answers to questions such as: “what activities must be continued or restored in the event of a disaster?”… “in what time frame?” … “with what resources?”

Two definitions, identified during the BIA for each business line activity, are crucial: maximum acceptable duration of interruption and maximum tolerable loss of data. The main components of what is commonly called an enterprise business Continuity Plan (BCP), in line with ISO 22301 requirements are risk assessment, business continuity strategy, crisis management structure, business continuity plans, and training and awareness.

Finally, Business Continuity and Disaster Recovery plans should be developed and implemented for key business areas – critical networks, IT systems, sites, and assets – with plans regularly tested for different situations, from natural disasters (earthquakes, floods, tsunamis), to cyber attacks – and of course, pandemics.

As businesses may face attacks at any moment, and as they change, this three- step action will need to be repeated regularly to keep the strategy and plans updated.

Sahem Azzam is a VP Middle East and Africa at Orange Business Services