Does Resilience Reflect your Risk?

Author: Dawn O'Connor

Business continuity refers to the activities required to keep an organisation safe and running during an unprecedented event that interrupts normal service.

Within the first 3 months of 2020 we have already experienced 2 very real and impactful threats to businesses. First, we had flooding across vast areas of the UK and now we are in the middle of a pandemic which has resulted in businesses having to rapidly adapt to different ways of working.

Whilst we do not have a crystal ball to know what the future holds, businesses can bolster their readiness and resilience to unprecedented events by taking steps to firstly identify and then mitigate the risks.

There are many events that can occur, usually in an unexpected manner, which can pose both challenges and risks to the continuity of business practices. These could be events such as a gas leak, an area evacuation, power failure or indeed the event we are facing at this current time, a pandemic. It is impossible to identify every single event that could occur, but ultimately, whatever the cause, they all lead to the following issues and questions for businesses to solve. How does this affect our:

People – their availability, their transport options, their health, a change to their working environment;

Infrastructure - the availability of the network, power, telecoms and other communication methods, data loss?

This is just a selection of the issues that businesses face and is clearly not an exhaustive list.

From a compliance perspective, businesses also need to consider whether any accreditations they hold may be affected from a change in their working practices. For example, if your ISO 27001 scope only covers your office environment and suddenly your workforce is working remotely – is your accreditation impacted?

Therefore, it is critical to ensure that your risk assessment, carried out prior to creating your business continuity plan covers all these eventualities, and that you have suitable policies and processes in place to guide the way.

Without a doubt, the change in working practices that we see today lend themselves to a whole new set of risks that may not be part of your business’ security plan. We know already that there is an increase in pandemic related phishing emails being sent to people; user equipment such as laptops may have been hurriedly purchased and therefore not configured in the usual way; working from home may lead to confidentiality issues. The list can go on. If your staff are not used to working from home and you do not have a suitable policy in place, are they aware of the expectations that are being placed upon them to keep the business safe?

For many businesses, these challenges may feel like they are insurmountable. But this can be broken down into smaller, manageable pieces of work to ensure business resilience in the face of what seems to be an increasing amount problems.

The first step is to carry out a risk assessment to establish what the threats are to your business. Once this has been done, you can work to identify what you already have in place and what gaps exist to make sure that you are as prepared as possible.

One of your key defences in this is your staff. You need to make sure that not only do you have the right policies and processes in place detailing the actions your business will follow, but that your staff all receive the appropriate training and awareness so they know what is expected of them. This can be anything from security awareness training to participation in a business continuity training exercise. It is also important that you seek the feedback from your staff once these training sessions have completed and carry out a lessons learnt exercise.

Once you have that feedback, make sure you revise your plans with this information. If you make a change to your ways of working, ensure that you also change your continuity and incident management plans to reflect this.

Finally, remember, a system is Cyber Resilient if, and only if, there is a justifiable and enduring confidence that it will function as expected, when expected.

How can Nexor help

Nexor’s experienced cyber security consultants can work with your business to carry out a detailed risk assessment to determine what threats you need to defend against. Following this, we can design suitable risk mitigations for you to implement as well as assist you with any policies and processes that you need to introduce or update. We can help you determine what your information management system needs to consist of and how to ensure it is managed effectively in the future.

Read more posts on

About the author

Dawn O’Connor is an associate of Nexor with an extensive business background across different market sectors including retail, local and central government and law enforcement. She is a member of the Chartered Institute of Information Security and co-chairs the Nottingham/Derby/Leicester Branch.  Dawn holds the Certificate in Information Security Principles and the ISO 27001 Foundation certification.

Dawn O'Connor on Linkedin

Read more posts by Dawn O'Connor