This is a huge topic, one that spills out beyond the confines of cyber- and information security. Put simply, it’s all about making sure that your business can get back up and running and / or keep going in the event of some sort of disruption.
That may be due to floods or other natural disasters, accidents (e.g. a power failure if the electricity supply is damaged by digging in the roads outside), deliberate attack (e.g. theft of key equipment), terrorism etc. The list goes on – whatever it is that stops you getting into your offices / place of work and / or being able to work.
Information security is based on three key tenets, namely the Confidentiality, Integrity and Availability of data. Business continuity is all about ensuring the Availability of data.
Business continuity includes Disaster Recovery, which is generally seen as getting your IT back up and running. Business continuity also includes things like making sure your staff know where to go if they can’t get to your office, making sure key office space is available when you need it including desks and chairs, making sure that things like Health and Safety requirements at any alternate location are taken into account – and so on…
So what do we need to think about in terms of cyber security? Well, you may not have all staff working at an alternate site, and they may not be using equipment that is familiar to them. You may have had to rebuild networks and servers, but have you also made sure that users only have access to the systems and data they need access to? In your normal place of work, if you restricted access to removable media, are the same controls in place at your new location? What about physical access to your new premises? Is that controlled? If users are accessing systems using remote access solutions, have those solutions been tested to ensure data isn’t able to leak?
Good practice would be to test your business continuity plans on a regular basis. This may be through some sort of tabletop exercise, i.e. you get all interested / responsible parties together and talk through what would happen, and how, if there was disruption at your normal offices. This is a good thing to do, but if possible you should physically test your plans too. Try getting your staff to go to your alternate site, and see if they can do their jobs from there. That’s a great way of checking your IT and communications are in place and working as expected.
The most important thing to remember if you do test things out is that it’s OK to fail. In fact, expect to fail. It’s better to find out where any issues are at this stage rather than when you need your plans in anger.