Is security part of your business continuity plan?

Organisations from the largest enterprise to the smallest home based office do not seem to understand the correlation between a good disaster recovery (DR) / business continuity (BC) program and good system security.   Security is never a priority until something happens and when it happens, then starts the finger  pointing.   The recent full on disasters that have happened in Christchurch and Japan have enphysised what can truly happen in a large disaster situation.   Although major loss of life and physical damage are the priorities that have to be sorted out first, the damage to small and medium business can be disastrous.

Many organisations believe that basic security – firewall, system patching, strong passwords and backups are all that is required as a security component.   This is not the case when it comes to BC and DR.

Loss of some information can be disastrous, the loss of critical information or the loss of critical infrastructure can be business ending.   Additionally Administrators and IT support need to be aware of other insidious attacks that could happen on the business when it comes to cyber security that could render the business information and data useless.

To make sure your business is protected in a disaster here are three things to think about!

1. Conduct a security audit
If done correctly a security audit can give an SMB meaningful and significant direction in the management of business security and business continuity.   There are a number of gotcha’s though, it has to be done correctly and it is best if it is done by an outsider, either outside the department or outside the business.   It is human nature to just skip over things and tick the boxes when you are checking out your own work, this includes checking out colleagues work.   An internal audit, if conducted needs to be done by people who have no involvement in the system but have an understanding of the systems in place.

2. Get the correct technology for your business model
This is something that I harp on about, the right technology for your business will make your business more resilient, adaptable and profitable, get the wrong technology and no matter what you do you will never achieve your true business potential.

The utilisation of more expensive security systems allows a business to achieve a higher level of system protection, the more features then it is more expensive.   the problem is the more expensive and system is, the better features are included then the more secure your business data will be.  It’s a little bit of catch 22 but it seems to be that life is like that.

3. Test your recovery systems.
One of the biggest problems for a business is getting the time to test Business Continuity and Disaster recovery systems and plans.   Restoring backups is not a problem but restoring a system or complete database to another location then running the business off it before rolling it back can be nerve racking.  The testing of the systems allows a business to see what will happen with a total failure, it is better to test it and make sure that it all works than be in the situation where the first test is reality and as we all know reality bites.  A complete system failure that relies on an untested DR plan could be disastrous for the business.

The Business Continuity Plan, Disaster Recovery Plan and business resilience should all be part of your business security profile.   Without them, if something happens to your information, then security of your business data could be compromised and that loss could be disastrous.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.