In 2013, 81% of large organisations suffered a security breach and 60% of small businesses reported a breach, indicating that it’s not a case of if your organisation will suffer a cyber attack, but when.
Organisations working tirelessly to ensure that their defences are capable of repelling cyber attacks are likely to see their efforts go to waste if they don’t take into account one important question: what do we do if our defences fail?
Industry experts say that cyber resilience (not cyber security) is the new boardroom imperative. Alan Calder was quoted by Information Age, saying:
“Cyber security is no longer sufficient to ensure business sustainability. Yes, organisations need to defend themselves against potential attacks, but they must accept that some attacks will inevitably succeed. Therefore, an organisation’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place.”
Integration is key
Organisations that have cyber security defences as well as a business continuity plan in place are on the right track to become cyber resilient.
Mike Edwards, management systems tutor at BSI, said at the IT Governance cyber security summit in London: “Organisations need to converge their management of information security and business continuity. The good news is the best practice standards in each area – ISO27001 for information security and the new ISO22301 standard for business continuity – now work very well together, so policies and procedures can be dovetailed. Employing both standards in tandem is the key to cyber resilience.” (Source Information Age)
Organisations tend to be more familiar with information security management, but what about business continuity?
Business Continuity Management System (BCMS) aligned to ISO22301
A BCMS is considerably more effective than a business continuity plan. A BCMS grows with an organisation, whereas a plan has a tendency to remain static, left in drawer to be forgotten about.
ISO22301, the internationally recognised business continuity standard lays out the requirements for an effective BCMS. It doesn’t allow for a change in the organisation to happen without there being some record of it in the BCMS. For example, if an organisation purchases a new data server, then the BCMS will ensure there are plans to replace it quickly if there’s a need to.
The 2012 Business Continuity Management Survey revealed that 82% of organisations with business continuity management in place mitigated the impact of disruptions, 77% recovered faster and 55% saved money and protected revenue stream.