As organisations begin to understand that cyber security is just as much about responding to breaches as it is about preventing them, the popularity of business continuity grows.
Implementing a business continuity management system (BCMS) means organisations can ensure that mission-critical functions continue operating following disruptive incidents, which could be anything from cyber attacks to snow storms. A BCMS also allows organisations to return to ‘business as usual’ promptly and with as little trouble as possible.
ISO 22301 describes best practice for a BCMS, so if you want to get the full benefits of business continuity, you’ll need to persuade top management to adopt the Standard.
Why implement a BCMS?
Senior staff are most likely to be persuaded to adopt a BCMS by the promise of long-term financial savings. Ponemon Institute’s 2017 Cost of Data Breach Study: Impact of Business Continuity Management found that, on average, a BCMS helps save organisations 43 days in identifying a breach, and 35 days in containing it. This equates to a saving of about £500,000 per incident.
This doesn’t account for the drop in productivity following an incident. Those without a BCMS reported a 76% drop in business, compared to just 55% for those with a BCMS.
The report also quantifies other major benefits of implementing a BCMS. For example, organisations are 8% less likely to suffer future data breaches (31.8% compared to 23.9%) and will mitigate the negative impact of a breach, with reputational damage reported 10% less often.
There are also unquantifiable benefits of implementing a BCMS. It’s based on analysis rather than guesswork, meaning you can be sure that your organisation has allocated appropriate resources to each threat. Without doing this, organisations could overestimate certain risks and spend time and money unnecessarily. Worse yet, they could underestimate (or completely overlook) risks and expose themselves to a security vulnerability.
An effective BCMS involves regular reviews and tests to assess changes in the threat landscape and to ensure that the system doesn’t become outdated. One of the biggest upcoming changes is the introduction of new regulatory requirements. The EU General Data Protection Regulation (GDPR) and the Directive on security of network and information systems (NIS Directive) come into effect in May 2018, and both require organisations to adopt incident response capabilities. This will be much easier for organisations that have implemented a BCMS.
Watch our business continuity webinar series
You can learn more about business continuity management by registering for our webinar series. The next webinar, Business Continuity Management: Impact Analysis and Risk Assessment, takes place on Thursday, 3 May 2018, at 2:00 pm (BST). It covers:
- Setting risk assessment criteria;
- Conducting the risk assessment;
- Risk analysis and evaluation;
- Establishing business impact analysis (BIA) resource and activity dependencies;
- Setting BIA criteria;
- Determining the maximum tolerable period of disruption;
- What can be expected of BIA outputs; and
- Common challenges and how to overcome them.
This webinar will be followed by Business Continuity Management: Testing, Incident Response, Recovery and Communications, on Thursday, 17 May 2018, at 2:00 pm (BST).