As organisations begin to understand that cyber security is just as much about responding to breaches as it is about preventing them, the popularity of business continuity grows.
Implementing a business continuity management system (BCMS) means organisations can ensure that mission-critical functions continue operating following disruptive incidents, which could be anything from cyber attacks to snow storms. A BCMS also allows organisations to return to ‘business as usual’ promptly and with as little trouble as possible.
ISO 22301 describes best practice for a BCMS, so if you want to get the full benefits of business continuity, you’ll need to persuade top management to adopt the Standard.
Why implement a BCMS?
Senior staff are most likely to be persuaded to adopt a BCMS by the promise of long-term financial savings. Ponemon Institute’s 2017 Cost of Data Breach Study: Impact of Business Continuity Management found that, on average, a BCMS helps save organisations 43 days in identifying a breach, and 35 days in containing it. This equates to a saving of about £500,000 per incident.
That figure doesn’t account for the drop in productivity following an incident: organisations without a BCMS reported a 76% drop in business, compared with 55% for those with a BCMS.
The report also quantifies other major benefits of implementing a BCMS. For example, organisations with a BCMS are 8% less likely to suffer future data breaches (31.8% compared to 23.9%), and they mitigate the negative impact of a breach, with reputational damage reported 10% less often.
There are also unquantifiable benefits of implementing a BCMS. It’s based on analysis rather than guesswork, meaning you can be sure that your organisation has allocated appropriate resources to each threat. Without doing this, organisations could overestimate certain risks and spend time and money unnecessarily. Worse yet, they could underestimate (or completely overlook) risks and expose themselves to a security vulnerability.
An effective BCMS involves regular reviews and tests to assess changes in the threat landscape and to ensure that the system doesn’t become outdated. One of the biggest upcoming changes is the introduction of new regulatory requirements. The EU General Data Protection Regulation (GDPR) and the Directive on security of network and information systems (NIS Directive) come into effect in May 2018, and both require organisations to adopt incident response capabilities. This will be much easier for organisations that have implemented a BCMS.
Watch our business continuity webinar series
You can watch our BCM webinar series online now, or download the slides, to learn more about BCM and how to secure top management approval.