Business Continuity Plan: From Paper to Action

Medium and large companies that must comply with industry or national standards and controls have had to develop what is known as a BCP (Business Continuity Plan). Through it, experts in the company’s operations or specialised consultants define the route of action to be taken in different scenarios where business continuity is threatened. On the other hand, many small companies have had to implement them in order to do business with the companies that must by law require them.

This emerged after the attacks of September 11th, 2001, when it became clear that many companies did not know how to react in case their headquarters were blocked. Therefore, disaster scenarios were raised on one business area or the whole business, looking for alternatives to fill that gap for a period of time. Some of these plans considered earthquakes, tsunamis, and access closures due to social circumstances, among others. But, how many of them included a pandemic among the potential causes of a business blockage?

Not many companies took it into account. However, this is the simplest problem. Even if some of the approaches made for natural disasters or access blockages to headquarters were followed, we cannot know exactly when it would possible to go back to work.

The Technology and Security that a BCP Should Include When Facing a Pandemic

Let’s start by explaining what should have been done previously to be prepared. It is essential to have a pilot project of how our services and employees would react to telework. Why? Because even if we use a VPN that allows us to simulate that the worker is directly connected to the company’s network, the services and the network are not necessarily ready to receive requests from that connection.

According to the behaviour on the Internet, when performing validations of the services exposed we can see a growth of more than 40% in the use of RDP, as shown by Shodan in its blog. When making a simple search, we find computers having known vulnerabilities:

Actually, not all companies have the technology required to deploy enough VPNs to get the entire company connected remotely. However, this should have been taken into account in order to avoid exposing vulnerable services. To this end, there are many comparisons and aids on the Internet to help you make secure decisions fitting within the budget.

Secondly, companies must know what they are exposed to on the Internet and how is the regular use of these services. Just by means of this basic data it is possible to identify when the use from external networks is exceeding the capacities of each service or when we are being cyberattacked.

So, What’s the Next Step?

As long as the services exposed are clear, information security measures can be taken. These should be implemented at the moment of starting the continuity plan. In other words, by this time they should be fully operational and under review.

These measures must be oriented to the full identification of users. As we are working remotely, the local identification measures such as the network, the MAC of the computer and its configuration are not available. In most cases, only the user and password are controlled, and this has proven not to be a mechanism that guarantees identification.

Once you have this control, you must start monitoring events in all services and have fine-tuned alerts to detect external threats, since at this time all connections will be made outside the company network. For this reason, all perimeter security controls must go to what was calculated in the continuity plan.

What to Do Next?

The last measure that must be covered by this continuity plan is the technological tools that will be used to control the operations and work of the different groups within the company. These must include training for the staff −and to this end, it is essential to have strategic allies in the world of technology.

This is because of the endless number of tools available on the Internet today. However, not all comply with the information protection measures required to ensure business continuity. One of the main examples of these tools are in cloud services. In recent years, cloud-based tools have experienced exponential growth in terms of options and implementations. However, not in all cases this is done with sufficient security measures. This is critical considering that this is almost the cornerstone of the digital transformation as well as of a good development of the continuity plan, which today must be operating at its maximum capacity.

Conclusions

Following the first month of measures at a global level, it has been possible to verify that the business continuity plans of some companies have worked properly in terms of their essential objective of keeping employees performing their functions and being able to access information. Nevertheless, due to the growth of services exposed on the Internet and the vulnerabilities detected in these, information security was not taken into account when designing these plans.

This is evidenced by the control reports made from our SOC (Security Operations Centre), which have been widely analysed in different media by our ElevenPaths experts and published in a guide: Risk Guide and Recommendations on Cyber Security in times of COVID-19.

For this reason, companies must begin to align their plans with the new circumstances and to implement controls and mechanisms that allow their employees, not only to carry out their tasks, but also guarantee the security of the information that, in the near future, will constitute the continuity of the companies.