How to build a business resiliency plan for your company

Key Takeaways:

1. No organization is immune from cybersecurity threats or weather-related crises, but proactive planning could help avoid costly disruptions.
2. Identify the data, assets, and infrastructure at your company that could be at risk.
3. The importance of organizational resilience can be forgotten between big crises. Protect employees, property, and operations with proactive training.
4. Business continuity, disaster recovery, and incident response plans are critical in remaining vigilant against threats, so be sure to regularly review yours.
5. When a crisis emerges, revisit the plans you created—and practiced—to respond strategically.
6. Once you’ve created and exercised your plan, consider an outside audit.

If the technology at your organization should fail—whether as the result of a natural disaster, cyberattack, or fraudulent activity—do you have a plan to help you recover quickly and sustain business operations?

Nearly every business today depends on technology in some form. Any disruption could potentially have devastating consequences for operations and data recovery. A 2022 survey found the average hourly cost of server downtime exceeds $300,000 for 91% of surveyed enterprises^†. The increased sophistication of cyberattacks and the growing frequency of severe weather events are highlighting a need for businesses to better prepare for the unknown.

“Understanding your organization’s cybersecurity, IT, and physical security needs and response capabilities allows your organization to transition from risk and crisis management to resilience,” says Amber Buening, Cybersecurity Outreach Director at Huntington.

Business continuity, disaster recovery, and incident response plans are designed to prepare businesses for events that could disrupt operations. These plans are key elements of your organization’s resiliency strategy. Developing, maintaining, and exercising these plans for your organization can help your business recover and maintain operations when these situations arise.

Understanding the top cybersecurity and weather-related threats to your business

Examples of cybersecurity threats that can compromise your data and systems include ransomware attacks, business email compromise (BEC), and malware. Threat actors can manipulate employees into infecting your business’ network or even providing physical access to secure systems. Successful cyberattacks could entirely shut down your operations. A strong business continuity plan sets priorities in these situations, outlining which data to keep, which systems to focus on first, and which areas need the most protection.

Extreme weather events, defined as a trend of severe weather events in frequency and intensity, remain a significant threat to businesses. Examples include wildfires, flooding, extreme temperatures, and storms, which can cause property damage and prolonged outages or disruptions. According to the Cybersecurity & Infrastructure Security Agency (CISA), severe storms alone have caused more than $383 billion in total damages since 1980^‡. Protecting your employees, understanding what to do if employees cannot go into an office or plant, and knowing how to handle infrastructure damage are all part of a business continuity plan.

No organization is completely immune from cybersecurity breaches or weather-related crises. Make sure you’re preparing for any possibility to help avoid costly and time-consuming disruptions.

Preparing for a technology failure after a disaster or cybersecurity attack

Companies should take a risk management approach in preparing for a technology and facility failure. An organization’s resiliency strategy should address cybersecurity and business continuity needs, incident response plans, and disaster recovery procedures. The National Institute of Standards and Technology (NIST) developed a framework for protecting critical infrastructure against weather-related threats and cybersecurity risks, which includes the following pillars^§:

1. Identify

Consider the data, infrastructure, and assets at your company that could be at risk.

• What sensitive data do you have, and what data do you need to protect?
• If you outsource any aspect of your business, who do you share data with, and how is that protected?
• What data have you collected from employees that you’re obligated to protect, such as healthcare information and bank account information for direct deposit of paychecks?
• What physical assets, such as manufacturing plants or office buildings, could be impacted in the event of a tornado, hurricane, or other natural disaster?
• What is the most critical infrastructure at your organization? What would you do if it was severely damaged? (Consider secure computer rooms, hardware, service connectivity, or data.) Take an inventory of the systems your organization relies upon. Knowing the computers, devices, and software you have is necessary for insurance purposes in the case of disaster. You can also use this information to build contingency plans for shifting work to another area when needed.

2. Protect

“Employee education is one of the simplest ways to build a culture that prioritizes cybersecurity and physical safety,” says Buening.

Your security awareness program should go beyond fraud and cybersecurity to include emergency preparedness. These plans should also be exercised and continuously improved. Practicing data recovery exercises, fire drills, and simulated phishing attempts can all help keep employees prepared for the unexpected.

Be proactive with regular training, informational webinars, and education resources so every employee knows what to do in the event of an emergency or when encountering suspicious behavior. One example is participating in national awareness campaigns, such as Cybersecurity Awareness Month in October.

Protecting against vulnerabilities is also important. Be sure to update operating systems and applications with the most recent versions and patch when new versions become available.

3. Detect

An incident response plan is critical in remaining vigilant. This plan defines what an organization should do in the event of a data breach or other form of security incident. Periodically review these plans and make sure the right people within your organization know the answers to questions such as:

• What happens if malware gets on computers?
• What if there is a ransomware demand?
• What if there is a situation where remote or in-person operations are interrupted?
• What do you do if a known weather event is approaching?
• How will you communicate about outages to employees, customers, vendors, and manufacturers?

Set up systems to detect an intrusion into your system and integrate checks and balances into all processes. Also, ensure antivirus, endpoint encryption, and data loss prevention software are up to date.

Conducting a risk assessment of offices, warehouses, manufacturing plants, and other physical locations can help identify potential emergency situations your employees might face.

4. Respond

When a crisis emerges, revisit the plans you created—and practiced—to respond strategically.

Be prepared to assess your response once the crisis has been resolved to refine your plan for future disasters or interruptions to operations. Update your plan to incorporate lessons learned from testing, exercises, and real-life situations.

In the instance of a data breach or a prolonged outage that may impact customers, you will also need a communication plan for when the media comes calling. Make sure you are prepared to make a statement and plan to contact any individuals affected by the breach or outage. These communications should also include your board of directors, regulators, and customers.

5. Recover

Once you’ve created a plan, the final step is to bring in an outside expert to conduct an audit of your plan.

“Even if you think you did a great job, have someone conduct an audit,” says Buening. “After the audit, it’s important to review the results to determine, and then implement, areas to improve on to make your organization safer.”

Cybersecurity liability insurance can also help ensure your business survives. Under a cybersecurity liability policy, experts will come in to help you get your business back up and running after a technology failure or breach.

Five ways to help keep your business assets and data safe

To keep technology functioning and your company running smoothly, Buening recommends the following:

1. Put appropriate cybersecurity controls in place, such as keeping your systems up to date and managing vulnerabilities by applying patches as they become available.
2. Educate your employees. Teach them about phishing and BEC scams and warn them against clicking on links from unknown sources. “Your employees can be the weakest link. Empower them through security education,” says Buening.
3. Prepare your employees for extreme weather events and natural disasters. Host training sessions and send reminders about how to respond in different situations.
4. Encourage your employees to use unique passwords. People often use the same or similar passwords across multiple accounts, so stress the importance of this practice. Create strong passwords unique to each account and use a password manager to reduce your risk of vulnerability.
5. Practice your business continuity and disaster recovery plan. Host exercises that test evacuations, emergency communications, critical equipment monitoring, and other backup plans.

For more information on managing risk to your company’s technology infrastructure and operations, reach out to your relationship manager.