The Security Risks of Not Having a Business Continuity Program


A Business Continuity Program (BCP) is essential for continuing key business processes and information system services so that an organization can recover from an unexpected business interruption. A synchronized BCP and IT Disaster Recovery Plan (DRP) are the two key elements needed to recover from natural or man-made disasters such as fire, flood, a cyber-attack or virus infection, or even a DoS attack.


I recently had the opportunity to interview Mark Kern, Safety and Business Continuity Planning Lead with Noblis, located in Falls Church, Va. Kern is a Certified Business Continuity Planner (CBCP) with over 20 years of experience dedicated to BCP. Kern commented that "today, not having a Business Continuity Program, or having a program comprised of poor or mediocre plan(s), will definitely put your company at risk as it relates to IT security."


The crux of this statement lies in the definition of IT security. According to ZDNet, IT security is defined as, "the protection of data, networks, and computing power." You can look at almost any definition and get a similar description. Isn't this what we prepare a business continuity program for?


So by not having a Business Continuity Program in place, we put our assets, our people, and our stakeholders at risk. Kern also believes that, "viewing BCP as just an insurance policy is dangerous. A fully supported BCP is an essential business and IT security process." A good Business Continuity Program starts at the top. It must have the buy-in of the board of directors, senior management, all the way down to the people who execute the plan. In other words, business continuity is everyone's responsibility because business continuity is a part of security.


Kern also commented that, "some organizations are satisfied with the illusion of a BCP. Having vague BCP and security policies that are rarely enforced is risky. Companies should adopt internal BCP quality standards that reflect the needs of the business. The most effective continuity plans are built from the ground up after the completion of a thorough Business Impact Analysis (BIA). The establishment of Recovery Time Objectives and Recovery Point Objectives, as well as business process application and system mapping, to identify internal and external dependencies, is critical in the development of an effective BCP."


As a professional who has developed, implemented, exercised and audited many continuity programs, I can tell you that some IT executives regard BCP and disaster recovery planning as a necessary evil. It is viewed as a requirement by boards of directors and stakeholders, but may have little value if not properly administered. Every IT security program should include both business and IT components.