Designing robust Business Continuity policies

The goal of a Business Continuity policy is to document what is needed to keep an organisation running on ordinary business days as well as times of emergency. When the policy is well-defined and clearly adhered to, the company can set realistic expectations for Business Continuity and Disaster Recovery processes. Industry experts share insights with Intelligent CIO Middle East on the aims of a Business Continuity policy, what is needed to keep an organisation running on normal business days as well as times of crisis, writes Manda Banda.

A Business Continuity policy is the set of standards and guidelines an organisation enforces to ensure resilience and proper risk management. Business Continuity policies vary by organisation and industry and require periodic updates as technologies evolve and business risks change.

According to ResearchAndMarkets.com, the Business Continuity management solutions market is poised to grow by US$387 million during 2020 to 2024, progressing at a compound annual growth rate (CAGR) of 15% during the forecast period.

Manish Ranjan, Program Manager, Software and Cloud, IDC Middle East, Turkey and Africa (META), said that across the Middle East, organisations prioritised providing secure access to IT services and applications for employees working from home, increasing tech-enabled collaboration and engagement with business executives, and strengthening technologies for Disaster Recovery and Business Continuity. As a result, Ranjan said, there is increasing investment in endpoint security and management solutions, smart and digital workspaces, unified communication and video conferencing systems, and team collaboration applications.

“While formulating Business Continuity framework and policies, it is important that CIOs focus on data protection, as well as Disaster Recovery strategies,” he said. “They must adopt technologies to accommodate the proliferation of devices outside the centralised workplace, solutions which enable them to manage the influx of remote work and adopt cloud data management platforms.”

Leona Mentz, Regional Operations Manager: Asia, Middle East and Africa, BT, said Business Continuity is not just about the nuts and bolts of keeping operations going in the event of a crisis. Mentz said it requires a careful understanding of the appropriate people, processes, technology, information and supplies in delivering essential activities.

“Furthermore, the surge in a distributed work environment resulting from the COVID-19 pandemic has seen connectivity becoming more important than ever. With more organisations becoming reliant on cloud-based solutions, access provides the veritable glue that holds operations together,” she said. “During these uncertain times, having the right capabilities in place before a disruptive event does require some predictive planning. This means that even existing policies that would have been considered sufficient pre-pandemic need to be reviewed and, where applicable, enhanced.”

Sahem Azzam, VP Middle East and Africa (MEA), Orange Business Services, said that, not surprisingly, the demand for Business Continuity support and solutions closely mirrors the evolution of the threat landscape. Azzam said the threat landscape is certainly evolving, and the new threats emerging are not replacing the existing threats but adding to them, and so multiplying the overall threats.

“In the ‘Orange Cyberdefence vision for 2021’, three trends were highlighted. First, a constant volume of attacks even during the COVID-19 lockdown with an explosion of ransomware attacks linked to new business models. Second, an acceleration of IT transformation as a result of the COVID-19 pandemic, introducing new risks and security challenges: cybersecurity is now at the core of most businesses, requiring a new approach. Third, a cybercriminal ecosystem that has become more structured and professional as a result of huge potential rewards,” he said. “The Orange Cyberdefence analysis also highlighted the new opportunities opening up to companies and the Business Continuity challenges they will have to meet, as ‘multi-cloud’ environments emerge.”

Business Continuity guidelines

With CIOs on the continent looking to improve their Business Continuity policies given the rapid change in IT, many are grappling with how to develop robust guidelines.

Abboud Ghanem, Vice President, Middle East and Africa, Alteryx, said with disruptive events occurring more frequently, making operationally critical decisions using legacy tools like spreadsheets or leaning on gut feelings is no longer an option. Ghanem added that recent events such as the pandemic and the Suez Canal blockage have exposed the weak links in current continuity plans, highlighting how crucial analysing and planning for these potential risks is in order to ensure continuity. “When risk to the bottom line of your business can come from anywhere, the ability to leverage predictive data to predict, plan for and mitigate risk across the business is key to reducing the impact of them,” he said. “The vast majority of companies are likely to say that they are very well prepared, or at least, they are working very hard to mitigate risk. Planning around an expected crisis, however, is a far easier proposition than readying a business for the unknown.”

Mentz explained that in today’s environment, increased bandwidth and remote working capabilities have become key elements of a Business Continuity policy. These are driven by a foundation built on high-speed connectivity. “With remote working increasingly becoming a more accepted norm, organisations must ensure that they are cognisant of the kind of access available to home-based employees,” she said.

Stephen Gill, Academic Head, School of Mathematical and Computer Sciences, Heriot-Watt University Dubai, said if an organisation is yet to have a Business Continuity plan in place, CIOs should begin with a business impact analysis. Gill said this includes evaluating critical business areas and functions, identifying areas of vulnerabilities and contemplating potential losses if key business processes go down for a day or longer. “CIOs should customise their Business Continuity plan based on the size, nature and complexity of their business processes. By effectively structuring your plan, setting goals and objectives, determining roles and responses, communicating constantly and continually adapting and evolving your plan over time, you can build a Business Continuity plan that is ready for possible future disruptions,” he explained.

Cybersecurity

According to Gill, as many organisations continue to operate with a dispersed workforce, lack of cybersecurity continues to be a pressing concern for CIOs and IT teams. “Current cybersecurity challenges require CIOs to focus on designing and implementing practical strategies that ensure organisations can prepare, respond and adapt to operational setbacks, ranging from short-term interruptions to long lasting disruptions,” he said.

Sebastiaan Rothman, Cloud Solutions Architect, Altron Karabina, said cybersecurity is emerging as critical to Business Continuity and growth in 2021 because dispersed workforces and heightened IT threats call for deliberate actions to ensure security is robust.

“As business leaders review and consolidate many of the dramatic operational and workforce changes that were implemented in response to the health crisis, cybersecurity is coming to the fore as a major risk to Business Continuity,” Rothman said. “Existing threats to companies in the form of data breaches, social engineering and phishing attacks, for instance, have now been amplified with employees working from home and IT teams having significantly less oversight over user behaviour. On a global scale, the cyberthreat to Business Continuity and economic stability is so large that ‘cybersecurity failure’ is listed among the top five risks in the World Economic Forum’s Global Risks Report 2021.”

According to Heriot-Watt’s Gill, maintaining workforce efficiency and seamless customer communication are other key challenges that CIOs are currently faced with. He said for companies operating in a highly competitive business environment, CIOs need to ensure that their employees, customers and business partners are able to access the information, products and services whenever they are needed. “This should continue as a top priority for CIOs in 2021 and beyond,” Gill said.

Rothman added that for South African businesses, a dual pressure is also looming in the form of the Protection of Personal Information Act (POPIA) which came into effect in July 2020 – and carries with it major financial and reputational risks for businesses that don’t comply. “Yet while this risk landscape can appear both daunting and overwhelming for businesses already under operational pressure, there are immediate, cost effective and accessible steps to take in order to become both more secure and to ensure data security compliance,” he noted. “Arguably, however, it must begin with an understanding that cybersecurity and information assurance are not technology problems: these are business challenges that are usually solved by implementing robust business processes (in addition to strategic technology solutions).”

Compliance and security

Emad Fahmy, Systems Engineering Manager, Middle East, NETSCOUT, said it is now clear that moving forward, remote and hybrid work are becoming a more common alternative in the corporate world regionally. Fahmy said while the magnitude of this shift is still to be determined, the needs of remote and home-based users present a strategic challenge to IT organisations. “These employees maintain high expectations regarding the performance of business applications hosted in data centres and cloud or from SaaS providers,” he said. “The unprecedented switch to remote work and learning creates a massive strain on network, security and application infrastructures. Even the smallest DDoS attack could affect remote user access to corporate resources. Employees must now rely on VPNs to access vital business applications such as finance, HR, and engineering, making VPN endpoints a critical business lifeline.”

He pointed out that DDoS represents a significant threat to Business Continuity. “DDoS attacks can target the mission critical business applications that your organisation relies on to manage daily operations, such as email, salesforce automation, CRM and many others,” he said. “Thus, in addition to managing employee and customer experience and ensuring the availability of important services and applications, CIOs and IT teams have the additional obstacle of defending their enterprise against cyberattacks as well.”

Rothman explained that leaders need to understand that becoming compliant does not make an organisation secure. “Just because you have a control in place doesn’t automatically make it effective. And sadly, in many instances, the lack of maintenance or skilled management of these controls renders them almost useless from the outset,” he said.

With this in mind, Rothman has some immediate and practical steps to consider on the journey to bolstering cybersecurity (and ensuring business sustainability in the long-term).

According to Rothman, harnessing existing assets by configuring them correctly and creating visibility with smart monitoring solutions will go a long way in bolstering cybersecurity and ensuring Business Continuity in the event of a disaster.

Lucas Jiang, General Manager, TP-Link MEA, said CIOs across industries have faced some challenges as their Business Continuity plans were put to the test by the ongoing COVID-19 pandemic. Jiang said one of the significant challenges has been around onboarding new employees remotely. “A Business Continuity plan needs to include the use of endpoint mobility management systems to set up new employees remotely smoothly. Securing company assets has been another challenge faced by many who have moved to smaller offices or moved out of their offices altogether,” he said. “CIOs must have a plan in place to help secure company devices virtually and help businesses sync their devices into their asset management. Managing technology that is not sufficient has also been a big challenge faced by many, for which the only answer is upgrading their technology and services to help employees work better and operations run more smoothly.”
