The COVID-19 pandemic made working from home a reality for millions of Americans. While data shows that the American workforce is returning to the office, Stanford University estimates that 27 percent of full-time days are spent working from home. Prior to the COVID-19 pandemic this number was closer to five percent. As Hagerty Consulting (Hagerty) continues to support clients with remote or hybrid workforces, we have found that integrating business continuity planning processes with cybersecurity practices is critical to organizational resilience.
Since 2020, Hagerty has seen three major changes at the nexus of business continuity and technology recovery planning:
The Potential Impacts Of Cyberattacks And Communications Outages Have Increased
When employees work remotely, their connection to coworkers and clients is heavily reliant on access to the internet and various tools that their companies use to communicate and store information. Unplanned outages and cyberattacks have the potential to result in a complete halt of work.
For example, in 2022, Hagerty worked with a state entity that kept all its emergency contact information on a cloud-based application. In an emergency, it would be easy to find the phone numbers of other employees, but during an outage, teleworking employees would be unable to reach anyone on their teams because they could not access the roster. Hagerty identified this single point of failure as part of the planning process and added the possibility of backup and redundant systems in the final plan.
Backup Facilities Can Be Anywhere
In continuity of operations planning, backup facilities are where work takes place if primary facilities are inaccessible. Remote work has dramatically increased the flexibility of relocation planning by expanding potential backup facilities to anywhere with an internet connection. However, Information Technology (IT) planners play an important role in ensuring employees have connectivity and can access the data and software they need to conduct their functions remotely. This flexibility often comes with a cost – if employees are scattered across a county, state, or country, there is a greater chance that any individual employee is impacted by a disaster. As a result, Hagerty has updated our process for conducting risk assessments to account for locations where employees conduct business – both in the office and at home.
Business Continuity Increasingly Relies On Personal Preparedness
Virtual work has reinforced the importance of business continuity and IT planners integrating planning, training, and exercise processes into employee training and onboarding. In a remote environment, organizations can no longer assume employees and information are safe because offices and networks are secure. When employees work from home, they should always follow best practices for personal preparedness and technological hygiene.
Hagerty has a variety of recommendations that remain conscious of different budgets, from redundant methods of accessing digital files to investing in generators and batteries that can maintain power during storms. When producing training documents, Hagerty recommends supporting employees by offering hands-on educational opportunities that can increase personal preparedness. Hagerty also includes client-specific recommendations for those working from home, such as best practices for accessing customer data remotely, using unsecured networks, and defending hardware from unauthorized access.
Integrating Business Continuity And IT
Business continuity and IT often operate in separate silos. By working together, they can ensure organizational and operational resilience, especially if they are supporting remote and hybrid workers. To meaningfully integrate IT into business continuity planning, Hagerty has incorporated the following tenets in our clients’ project workflows:
- Bring IT To The Table Throughout The Planning Process
Business continuity planning requires coordinating with multiple stakeholders throughout the organization. IT plays a role in continuity and recovery for all divisions. When building business continuity plans, Hagerty includes clients’ IT in kickoff meetings and asks for confirmation of vital records, and software and hardware essential for all functions. This ensures stakeholders are aware of their roles and expectations. At one state agency, Hagerty facilitated an IT meeting to review critical software used across the organization. The IT representatives identified numerous pieces of software that had been replaced, allowing Hagerty to use the discussion as an opportunity to recognize IT modernization efforts and to address deficiencies in tracking updates across the organization. Recognizing the vast IT world that organizations manage daily, this discussion bridged gaps within and across different organizational domains in the final plan.
- Align Planning Processes And Share Resources
Business continuity and technology recovery planning share multiple steps, meaning business continuity and IT planners can save time and build relationships by working together to create a business impact analysis, risk assessment, and any other shared planning resources. Hagerty frequently helps clients who are commencing technology recovery plan updates alongside a business continuity plan. This is an excellent opportunity for the planning teams to align assumptions, especially of recovery time objectives for critical software.
- Conduct Joint Exercises
Instead of involving IT only during exercises that involve cyberattacks, coordinate early and often. Hagerty recommends using a non-cybersecurity scenario in the initial continuity exercise to highlight IT’s role in facilitating the organization’s essential functions. When employees work remotely, every scenario can have significant IT impacts.
While Hagerty can assist at any stage of the planning process, we have seen great success when business continuity and IT plan updates occur simultaneously. This allows the planning teams to take advantage of overlaps in the planning, training, and exercising process, including joint exercises that meet both business continuity and IT goals.
Conclusion
According to the World Economic Forum’s (WEF) Global Risks Report, cybersecurity is ranked number eight among the top ten current and future risks facing the globe. In response to the rapidly evolving cybersecurity risk environment, Hagerty developed the Cyber Nexus Approach (CNA), leveraging existing practices and research to seamlessly unite emergency management and information technology (IT) stakeholders as they collaborate to manage complex cyber incidents.
As organizations continue adapting to the teleworking era, business continuity and IT recovery planners will need to integrate planning efforts. October is Cybersecurity Awareness Month – an annual observance and collaborative campaign between the Cybersecurity and Infrastructure Agency (CISA) and the National Cybersecurity Alliance (NCA) that promotes the importance of cybersecurity – making today a great time to prepare for the risks your business/community may face in the wake of a cyber incident. Whether you have years of continuity and technology recovery planning experience or have just begun your journey, Hagerty can help you make a business continuity program that accounts for your organization’s risks, including the changing world of work.
Ethan Arvanitis is a Preparedness Associate at Hagerty Consulting. As a continuity of operations planner, Ethan has assisted clients with their business continuity and resilience needs. He has experience and subject matter expertise related to cybersecurity for emergency managers and has created cyber and physical security coursework for multiple clients. Prior to Hagerty, he served on the Volunteer Search and Rescue Squad for Pomona College in Claremont, California where he trained others in first-aid, search and rescue techniques, and disaster leadership.