Most organisations fail to appreciate the importance – and benefits – of testing when it comes to business continuity … and cyber resilience.
At ContinuitySA, client service manager Wayde Anderson says: “We live and breathe testing because we know that the only way to ensure that a business continuity plan actually works is to test it–rigorously and frequently. A disaster is no time to find out that the plan has serious flaws.”
Rehearsals are critical, but testing is much more than that. The often overlooked benefit of testing is that by feeding the results of each test back into the business continuity plan, the plan becomes better in every way.
The same logic holds good when it comes to cyber resilience. The Business Continuity Institute’s Cyber Resilience Report revealed that two-thirds of organizations had experienced at least one cyber security incident during the previous year, and 15% had experienced at least 10.
As one speaker at a recent seminar said: “There are basically two types of organisation in the world today: The first has been a victim of cybercrime and is aware of it… the second is simply not aware that it is a victim.”
So improving your ICT system’s ability to withstand an attack, and to recover from if your defences are breached, is eminently sensible.
The first order of business is clearly to ensure that cyber security is integrated into the business continuity plan, and thus into the regular testing cycle.
Testing, and particularly crisis simulations and penetration testing, help identify weaknesses and also help to refine the business continuity plan. Incident management, which naturally forms part of a test, also contributes to cyber resilience because, as numerous examples show, how an unexpected incident is managed is critical to limiting the damage it causes, both in the short and long terms.
In short, testing your cyber security measures will initiate a virtuous cycle of improvement, acting as a training regime to keep your cyber security in peak condition, and thus building resilience to even the unexpected. Crucially, it enables you to take a proactive stance against cyber criminals, to be prepared for whatever they do.