In mid-May, the Western Cape Parliament’s technology systems went offline after a cyberattack. While this event was undoubtedly bad for productivity, they could at least recover from the attack thanks to data backups, business continuity, and disaster recovery plans.
Every business must have such measures in place, says Jim Morrison, account manager at Sithabile Technology Services: “The simple fact is that it’s easy to become a cybercrime victim, experience a catastrophic equipment failure, or an employee accidentally loses important data.
“That’s why we tend to say ‘when, not if’ about cyber risks, especially cyberattacks. Unfortunately, automated tools and the low risk of prosecution means cybercrime is as opportunistic as a street mugging. If you want to reduce risks from cyberattacks and employee mistakes, you need to have both prevention and cure in place. Business continuity and disaster recovery plans can cover both those bases.”
Yet despite often being used interchangeably, business continuity (BC) and disaster recovery (DR) are different. So is data loss prevention (DLP). How can you tell the difference between BC, DR and DLP?
Building a resilient business
The concept of resilience has become very popular since the pandemic. Books such as Antifragile and Grit inform discussions on how people and organisations can reduce harm from unexpected changes and challenges.
Yet while we can cover volumes on exploring resilience, it’s a straightforward proposition for an organisation, says Morrison, “Business resilience is about how well your operations can resist negative disruption or recover from such disruption. It’s like losing the keys to your office front door: how quickly can you find a replacement key and open up so that people can get to work?”
The cornerstone of business resilience is business continuity planning, supported by disaster recovery and reinforced by data loss prevention:
* Business continuity: BC is there to help an organisation continue operating through a disruptive event, and BC planning is to identify critical operational areas, then put policies and processes in place to help those through planned and unexpected disruptions.
* Disaster recovery: As the name suggests, DR steps in when something goes wrong. Specifically, it focuses on recovering technology systems and data in the event of a disaster, bringing them back to operational status.
* Data Loss Prevention: DLP is an ongoing effort to track and secure data through policies and processes, often automated, preventing accidental losses or intentional data theft.
The Resilience Pyramid
Business continuity is the strategic master plan. It determines what is important, what could threaten those critical areas, how to reduce those risks, and what to do when something goes wrong. Disaster recovery often guides the tangible parts of that strategy, particularly for assets: what data or applications are important, how they are being backed up, and the appropriate timelines and priorities to recover systems. Data Loss Prevention aims to prevent disaster recovery by determining measures such as encryption, access controls, and employee training.
“You can visualise resilience as a pyramid. Business continuity is at the top, while disaster recovery and data loss prevention form the foundations. You make BC plans, then use DLP to support prevention and DC to support recovery,” says Morrison. “If you don’t know where to start, always start with BC planning. That’s your guiding light. Once you have a grasp on BC needs, you’ll see where DR and DLP fit in.”
The trinity of business continuity, disaster recovery and data loss prevention form the most robust approach against cyber-related risks and help mitigate many other disruptions, such as fires, equipment failure and even loss of people. And if done correctly, this trinity helps employees be more productive inside a highly secure business.
This is why it’s important to distinguish these three disciplines. But while their definitions are straightforward, every business has unique needs. Poorly designed interventions can be worse than none since they create a false sense of security, and ample gaps for criminals to exploit.
“BC, DR and DLP are not just products you pull from a shelf or a cloud app store. They need alignment with your business. It’s worth the effort to engage with professionals to put the right measures in place. When disaster strikes, you’ll be glad they did. Because if you don’t have a plan, all you’ll get is chaos.”