DigitalXRAID

Business Continuity Planning: Because Chaos Rarely Sends a Calendar Invite 

The business world spins faster each year, and with it, the stakes grow ever higher. Think about the following situation: it’s 3am on a Tuesday, and your phone buzzes with the call every security leader dreads. Your company’s crown jewels have been compromised, systems are down, and thousands of customers are unable to access your services and the business is losing money. This isn’t a hypothetical scenario. This has happened countless times and it can happen at any time, it is the new reality of doing business. 

Table of Contents

Key Takeaways

  • Cyber incidents are inevitable — the real question is whether your business is ready to respond and recover.
  • Many critical assets are overlooked, especially systems with hidden dependencies or underestimated impact.
  • Outdated or untested business continuity plans often fail in real incidents due to flawed assumptions.
  • Effective BCPs require continuous testing, stakeholder involvement, and scenario diversity — not just IT-driven tabletop exercises.
  • True resilience means dynamic response capability, not static documentation — readiness, adaptability, and recovery speed are key.

The Uncomfortable Truth

Back in March 2012, former FBI Director Robert Mueller stood before an audience at the RSA security conference and delivered a stark warning that still echoes through boardrooms today. He quoted Dmitri Alperovitch, McAfee’s Vice President of Threat Research, who had made an astute observation the year before: “There are only two types of companies—those that know they’ve been compromised, and those that don’t.” 

Mueller didn’t stop there. He added the uncomfortable addition that it was no longer a question of ‘if’ a breach will occur, but ‘when’ and ‘how often’. 

Thirteen years later, these words have proven prophetic. We’ve witnessed household names such as SolarWinds, British Airways, Capital One, Equifax all falling victim to sophisticated attacks, and some to mistakes and errors in processes and procedures. These weren’t fly-by-night operations with questionable security practices; they were organisations that many considered bastions of modern business with billions in turnover. 

So the question is no longer ‘if’ your organisation will face a major incident in the future, whether it stems from a malicious cyberattack, a natural disaster, or human error. The question isn’t whether you’ll be ready when it does. 

business continuity planning meeting

The Critical Asset Illusion

Executives believe that they know their critical assets, but do they really?  

A company believed they had identified their crown jewels; their production database and customer management system. They spent months cataloguing these assets and felt secure in their knowledge. Then came the incident: a ransomware attack that didn’t target their identified crown jewels at all. Instead, it crippled their seemingly innocuous printer management system, which, unbeknownst to them, was connected to the production network. Within hours, their entire manufacturing line had fallen over. 

This scenario plays out more often than you’d think because organisations focus on what they perceive as important whilst overlooking the interconnected web of dependencies that modern business relies upon. 

The Real Questions About Your Crown Jewels

Before you can confidently state that you know your critical assets, you must have considered these essential questions: 

Location Intelligence: Do you know the geographical location of your assets? Not just that they’re “in the cloud”, but the actual data centres, regions, and jurisdictions they occupy? When AWS had its infamous outage in 2017, companies discovered that their “distributed” systems were all housed in the same availability zone. 

Access Management: Who has access to these systems, and when did you last review this access? This includes third-party vendors, former employees whose access might linger, and service accounts that may have been forgotten. The Colonial Pipeline attack in 2021 began with a single compromised password, which is an important reminder that access management isn’t just an IT concern; it’s a business survival issue. 

Dependency Mapping: What is each system connected to? What’s the blast radius if one fails? That small system or service might be the single point of failure that brings down your entire operation. Understanding these dependencies isn’t just about drawing network diagrams; it’s about understanding how your digital systems and services interconnect and what happens when they fall over. 

Failure Impact Analysis: What actually happens when each system goes down? This requires honest assessment, often involving tabletop exercises that reveal uncomfortable truths about operational resilience. 

Data Classification: What data resides on each system, and how is it classified? GDPR has made this question particularly pressing, but it’s also fundamental to recovery prioritisation. Some data losses are inconveniences; others are existential threats. 

The Business Continuity Plan Reality Check

Many organisations proudly point to their business continuity plans (BCPs) as evidence of their preparedness. These documents, often residing in pristine SharePoint sites or printed binders, represent months of work and considerable investment. But when crisis strikes, these same plans often prove inadequate. Not because they’re poorly written, but because they’re based on assumptions rather than reality or they are legacy documents that have not been reviewed or tested in some time. 

Business Continuity Planning

The Uncomfortable BCP Questions

System Hierarchy: You must be able to definitively state which systems you can live without, and for how long. A European bank discovered during a major outage that their “non-critical” reporting system was actually essential for regulatory compliance. Without it, they faced potential regulatory action within 24 hours. 

Departmental Criticality: Which departments are truly essential for your continuing business operations? If the building’s on fire (literally or figuratively), production and customer service likely take precedence over something like HR or marketing. However, this analysis must be nuanced. That HR system might seem secondary until you realise it controls building access during a security lockdown or it is integrated with your payroll system and without it you are unable to pay your employees. 

Accessibility During Crisis: Will your BCP be accessible when you need it most? If your business continuity plan lives on the same network that’s just been compromised, you’ve got a problem. The most elegant plan is useless if no one can access it during the crisis it was designed to address; sometimes the lowest technological simplest solution is the best. 

Authority and Responsibility: Who can actually enact your BCP? Is it just the CISO, or do others have the authority to make critical decisions? During the 2017 WannaCry outbreak, some organisations were paralysed not by the malware itself, but by decision-making bottlenecks as executives struggled to reach the one person authorised to activate emergency procedures. 

Sequential Recovery: You cannot simply switch everything back on simultaneously after an outage. Systems have dependencies, and the order of restoration matters enormously. Bringing up your database before your network infrastructure is like trying to fill a bucket with no bottom—it’s not just ineffective; it can cause additional damage. 

The Testing Paradox

There’s a world of difference between testing and truly validating your plans. Let me give you are a real example of this. 

A financial services firm conducted annual BCP tests that consistently received glowing reports. Their tabletop exercises ran smoothly, stakeholders knew their roles, and documentation was pristine. Then came a real incident… a phishing attack that compromised multiple systems simultaneously. Within the first hour, it became clear that their beautiful plans were based on single-system failures, not the cascading, multi-vector attack they faced. Their testing had been thorough and detailed but the overall scope was narrow, missing the complexity of real-world scenarios. 

Working with an expert cyber security partner can mitigate the risk of under scoping your table top exercises. An experienced cyber security provider with a deep knowledge of both offensive and defensive cyber security will have the breadth of knowledge of multi-vector attacks to be able to define accurate scenarios suited to your business and industry.  

Business Continuity is important for businesses

Beyond Tick-Box Testing

Comprehensive Participation: Who participates in your tests? If it’s just the IT team, you’re missing crucial perspectives. Real incidents affect every department, from facilities management (who controls physical access during lockdowns) to communications (who manages customer and media relations). 

Continuous Improvement: Testing isn’t just about validation; it’s about discovery, looking under the “carpet” and behind the “curtains”. Each test should reveal gaps, assumptions, and improvements. If your tests consistently show everything working perfectly, you’re probably not testing the right things or with sufficient rigour. 

Scenario Diversity: Are you testing different types of incidents? A cyberattack requires different responses than a natural disaster, which differs again from a supply chain disruption. Your BCP should be flexible enough to handle various scenarios, and your testing should reflect this diversity. 

Real-World Constraints: Do your tests account for real-world constraints? It’s one thing to activate procedures during a planned exercise on a Tuesday afternoon; it’s quite another to do so at 3am on Christmas Eve when half your team is unreachable. Does your company have that savant who knows everything about specific services and systems? If so, what happens if this person is unavailable for the entire incident? 

The Strategic Dimension

Business continuity isn’t just about keeping the lights on; it’s about understanding what constitutes a viable business during crisis. This requires honest answers to uncomfortable questions. 

Let’s explore what real validation looks like. 

Revenue Runway: How long can your organisation survive without revenue? This isn’t just about cash flow; it’s about understanding your absolute minimum operating requirements. Some organisations discover they can maintain basic operations for months, whilst others realise they’re frighteningly dependent on continuous income streams. 

Minimum Viable Business: What’s the smallest subset of functionality that allows you to remain operational? This concept, borrowed from the startup world, forces organisations to identify their true core functions versus nice-to-have features. 

Client Communication: How and when do you communicate with customers during incidents? The temptation is often to say nothing until you have complete information, but customers in the dark often assume the worst. Having pre-prepared communication templates and clear escalation criteria can mean the difference between maintaining trust and losing customers permanently. 

Stakeholder Management: How do you balance transparency with operational security? Employees need enough information to do their jobs effectively, but too much detail can create additional risks and create unnecessary fear, uncertainty, and doubt (FUD). Finding this balance requires clear policies and practiced communication skills. 

Designing your business continuity plan

The Recovery Reality

The immediate response to an incident often receives the most attention, but returning to business as usual is equally critical and often more complex. Recovery isn’t just about restoring systems; it’s about rebuilding confidence, relationships, and operational rhythm. 

Data Triage: Not all data is created equal. Understanding what you can afford to lose (and what you absolutely cannot) helps prioritise recovery efforts and resource allocation. This analysis should happen before the incident, not during it. 

Stakeholder Confidence: How do you rebuild trust with customers, partners, and employees? The companies that emerge stronger from major incidents are often those that handle the recovery phase with transparency, accountability, and clear improvement commitments. 

Operational Rhythm: Returning to business as usual isn’t just about system functionality; it’s about re-establishing the rhythm and confidence that drive effective operations. This human element is often overlooked but is crucial for long-term recovery. 

The Modern Reality

Today’s business continuity challenges extend far beyond traditional disaster recovery. The shift to remote work, cloud dependencies, supply chain complexity, and increasing regulatory requirements have created new vulnerabilities and dependencies that many organisations are still learning to manage. 

Consider the complexity of a modern incident: your primary cloud provider experiences an outage affecting your customer-facing applications. Simultaneously, your remote workforce cannot access corporate systems, your third-party payment processor is also affected (because they use the same cloud provider), and your customers are flooding social media with complaints. Traditional BCP approaches, focused on single points of failure, struggle with such interconnected scenarios. 

The Path Forward 

Effective business continuity in the modern era requires a fundamental shift in thinking. Instead of preparing for specific scenarios, organisations must build adaptive resilience with the ability to respond effectively to unexpected situations. 

This means moving beyond static plans to dynamic capabilities: cross-trained teams who can adapt to various roles, flexible infrastructure that can scale and shift as needed, and decision-making frameworks that work under pressure and uncertainty. 

It also means accepting that perfect preparation is impossible. The goal isn’t to prevent all incidents but to build the capability to respond, adapt, and recover quickly when they occur. 

As Helmuth von Moltke observed in the 19th century, “No plan survives first contact with the enemy.” In cyber security and business continuity, this wisdom remains startlingly relevant. The organisations that thrive aren’t those with perfect plans, but those with the resilience, adaptability, and preparedness to respond when those plans inevitably require adjustment. 

The question isn’t whether your organisation will face a major incident. In reality, it probably will. The question is whether you’ll be ready not just to survive it, but to emerge stronger on the other side. In an era where business moves at digital speed, that readiness isn’t just a competitive advantage; it’s a fundamental requirement for survival. 

Cyber Protection - speak to an expert

So, the question is, when your phone rings at 3am: will you be ready to answer it? 

If the answer isn’t an emphatic yes. Reach out and talk to one of our team about how you can bolster your resilience with table top exercises and consultancy around business continuity planning.  

Drew Heron, Information Security Consultant at DigitalXRAID, is an experienced GRC Specialist, who excels in maintaining Information Security Management Systems (ISMS) and overseeing various cybersecurity governance and risk functions. 

Previous Article

In-House vs Managed SOC: Which Is Right for You?

Next Article

DigitalXRAID announces acquisition by Limerston Capital

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.

Speak To An Expert

cybersecurity experts
x

Get In Touch

[contact-form-7 id="5" title="Contact Us Form"]
DigitalXRAID
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.