Business Continuity vs. Disaster Recovery vs. Backup on Cyber Policy Applications

Jed Fearon

Solution Advisor, 17+ years of experience in MSP Solution Development, Sales and Marketing Communications

You can learn a lot about technology from cybersecurity insurance applications.

You can also get confused, because some of the questions oversimplify terminology, cut across IT classifications, and suggest testing exercises that most SMBs cannot afford to undertake.

Understanding these distinctions will save you time on the cyber insurance application, give you a better appreciation of the business impact, and improve your odds of being approved for coverage.

Our recent review of an application inspired the following lingo decoder, covering five questions that appeared in a section labeled "Business Continuity & Disaster Recovery Planning."

#1 - Do you have a business continuity or disaster recovery plan?

Business continuity is concerned with keeping critical operations running (or getting them back quickly) during a natural disaster, fire, act of terror, active shooter incident, or cybercrime. In practice, that means limiting downtime.

Disaster recovery is the narrower piece: the specific steps for responding to a disruptive event and returning the enterprise and its resources (in practice, mostly IT systems and data) to their pre-disaster state.

Put another way, business continuity is the overall safety blueprint for the business (how, when, where, why, and to what extent operations continue), while disaster recovery is the "what happens if and when" playbook within it.

A warning, because it wasn't evident in the application: both plans cover resources far broader than hardware, software, and computers, including:

  • Employees
  • Office space, furniture, and equipment
  • Records (electronic data and hard copies)
  • Production facilities, machinery, and equipment
  • Inventory including raw materials, finished goods, and goods in production
  • Utilities (power, natural gas, water, sewer, telephone, internet, wireless)
  • Third-party services

Source: Ready.Gov Business Continuity

#2 - When was it last tested?

This follow-up asked when the business continuity or disaster recovery plan was last tested: less than 12 months ago, more than 12 months ago, more than 24 months ago, or never.

Data backup is one subcategory of disaster recovery, and restore tests are cheap and routine. Comprehensive business continuity and disaster recovery readiness testing is a different matter and is not feasible for most SMBs: a full-fledged exercise is disruptive to operations, while a scaled-down version isn't as accurate or complete.

Facets of such testing include, but are not limited to:

  • Team training exercises
  • Emergency simulations
  • Reading through step-by-step checklists
  • Evaluating and validating volumes of paperwork
  • Performing walkthroughs to observe process flow
  • Testing alternate sites for parallel function and performance
  • Relocating data and staff
  • Shutting down and relocating all resources to simulate the response to a total interruption

Can you afford this? Not many businesses would say "yes." Your risk tolerance and available resources will drive the size and scope of your process. The lighter-weight items on that list (tabletop read-throughs of the checklists, walkthroughs of process flow) are what most SMBs can realistically do, and a dated record of having done them is what lets you answer this question honestly.

Learn More: Disaster Recovery Plan Examples from IBM

#3 - Do you maintain regular backups (at least monthly), and are they in an encrypted format?

This question is a simple "yes" or "no" in two parts, and the cost of a "yes" is very reasonable for most SMBs. But first, a critique: monthly backups are not frequent enough. More on this in #5.

Why is encryption so important? Encryption keeps your data from being read by anyone without the key, so even if the backup repository is stolen or exposed, the copy is of no use to the threat actors. Two caveats the application does not spell out: encryption protects confidentiality, not availability (an attacker who can reach the repository can still delete or overwrite your encrypted backups, which is what question #4 is about), and it only helps if the keys are kept somewhere other than the backup repository and the systems being backed up. Encrypt backups both in transit to the offsite copy and at rest.

Learn More: How Encryption Works

#4 - Are your backups segmented from and inaccessible through the organization's network?

You can answer "yes" to this inquiry with a combination of an onsite backup appliance and offsite cloud backups, provided they are genuinely isolated. A network-attached storage device that workstations and servers can reach as an ordinary file share, using the same domain credentials, is exactly what ransomware looks for and does not count as segmented.

For example, a backup appliance can do its job in conjunction with cloud data centers in multiple geographies, each independent of the others, and the appliance itself is removable. What makes this arrangement "inaccessible through the organization's network" is that the appliance and the cloud copies use their own credentials (not Active Directory accounts), production systems have no standing write or delete access to the backup copies, and the offsite copy is versioned or immutable so that a compromised administrator account cannot purge it.

Or all of the backups can land in a combination of data centers in different cities without an onsite appliance at all.

Many companies use a physical backup appliance in conjunction with offsite cloud copies because of bandwidth constraints: frequent incremental backups are quicker to run on the local area network throughout the day, with the offsite copy replicated from the appliance.

#5 - What is the frequency of backing-up data, and do you test restoring from backups?

The application gives you four ways to respond: Daily, Weekly, Monthly, or None. (I can't imagine any serious business would choose the last one.)

We recommend daily incremental backups to an onsite appliance, replicated to several redundant and geographically diverse cloud data centers. Incremental backups can run as often as every 15 minutes and be mirrored offsite, with nightly automated testing to confirm that the backups can actually be restored. Note the second half of the question: a backup job reporting "success" is not a restore test. Restoring a sample of files, or booting a server image, from the backup copy is.

Insurance companies like this approach because a company hit by ransomware can't be held hostage and the impact is minimal. Even if every production system is encrypted, the company loses at most 15 minutes of data (its recovery point objective), and the chance of the attacker reaching both the onsite appliance and the independent cloud copies is low, provided the isolation described in #4 is real.
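To make the restore-test point concrete, here is an added example (not code from the original article or from any backup product) of what an automated nightly restore check can look like in Python. It writes a tar.gz archive of a constructed sample directory together with a SHA-256 manifest, restores the archive into a scratch directory, and compares every restored file against the manifest; it then repeats the check against an archive that silently diverged from the manifest to show that the test catches it. The directory layout, file names and contents are all constructed for the example.

```python
"""Added example: a minimal automated restore test.

A backup job that reports "success" only proves that an archive was
written. The insurer's question is whether you can restore from it, so
this script:
  1. archives a directory and records a SHA-256 manifest of its files,
  2. restores the archive into a scratch directory,
  3. hashes every restored file and compares it against the manifest.
All input is constructed inside a temporary directory; no backup product
or network is involved.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_archive(src: Path, archive: Path) -> None:
    """Write every file under src into a gzip-compressed tar archive."""
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src).as_posix())


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and return {relative_path: sha256} for its files.

    The manifest is also written beside the archive so the restore test has
    an independent record of what the backup was supposed to contain.
    """
    manifest = {
        p.relative_to(src).as_posix(): sha256_file(p)
        for p in sorted(src.rglob("*")) if p.is_file()
    }
    write_archive(src, archive)
    (archive.parent / (archive.name + ".manifest.json")).write_text(
        json.dumps(manifest, indent=1)
    )
    return manifest


def restore_and_verify(archive: Path, manifest: dict, scratch: Path) -> dict:
    """Extract the archive into scratch and hash-check every file.

    Returns {"restored": n_ok, "missing": [...], "corrupt": [...]}.
    """
    with tarfile.open(str(archive), "r:gz") as tar:
        members = []
        for m in tar.getmembers():
            # Refuse absolute paths, traversal and non-regular files so a
            # tampered archive cannot write outside the scratch directory.
            if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                raise ValueError(f"unsafe member in archive: {m.name}")
            members.append(m)
        tar.extractall(str(scratch), members=members)

    missing, corrupt = [], []
    for rel, expected in manifest.items():
        restored = scratch / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_file(restored) != expected:
            corrupt.append(rel)
    return {
        "restored": len(manifest) - len(missing) - len(corrupt),
        "missing": missing,
        "corrupt": corrupt,
    }


def demo() -> tuple:
    """Run a passing restore test and a failing one on constructed data."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        archive = tmp / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        good = restore_and_verify(archive, manifest, tmp / "restore_good")

        # Simulate a backup that silently diverged from the manifest, e.g. a
        # file truncated by a failed write after it was hashed.
        (src / "finance" / "ledger.csv").write_text("")
        bad_archive = tmp / "nightly_bad.tar.gz"
        write_archive(src, bad_archive)
        bad = restore_and_verify(bad_archive, manifest, tmp / "restore_bad")
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("healthy backup:", good)   # 2 restored, nothing missing or corrupt
    print("damaged backup:", bad)    # finance/ledger.csv reported corrupt
```

The design choice worth copying is that the manifest is taken from the source before the archive is written and kept separately from it, so the check is against what the backup was supposed to contain rather than against whatever ended up in the archive. A real nightly job would run the same verify step against the offsite copy, not only the onsite one, and alert on anything in "missing" or "corrupt".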

What's Next?

Be sure your MSP plays an integral role in helping you qualify for cyber liability insurance that covers data breaches, ransomware events, or phishing schemes.

They should know all of these details and where all the high-risk, legacy servers are buried.

Your MSP can also assist with developing comprehensive business continuity and disaster recovery plans, including the selection of third-party specialists.

If you enjoyed this article, you will probably like the related content in our free eBook.