I guess most people would say yes, but I am sorry, as everyone knows there is no such thing as a free lunch. In reality there is also no such thing as 100% information security, or at least I am not sure you actually want that, given the associated implications for your business and bottom line. Protecting the Confidentiality, Integrity and Availability of information has to be done in a balanced way. If, for example, you are a business providing cloud services to your customers, you need to strike a balance between being able to operate as a business, providing availability and protection for your customers' information, and making it easy for your customers to use your service.
The balance can be found by using a risk management process. Risk is a combination of how likely a threat is to cause an incident and the consequence of that incident taking place. Risk only exists when a threat and a corresponding vulnerability both exist. To reduce the likelihood you apply preventive measures such as IT security policies, training and awareness, operating procedures, access control, antivirus, firewalls, etc. To reduce the consequence you apply corrective measures such as Business Continuity Plans (BCP) and Disaster Recovery (DR) procedures.

There is often discussion and confusion over the definitions of the terms BCP and DR. My view is that the BCP is there to ensure that adequate temporary measures are brought into play as fast as required, so that ongoing customer activity is maintained. The DR should focus on getting the original facilities back into full working order as quickly and cost-effectively as possible, so that the organisation can transition back from its temporary arrangements (the BCP) to more permanent ones.

Coming back to my starting point, "There is no such thing as 100% information security", most people agree with this, and the logic is then that things will go wrong at some point no matter how many preventive measures you put in place. It is therefore of particular interest that very few organisations actually have a BCP and DR in place, and if they do, they are often not tested, trained or regularly reviewed and updated.

I think it is also worth noting that one of the least expensive areas of an information security defence is the BCP/DR area. OK, I know that if you want to have redundancies the cost will increase significantly, but purely from having plans defined, responsibilities defined, procedures, communication, testing and training, the cost is insignificant compared to the cost of not being able to operate as a business for perhaps days.

Using my earlier example of a cloud service business, I think trust is a key word in the relationship between the service provider and the customer. What better way to create trust than to build and implement a solid BCP and DRP (and here I mean not just paper plans, which anyone can write, but plans you are regularly testing so you know they work and are appropriate). As a service company, the key measure from a customer perspective is not only how you keep a great service running 99.9% of the time, but rather how you handle the situation where things have gone wrong. If I know you can perform in both scenarios, I will reward you with loyalty, repeat business and referrals.

What is your view…is BCP/DRP not worth doing or definitely worth doing?