Business is great until a BREACH hits the fan

by Gerardo Guerrero

There’s no better feeling than owning or managing a successful business. You feel on top of the world. Profits and revenue are at an all-time high. The economy is booming and the public loves what your business offers. You may even feel unstoppable. The Fortune 500 list is in your line of sight. Then suddenly disaster strikes! Business operations cease, and revenue and profit come to a screeching halt. What could have caused this? You get word that there’s been…a disaster.

Disasters seem to come out of nowhere and are very unexpected. All companies are susceptible to disasters. For instance, on November 25, 2016, the San Francisco Municipal Transportation Agency was the victim of a ransomware attack that suspended the train ticketing and bus management systems; the attacker group demanded 100 Bitcoin in ransom. In 2013, Cantey Technology, an IT company that hosts servers for over 200 clients, had an office building struck by lightning, which caused a massive fire. Terminated IT employees have gone rogue and intentionally harmed businesses’ networks, leaving them inoperable. Many natural disasters, such as hurricanes, tornadoes, and earthquakes, have crippled businesses. The list goes on and on. It is not possible to guarantee 100% prevention of any of these incidents, but there are ways to recover from them.

So how does a business recover from a disaster? Most organizations have what is called a Business Continuity Plan (BCP). The BCP contains plans and procedures that can speed up recovery and help return the organization to normal operations. They also help to mitigate the effects of a disaster. A well-documented BCP should be constantly reviewed and updated to keep up with ever-changing cyber attacks and the ways disasters cause destruction. A Disaster Recovery Plan (DRP) goes hand in hand with the BCP. The DRP is a more technical plan that describes activities such as backups, recovery sites, and fault tolerance. Both plans are designed to keep operations running and to restore them as soon as possible after any disruption.

Some organizations do not have any of these formal plans in place. The argument against implementing a BCP is that the business has always survived without a plan and that, in the event of a disaster, senior management will figure something out when the time comes. The problem with this “seat-of-the-pants” attitude is that the business loses money while trying to recover without a plan to follow. There is no estimated time for getting operations back to normal, and no prior testing to ensure that recovery is possible. It is always best to plan ahead for the worst.

It is very important to know where to start when it comes to Business Continuity Management. Four elements make up the BCP process: project scope and planning, business impact analysis, continuity planning, and approval and implementation. Before the process begins, a BCP Team has to be selected. Choosing the right individuals to create, maintain, and put the BCP into action when needed is another important task. The Team’s responsibilities also include frequently updating and testing the plan. This shouldn’t be just another task for the IT and security departments. The plan needs input from other operational and support departments. The Team should include senior management, representatives from each of the business’s departments, business unit team members from functional areas, and IT and cybersecurity members if available. Legal representatives should also be included, as well as any vendors the business utilizes. The plan should take into account the knowledge possessed by the individuals responsible for day-to-day operations. The BCP Team should be as diverse as possible and still operate in a well-balanced manner.

One of the BCP Team’s most important responsibilities is risk identification. The Team should follow a 5-step process: identifying priorities, identifying risks, assessing likelihood, assessing impact, and prioritizing resources. The recovery strategies should include more than just technology. All of this information is included in what is called a Business Impact Analysis.

Testing and tabletop exercises are a key element of the BCP process. According to (ISC)² CISSP Certified Information Systems Security Professional: Official Study Guide, “The BCP documentation should also outline a formalized exercise program to ensure that the plan remains current and that all personnel are adequately trained to perform their duties in the event of a disaster.” These tests should be performed regularly or any time changes are made to the BCP.

Vala Secure offers services to help with the BCP process. We have a Virtual Information Security Officer service that can assist the BCP Team with ongoing support and maintenance of the BCP, as well as creation or management of the Business Impact Analysis, tabletop exercise scenario planning, and a Disaster Recovery walk-through test. Vala Secure certified cybersecurity consultants review an organization’s Business Continuity Plan, which is part of a comprehensive Technology Audit that is based on FFIEC standards. Get in touch with Vala Secure for more information on how we can help your organization be prepared when disaster strikes at



“A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time.” Digital Guardian, 19 Nov. 2018.

Rock, Tracy. “6 Real-Life Business Continuity Examples You’ll Want to Read.” Invenio IT. Accessed 15 Mar. 2021.

Chapple, Mike, et al. (ISC)² CISSP Certified Information Systems Security Professional: Official Study Guide. Eighth edition, John Wiley & Sons, 2018.