Post on 05-Aug-2020


Our Business is keeping You in Business

Q4 2017 In This Issue

Wishing you Health, Wealth and Resilience this Festive Season.

Cindy Bodenstein

Editor’s Note

Chronicles

Keeping ContinuitySA clients informed

A Time to be thankful

This time of year, we begin to really focus on what we are thankful for: the people and moments that make us truly grateful.

To our valued clients we are thankful for your business and support, you inspire us to do what we love. It’s been another busy year indeed and ContinuitySA’s highlight was our three awards we scooped at the BCI Africa Awards in September this year.

Inside this edition, we focus on planning and that it is the key to building a resilient company.

Companies should also look at factoring in natural disasters into their business continuity planning.

Take a minute and read our latest case study on the power of replication and backup.

Our training department have released their training dates for 2018 for both the five-day Business Continuity Management and ISO 22301 Lead Implementer training. If you are interested in any group bookings for your company, you can contact the training department directly or enquire online.

Be sure to diarise Business Continuity Awareness Week (BCAW 2018) which takes place from the 14th to 18th May 2018, globally. ContinuitySA will keep you posted to what the theme is for that week and will include a host of activities that will be taking place over this period both globally and in our various regions.

Finally, a big thank you to all our readers for your continued interest in our newsletter, it’s been an amazing year, with its successes and challenges all rolled into one, and from the ContinuitySA family we would like to wish all our readers, clients, suppliers and patrons a peaceful holiday season, travel safely and a Happy 2018 ahead.

• The power of professional replication and backup

• Complete practitioner training for 2018

• South African organisations must factor natural disaster into business continuity planning

• ISO 22301 training (Lead Implementer)

• Planning is the key to building a resilient company

CASE STUDY

THE POWER OF PROFESSIONAL REPLICATION AND BACKUP

When it fell victim to a devastating ransomware attack, this ContinuitySA client found out the hard way that all disaster recovery is not equal.

The client is a large services organisation, wholly reliant on its 24/7 call centre to receive and schedule client service requests. The majority of the service requests are urgent and relate to a range of emergency services.

This large service organisation fell victim to a ransomware attack using Samsam Prosperity 666, which had only been released 2 days prior to the attack. All its IT systems and data, including its telephony system, were encrypted by the ransomware app, and a large ransom in Bitcoin was demanded before the organisation’s systems and data would be unlocked. The organisation took the decision not to capitulate to the illegal ransom demand, and invoked a disaster with ContinuitySA, its long-term business resilience partner.

Later investigation showed that the cyber criminals exploited a temporary vulnerability when the organisation’s firewalls were upgraded and a security patch was not updated sufficiently quickly, a clear indication of how efficient these criminal syndicates are, and also that the organisation had probably been under long-term surveillance.

Because of the nature of its business, the first imperative was to shut down the network links between the client’s site and ContinuitySA, to isolate the recovery facility and prevent the ransomware app spreading to the recovery site. The next priority was to get its call centre up and running. The majority of its servers were replicated at the ContinuitySA data centre and were able to be brought up within a short time. Once the client’s staff had been relocated to the ContinuitySA data centre in Midrand, it was able to continue operating while its production environment was rebuilt.

Crucially, since ContinuitySA uses Veeam with ExaGrid technology as the backup target for server backup, these backups were unaffected by the ransomware. The ExaGrid/Veeam technology creates an “air gap” between the production systems and the backed-up data to prevent malware damaging the backups.

To save costs, the client had elected to do its own backup for a group of servers hosted at a third-party data centre to an ordinary network NAS drive. Unfortunately, these backups were not protected by the same technology and were compromised by the ransomware. This group of servers and their backups could not be recovered, which resulted in a loss of data that had a substantial financial impact.

As cyber-attacks, particularly ransomware attacks, become more frequent and sophisticated, it is essential that replications and backups are adequately quarantined from malware. Keeping backups/replications in a sanitised, protected environment is clearly critical, and emphasises the imperative for organisations to partner with a specialist business resilience and continuity provider like ContinuitySA, with access to leading-edge technology and processes.


• 12 - 16 February 2018

• 16 - 20 April 2018

• 23 - 27 July 2018

• 15 - 19 October 2018

Register online via www.continuitysa.com/training/register-here/

SOUTH AFRICAN ORGANISATIONS MUST FACTOR NATURAL DISASTER INTO BUSINESS CONTINUITY PLANNING

The recent floods highlight the fact that South Africa is vulnerable to its own set of natural disasters with the potential to disrupt businesses quite substantially. Flooding is a periodic danger in many parts of the country, including Gauteng and the Western Cape, while other natural disasters like water shortages owing to drought, wind and hail damage must be factored into sustainability planning, says ContinuitySA, Africa’s leading provider of business resilience services.

Compared to many other parts of the world, South Africa does have a relatively benign climate, but natural disasters do occur regularly, and can have devastating effects on businesses, as the recent floods have reminded us. Even a fairly localised climatic event can put an unprepared company out of business; responsible companies and their boards must factor natural disasters into their scenario planning to ensure staff safety in the event of a natural disaster, but also to ensure that the business has robust contingency plans to recover as quickly as possible.

Local companies must not forget that they are increasingly part of global supply chains, and so are affected by the impact of natural disasters elsewhere on their businesses.

For example, the tsunami that hit Japan in 2011 did not only devastate that country, it meant that many Japanese factories could not supply components needed in international supply chains; automotive and electronics companies were particularly hard hit. The massive hurricanes in the United States this year have affected certain supply chains as well.

In the connected, global world, no business is an island. Business continuity planning must take today’s long and complex supply chains into account.

Planning an emergency response to a flood, hurricane or similar event is obviously critical, but it is even more important that companies factor natural disasters into a comprehensive business continuity management plan.

Business continuity management is a much more comprehensive process that aims to identify and prioritise risks in terms of their potential impact on business processes, and put mitigation and recovery strategies in place. Coping with the disaster is just the start; you have to know how to get the business back up and running in the shortest time possible—and only business continuity management can do that.


Register online via www.continuitysa.com/training/iso-registration/

Planning is the key to building a resilient company

When disaster, any disaster, strikes is no time to realise you don’t have a plan.

Global governance codes and regulations recognise the duty of boards to take a long-term view, and that a key responsibility is to ensure the company’s sustainability. Immediate profit can no longer compromise growing shareholder value over the years. In part at least, this change in emphasis is driven by the fact that in today’s global business world, with its long supply chains and close integration between business partners, risks are both complex and highly contagious. The inability of a manufacturing plant in Japan to honour its commitments has an impact across many supply chains and countries. Similarly, a fire in a company’s factory will have an effect not just on that facility but on the whole company. Of course, an emergency plan to deal with a fire or industrial action is necessary (how to protect staff, save records, secure equipment and so on) but actually the real challenge comes next. Where will the staff report for work if their usual work areas are not accessible? What are the implications for other business processes, and partners? How will the disaster be communicated to the public, to stakeholders and so on?

In recognition of this complex set of interdependences, disaster recovery has expanded into the discipline of business continuity management, with its own set of global standards (among them ISO 22301) and a professional body, the Business Continuity Institute.

Business continuity is a process that needs to be managed throughout its entire life cycle, constantly being tested and improved. In the process, the company will not only be better able to respond to any disaster, it will hopefully be able to prevent most of them from materialising.

What’s the impact?

A business continuity plan begins with understanding what risks a particular company faces, and what their impacts are. Externally, this means surveying the risk landscape in which the company operates, but the internal review is even more important. The latter means understanding exactly what the business processes in the company are, and their relative importance to the achievement of the overall corporate strategy.

“Every owner of a business process believes it is critical, so this is actually an extremely difficult task,” “The person entrusted with business continuity management needs to engage with senior staff to prioritise business processes in relation to strategy. This Business Impact Analysis is critical because it will determine how quickly each process must be recovered, and how far back in time, which will in turn affect budget allocations.”

In more than two decades of helping companies across Africa to protect themselves from business interruption, ContinuitySA has learned that it is vitally important not only that the business continuity management process has buy-in from senior management, but that all employees are brought into the process. Once the Business Impact Analysis has been completed, it is possible to begin developing the plans for recovering each process based on the identified risks.

Because of the reliance of modern business on ICT, it follows that the business continuity plan will focus fairly heavily on IT disaster recovery and cybercrime, but IT is by no means all. Other key elements of the business continuity plan would include natural disasters like fire and flood, industrial action and epidemics, as well as terrorism. Power and water outages can also compromise a company’s ability to operate.

Many companies include a work-area recovery element to their plan. Business continuity providers can provide fully equipped office space at their own facilities, either on a dedicated or syndicated basis, so that clerical or back-office staff can be relocated relatively easily, and find their familiar systems and data accessible at the recovery site. Providing recovery sites for manufacturing facilities is obviously a much trickier proposition, but careful thought needs to be given to how to continue production in the event a particular site is rendered unusable for whatever reason.

Companies with more than one site can have plans in place to shift production to such sites, but arrangements to transfer key staff and rescheduling of production runs need to be carefully made. Other strategies could be to enter into an agreement with a competitor.

The key point is that there are many moving parts, and the plan needs to be thought-through in advance. Working out what to do with staff or where to move production is not something that can be done satisfactorily in the middle of a crisis.

In an emergency

As noted, emergency planning needs to be part of a wider business continuity management programme. But when an emergency occurs, any emergency, the following should be in place:

• A nominated response team that is well briefed and has specific tasks.

• All response team members must have personnel lists and contact details to monitor safety and communicate. A pre-set up WhatsApp group is a good idea. All staff mobile numbers must be on record.

• Assembly points and roll calls for an on-premise emergency. First aid kits on site.

• Preselected communication points noted for use as needed: top management, business partners, board chairperson, media, emergency response teams and, of course, the business continuity provider if there is one. One nominated media contact is essential.

• Re-route call centre and main business numbers as needed.

• Battle box in the event of having to relocate to recovery site. It would include physical items such as stationery, stamps and manuals. It’s a good idea to have a secure copy of all the passwords people need to access their systems as well as the shortcuts to frequently used corporate applications.

A process, not a destination

Like any business plan or strategy, it is important to understand that the business continuity plan has its own distinct life cycle. Risks and other circumstances change, for one thing; another is that perfection will never be attainable, so continuous improvement has to be the watchword.

No business continuity plan is worth anything unless it is regularly and thoroughly tested, and the results of each test are fed back into the plan. Some of this testing must take the form of real-life drills, rather than desktop testing, because these will provide the hard information about just how effective the response is and, more critically, its shortcomings. This iterative process is analogous to fitness training because it means that the company develops an innate resilience because it becomes more able to respond to, and recover from, any disaster.

A highly specialised element of any disaster response plan is crisis communications. Experience has shown that a major factor in how quickly and effectively a business can recover depends on how well it is able to communicate during a disaster: with employees, of course, but also other stakeholders, including business partners, families of employees, neighbouring communities, government agencies and even the public as a whole.

In an age dominated by social media, communication has become a zero-sum game that can easily spiral out of control.

Too often, companies focus on planning for a disaster, a fire or a ransomware attack, for example, without taking into account the bigger picture.

Building resilience is critical because the likelihood of something unexpected is exaggerated in today’s environment.

Business continuity management has become a profession, and can no longer realistically be allocated to a manager as an add-on portfolio; increasingly companies are engaging with third-party service providers for part or all of their needs.


The Management and Staff at ContinuitySA wish you, our readers, a very Happy Holiday season and a peaceful and prosperous New Year.