Business Continuity Planning is a vital component of business operations. Table Top Exercises (TTX) are necessary to test Business Continuity Plans (BCPs). A TTX is a process typically between one and three hours where executive management business leaders, information technology, information security, marketing, legal and/or other departments/roles depending on the organization. Exercises are usually run annually, with some organizations performing them more frequently based on their risk tolerance.
Testing of the BCP often exposes gaps in business continuity, disaster recovery, and/or incident management response. Indeed, at vCISO Services we have never had an instance when a TTX did not expose some areas for improvement. The opportunity to identify and address gaps before an actual incident is self-evident; when an interruption in continuity takes place, all efforts should be directed to restoring business services as soon as possible.
However, many organizations do not have comprehensive BCPs; of those that do, many do not test the BCPs at least annually with a TTX. This can lead to extended outages and significant expenses should an organization experience a business continuity incident. This is more prevalent with Small and Midsized Businesses (SMBs) who often have limited resources to conduct such exercises, let alone create and maintain an adequate BCP.
Those who do conduct a BCP TTX at least annually do so for one of two reasons (or both): it is required for compliance, and it lowers business risk. In the first case, compliance may mean satisfying SOC2 or other audit requirements or ensuring meeting regulatory guidelines (e.g. FFIEC). Of course compliance doesn’t equate to security, and while compliance risk may be lowered (by checking a compliance box), business risk likely isn’t.
We’ve already noted one way how a comprehensive BCP program can lower business risk by lowering restoration times. Risk of information exposure can also be limited. For example, during a disruption the business may restore operations rapidly but in the process neglect necessary security measures (such as temporarily removing the requirement for Multi Factor Authentication for VPN connections). A longer term risk is realized if one of these shortcut changes is not identified and allowed to continue after “full” recovery is realized.
The exercise does not produce direct business value but does better prepare for disruption. vCISO Services scripts a different scenario for our clients each year based on the current threat environment. In 2019, a large-scale pandemic was the TTX scenario. Those who participated were much better prepared for the COVID-19 outbreak as opposed to organizations who struggled with the sudden need to transition to a remote workforce.
The noted roles above should not only participate in the TTX, they should be fully engaged, otherwise the exercise may fail. Additionally, the audience must not consist of only IT personnel; this is a business issue, not (solely) a technical one. In one case, a TTX attended only by IT personnel ended abruptly in frustration; the IT director saw no need to rehash the gaps “everyone knew existed”, and did not desire to have others in the company participate because the director did not wish other departments, including executive management, to be aware of the gaps. This organization is not prepared for a sudden BCP incident.
Bottom Line: A comprehensive business continuity plan an strategy to include regular testing reduces business risk. Resources should be allocated to fully support the program. Treating it as a check the box exercise or ignoring completely can result in significant and sudden business disruptions and costs.
SMB Considerations: Business continuity planning and testing is not just for large organizations. Businesses of all sizes should have (and test) a comprehensive BCP. In fact, in some aspects it’s more critical to do so, as often SMBs have less cushion to survive a significant interruption in business operations.