Regular testing is critical for the DWP getting the right answers from its BC and DR capabilities, says Databarracks
At the end of March, the Department for Work and Pensions (DWP) put out a prior information notice, looking for a supplier to help ensure its business continuity and crisis management plans are fit for purpose. In response, disaster recovery specialist Databarracks recommends a number of practices the DWP and other public sector organisations can undertake in order to improve their resilience capabilities. Peter Groucutt, managing director of Databarracks, commented:
"IT Disaster Recovery (DR) and Business Continuity (BC) strategies must always be reviewed, so it's fantastic to see big public sector departments like DWP seeking to improve their plans. It's a vital time to be updating plans as the security landscape is evolving significantly. While they probably featured in previous plans, cyber threats should undoubtedly be considered much more prominently in disaster recovery planning now, with strategies to account for both ransomware and malicious attacks.
"Testing of disaster recovery and business continuity plans is critical to the success of any organisation looking to improve their resilience. Even smaller organisations should be performing regular testing, with full recoveries at least annually and more frequent tabletop tests to cover specific scenarios.
"One piece of advice we would give organisations is to plan for impact, but test for scenarios. In other words, businesses should write their DR plan with a broad scope to handle the various different impacts that a continuity event might have on their organisation, such as IT downtime or inability to access the office. By doing this, it means that the plan itself will be comprehensive and cover every eventuality rather than trying to address a large number of specific scenarios.
"At this point tabletop testing becomes useful – you can throw very specific scenarios at the plan and see how you will cope. It's a practical way to work through different scenarios without the time commitment of a full test and it helps to identify any gaps you may have in the plan, as well as helping to keep all contact information up to date."
Groucutt goes on to discuss the growing importance of planning for cyber-attacks: "When developing your scenarios, it's vital that you consider malicious cyber-attacks in your planning. It's a threat we're seeing affect more and more organisations, but the risk can be reduced through thorough testing and having a comprehensive disaster recovery plan in place.
"When Sony was hacked last year it was revealed that there wasn't a plan in place for this kind of cyber-attack, which meant they were offline for an extended period as they dealt with the incident. That kind of downtime is hard to come back from for any organisation, but for a significant government department like DWP, it would be catastrophic.
"Another area to consider is the growth in use of cloud services. We can see from DWP's G-Cloud spending that they have been investing in cloud services, which is unsurprising. Cloud services are able to afford organisations a lot of opportunity for growth and increased efficiency. In many cases greater use of cloud services improves resiliency. An incident that occurs at your site for instance won't affect the cloud service you are using. This doesn't mean that they should not be taken into account within your planning. Your cloud services may connect to on-premise IT or require authentication if users are logging in from new devices as would be the case in a disaster, so it's important that cloud services are factored into your plans."