It is important for organizations to have the knowledge and ability to continue business despite environmental conditions. “The show must go on” is a phrase often used in theater, but is just as true, if not more so, in business. Business continuity (BC) involves preparation for all business functionality to continue in the event of a major disruption or disaster (Gibson, 2015). Internal and external threats such as negligence, cyber-attacks and natural disasters are examples of things that could lead to such a disruption and impede normal business operations. To ensure the best chance at business continuity, organizations must develop a business continuity plan (BCP). A business continuity plan is a documented plan that helps an organization prepare for the ability to continue operations during a period of emergency or disaster.
For the information technology (IT) manager of the only print shop in the small town of Cascade, Idaho, business continuity is vital to sustainability. The shop is connected to the internet by satellite link. Orders are received via the internet as well as from walk-in customers with portable storage drives or smartphones that can transfer files via Bluetooth. Business could withstand a few hours of downtime, but an interruption of a few days or more could be crippling. A good business continuity plan should be well thought-out and constructed to include analyzing threats, mitigating risks, personnel training and strategies for improvement.
Internal and External Threats
Threat assessments are important for knowing what the possible threats to an organization are. A threat is anything that represents a possible danger (Gibson, 2015). Threats can be anything that exploits a vulnerability to obtain, damage, or destroy an asset. There are three main types of threats: natural, unintentional and intentional. Also, when evaluating threats, it is important to note that threats can be internal or external.
Internal threats originate from within the organization, such as from employees. Humans are the weakest link in any cybersecurity operation. Sometimes these are disgruntled employees. In other cases, employees unknowingly or accidentally pose an internal security threat. Some of the most probable internal security threats include malicious cyberattacks, social engineering, malicious downloads, information leakage and illegal activities (Whittle, 2008).
External threats come from outside of the organization. Most often these are a result of the environment where the organization operates. These can also include humans such as customers, social engineers and hackers. Network security threats and natural disasters are also probable external threats. As with internal threats, these external threats could also be intentional or unintentional.
When managing risk, it is important to follow good risk management practices, which also requires a good risk management plan. After identifying the threats, the risks should also be assessed. This includes analyzing the likelihood of occurrence. Next, steps should be taken to avoid or reduce risks. Lastly, risk mitigation would be addressed in order to limit the impact of the risks. It’s hard to predict when a cybersecurity attack will occur. Physical location may not always increase the probability of an attack. However, the strength of the cybersecurity infrastructure could very well play a role in the likelihood of a successful attack and penetration. Natural disasters are also hard to predict, but geographical location allows for preparation for disasters common to an area. All of this may seem quite expensive to a small business, but it is important to understand the investment. As reported by the Federal Emergency Management Agency (FEMA) in Idaho, each $1 spent on mitigation can save $6 on disaster recovery (Federal Emergency Management Agency, 2018).
For a small-town print shop in Cascade, Idaho that heavily relies on electronic and network operations, there are several risks. Internet usage, harmful websites, email phishing and viruses are all common security concerns for most modern businesses. Portable storage drives can contain malware, with or without the customer's knowledge. Some devices are also very small, so they can be easily forgotten or left unattended. Bluetooth technology is very convenient, but also has its risks. It is relatively safe compared to Wireless Fidelity (Wi-Fi) but not foolproof or impenetrable. Common Bluetooth attack methods include BlueBorne, Bluebugging, Bluejacking and Bluesnarfing. Bluetooth range is farther than most people think. An attacker could be not only inside the shop but also outside the shop in a nearby location. Customers are likely to be more at risk for a Bluetooth attack, but an organization does not want to be associated in any way with this type of occurrence. Satellite link internet is perfect for getting signal in remote areas, especially where cable and digital subscriber line (DSL) are unavailable. Yet, it too has its risks. Speeds are slower than cable and DSL, and severe weather can affect the signal.
Natural disaster risks include floods, earthquakes and wildfires (Idaho Office of Emergency Management, 2016). Cascade, ID is located near Lake Cascade, the Payette River and on the south end of the Wallowa-Whitman National Forest and Payette National Forest. Flooding and wildfires are a definite high-risk concern. The Fiberpipe data center is in Boise, ID and will be used for data backup and recovery. It will also function as a hot site for recovery.
Personnel training is very important to protect against security risks. Security training for employees should be provided when hired and ongoing at least once per year. Social engineering is a likely risk and employees can be trained on what to look out for. Internet and email safety along with Bluetooth training is a must for personnel. Signs should also be posted and visible for customers so that they stay safe. This will benefit customers and the organization. An outside firm can be contracted to secretly test employees against potential risks. This will give immediate feedback and allow action to be taken to prevent damage that could have occurred in a real-world scenario. Employees will be required to take and pass cybersecurity tests in conjunction with ongoing training. Emergency preparedness and awareness will also include practice drills.
Strategies for Improvement
There is always room for improvement. It may be impossible to predict every single scenario and all the different factors that may cause or result in a business interruption. No business continuity plan is perfect. Furthermore, a BCP must be reviewed and revised in order to be current and the most successful. Consequently, organizations should have strategies for continually improving the quality and effectiveness of the BCP. Submitting the BCP to an outside organization for peer review can always bring additional insight as a “second set of eyes”. Reviewing the BCPs of similar organizations and other organizations in the area also gives a broader scope of ideas for revisions. Gathering best practices from organizations that experienced situations where the BCP had to be implemented gives invaluable feedback to understand what worked and what didn’t work. Quarterly drills and practice runs are always beneficial so that real scenarios are not one hundred percent new and unfamiliar. There’s no such thing as being too prepared and there’s always room for improvement.
- Federal Emergency Management Agency. (2018, March 13). 30 Years of Hazard Mitigation, FEMA and the State of Idaho highlight local success stories | FEMA.gov. Retrieved from https://www.fema.gov/news-release/2018/03/13/30-years-hazard-mitigation-fema-and-state-idaho-highlight-local-success
- Gibson, D. (2015). Managing risk in information systems (2nd ed.). Burlington, MA: Jones &
- Idaho Office of Emergency Management. (2016). Idaho Disaster History. Retrieved from
- Whittle, S. (2008, March 10). The top five internal security threats | ZDNet. Retrieved from