
4/21/2020


Business Continuity in the Midst of COVID-19

What You Need to Know

To Receive CPE Credit

• Individuals
  • Participate in entire webinar
  • Answer polls when they are provided
• Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete group attendance form
  • Group leader sign bottom of form
  • Submit group attendance form to [email protected] within 24 hours of webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar


Rex Johnson, CISSP®, CISA®, CIPT, PMP®, PCIP™, QSA
Director
BKD [email protected]

Agenda

• What Is Business Continuity?

• The Game-Changer – COVID-19

• Adapting to the “New Normal”

• Case Study


What Is Business Continuity?

Definition of Business Continuity (BC)

“Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible”

Source: The Business Continuity Institute (BCI) https://www.thebci.org/knowledge/introduction-to-business-continuity.html


Key Success Traits of a BC Plan

• Maintaining, resuming & recovering the business
• This is not just the recovery of the technology
• Planned enterprisewide
• Contain a business impact analysis (BIA)
• Disaster recovery plan
• Incident response plan
• Pandemic plan
• Be periodically reviewed & updated

Implementation

Business Impact Analysis (BIA)

• The BIA identifies the BC requirements
• Identifies the urgency of each activity by assessing the impact over time caused by potential or actual disruption
• Includes
  • Impact analysis
  • Risk assessment
  • Final analysis & consolidation

Source: The Business Continuity Institute (BCI) Good Practice Guidelines, 2018 Lite Edition


The BC Plan Must Identify

• ALL business processes
• “Mission critical” functions within each business process
• The potential threats & impact by business process
• Supporting technology systems mapped to business processes & mission critical functions
• Viable business process risk scenarios, by grouping (natural, technical, social, human)
• Estimated dollar-loss for each viable business process risk scenario

Incident Response or Disaster Recovery

Incident Response

• Managing the aftermath of a breach, attack or serious event
• Goal is to limit damage & reduce the recovery time & cost
• Can lead to disaster recovery

Disaster Recovery

• Actions to take when a serious incident occurs
• Direct impact on business continuity
• Focuses on bringing back the production environment

Sources:
https://security.stackexchange.com/questions/50944/what-is-the-incident-plan-and-disaster-recovery-plan-for-fire
https://www.nakivo.com/blog/key-principles-of-incident-response-and-disaster-recovery/

Business Continuity


The Game-Changer

Traditional Business Continuity

• Considers an impact to one office or a geographic location
  • Natural disaster such as a hurricane
  • Power outage
  • Cyberattack
• This means another office takes on the work
• Look to resolve & restore operations
  • Emergency relief
  • Back-up facility
  • Pay the ransom
  • Regain “reputational loss”


COVID-19 Timeline

• Chinese Health Officials inform WHO about 41 patients with mysterious pneumonia connected to Huanan Seafood Wholesale Market
• China records first death
• World Health Organization (WHO) declares global public health emergency
• First death outside China (Philippines)
• United States has first death within borders
• CDC recommends no gatherings of 50 people or more
• Almost all U.S. states have declared national emergency
• 12 states issue stay-at-home orders. This means 50% of Americans are in lockdown
• Trump signs $2 trillion stimulus bill into law to respond to the COVID-19 pandemic
• Death toll in China surpasses SARS (811 deaths)
• United States declares a national emergency
• President Trump recommends no gatherings of 10 people or more
• New York reports 21,000 cases
• United States rises above 200,000 cases
• United States passes China in total confirmed cases reaching 82,404 cases

Date labels on the timeline: DEC 31, JAN 11, JAN 30, FEB 2, FEB 9, FEB 29, MAR 13, MAR 15, MAR 17, MAR 19, MAR 23, MAR 26, MAR 27, APR 1

How Is This Different?

Traditional

• Consider only a portion of facilities being impacted

• Operations would resume at other company locations

• Provide a means to restore data

• Could follow the playbook of a prewritten plan

COVID-19

• All locations were impacted

• Organizations had to adjust to remote workers

• Data was not directly impacted

• Most BC plans were not the right fit; consider elements from various plans


North America in Comparison*

                                                         North America   Global
Active Incident Management Team                          77.3%           70.9%
Plan Sustainable over a Pandemic                         66.2%           60.9%
Reviewed Supplier’s BC Plan for Continuity of Service    60.5%           66.6%
Changed Suppliers to Ensure Continuity                   25.9%           18.2%
Transferred Meetings to Conference Calls                 92.7%           87.4%
Reviewed Cybersecurity Measures for Working from Home    85.4%           78.5%
Ensured IT Capabilities Cover Peak & Nonpeak Times       82.7%           78.7%
Implemented Global Travel Bans                           85.5%           77.8%

* As of the date of the study
Source: The BCI Coronavirus Organizational Preparedness Report, March 20, 2020

Adapting to the “New Normal”


Key Considerations in COVID-19 BC Plan

• Proactivity
  • Monitoring outbreak updates
  • Communication to workforce
• Identify firm process & controls during the incident
• Ability to continue operation without physical location
• Continuous testing of the plan & ability to continue operations remotely

Source: ACA Compliance Group, “Guidance on Business Continuity and Disaster Recovery Planning for Coronavirus Disease 2019 (COVID-19)” https://www.acacompliancegroup.com/blog/guidance-business-continuity-and-disaster-recovery-planning-coronavirus-disease-2019-covid-19

CIOs Share Insight

• Technology enablement
  • Make sure employees have tools
  • Data access & productivity technologies
• Capacity management
  • Cloud-based technologies
  • Additional VPN servers
  • Recommending 50 Mbps for video conferencing
• Culture
  • Set expectations
  • Demonstrate how to use the technologies
  • Help HR provide communication channels
• Security
  • Ensure up-to-date passwords
  • Training on how to access the system
  • Actively monitoring events on extended network

Source: CMS Wire, “CIOs Share Business Continuity Plans Amid COVID-19 Pandemic” https://www.cmswire.com/digital-workplace/cios-share-business-continuity-plans-amid-covid-19-pandemic/


Using Approved Technology

• Shadow IT is the use of technology that is acquired outside of the normal procurement channels
• Risky as it has not gone through security review
• Cybercriminals are aware of common exploits to certain technology
• Check with your organization if you are using something nonstandard

Sources:
Gartner IT Glossary, https://www.gartner.com/it-glossary/shadow
https://www.rutter-net.com/blog/4-security-risks-of-shadow-it

Rise in Cyberattacks

• Online threats have risen over the course of COVID-19
• Phishing attempts were up 600%
• Cybercriminals attacking those working from home
  • Organizations may not have provided technology
  • May have less sophisticated defenses
  • Exploit sense of concern or panic
• Weak passwords are a primary method to attain access to sensitive data

Sources:
Infosecurity Magazine https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/
World Economic Forum https://www.weforum.org/agenda/2020/03/covid-19-cyberattacks-working-from-home/


Fake Sites

• Site set up by cybercriminals
• Pretending to be legitimate & beneficial organizations
• Collecting personal information
• In some cases getting payments
• Cybercrime is the primary motive for attacks

Source: Trendmicro https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains


Be Extra Diligent on Links

Differences Used            Fake Link
• Misspelling               https://mycompeny.com/
• Separate domain ending    https://mycompany.fraudsite.com
• Inserted characters       https://mycompany1993.com
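
The three differences listed on this slide can be checked mechanically, for example in a mail or proxy filter. The Python sketch below is an added example, not part of the original presentation; it assumes the real domain is mycompany.com (inferred from the slide's fake links) and approximates the registrable domain as the last two host labels instead of consulting the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: the organization's real domain, inferred from the slide's fake links.
TRUSTED = "mycompany.com"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted: str = TRUSTED) -> str:
    """Label a URL with one of the slide's three differences, or 'trusted' / 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]
    labels = host.split(".")
    # Simplification (assumption): the label before the final one is the
    # registrable name. Production code should use the Public Suffix List.
    registrable = labels[-2] if len(labels) >= 2 else host
    # Real name used as a subdomain of another domain, or under another ending.
    if brand in labels[:-2] or registrable == brand:
        return "separate domain ending"
    # Real name embedded in a longer registrable name.
    if brand in registrable:
        return "inserted characters"
    # One or two character edits away from the real name.
    if edit_distance(registrable, brand) <= 2:
        return "misspelling"
    return "unrelated"


# The three fake links shown on the slide.
SLIDE_LINKS = [
    "https://mycompeny.com/",
    "https://mycompany.fraudsite.com",
    "https://mycompany1993.com",
]

if __name__ == "__main__":
    for link in SLIDE_LINKS:
        print(f"{link:35} {classify_link(link)}")
```
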

Remote Work Environment Considerations

• Equipment
• Access & capacity
• Device security
• Phone system & conference call options
• Bring your own device
• Confidentiality of sensitive information
• Workspace


Case Study

U.S.-Based Organization

• Approximately 40 physical offices

• Several thousand employees

• Majority of administrative & support staff worked in physical offices or at client locations

• Clients in all 50 states

• When COVID-19 first materialized in the U.S. they had to implement a plan appropriate for all their physical offices


Which Plan Can We Use

• Acute Disaster – Fire, earthquake or hurricane. Limited, as it implies loss of individual facilities
• Data Recovery Plan – Loss of infrastructure, or a data center going down. But IT & data were not directly affected
• Remote Office Plan – Designed for a scenario where employees could not come into the office. While not a 100% fit, was the best written plan for COVID-19

None of these plans considered an entire organization having to be remote!

Assembling the Right Team

• Plan had a response team designated
• Did not have the right mixture to address this situation
• Decision to only include those with a real purpose on the team
• Representation from key areas
  • Information technology
  • Procurement
  • Accounting
  • Executive management


Adopted a Staged Approach

• Considered a regional approach to execution

• U.S. government did not have entire country go to the highest alert phases at once

• Regional & local offices moved towards the higher phases sequentially

• Allowing for distribution of resources & expansion of VPN & remote access

• Some offices in middle of country took longer to understand the impact

Remote Workers Needed

• Some in the organization using desktops rather than laptops
• Those who travel as part of their job – easier transition
• Transition for those who work in office every day
• Expanding the VPN capabilities (3x what was anticipated)
• Consideration for office equipment/software needed
  • Printers
  • Scanners
  • Monitors
  • Virtual meeting capabilities


Case Study Cyberattack

• Almost immediately, a phishing email went out to several employees
• Claimed to be from the CEO
• Promised guidance to assist employees
• Two giveaways
  • Caution banner on external emails
  • Email extension was not similar to the organization’s
• Quickly intercepted by leadership sending notices that the email was not legitimate

Other Considerations

• Had placed orders for additional equipment
  • Accommodate for remote workers
  • However, priority would go to health care providers & first responders
• Migrated all personnel to softphones for laptop & mobile
• Set up remote support & resource centers
• Established new communication channels
• COVID-19 information & assistance for clients & vendors


The Result

• This organization was able to implement a successful BC plan
• Involvement & clear communication from senior leadership was a key contributor to the plan’s implementation
• Planning & staging the closing of offices
• Providing appropriate technology & infrastructure for a remote workforce
• The company was able to get all locations closed & remote workers set up in less than a week & a half

Wrap-Up


Summary

• Communication & commitment from senior leadership is key!
• Providing updates to the remote team
• Use of only company-approved devices & services
• Remain suspicious of emails that appear urgent
• Retain documentation of activities & events to update the plan during the post-mortem
• Now may be a good time to change your password


QUESTIONS?

Continuing Professional Education (CPE) Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered


CPE Credit

• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

THANK YOU!

For more information

Rex Johnson | [email protected]