4/21/2020
Business Continuity in the Midst of COVID-19
What You Need to Know

To Receive CPE Credit
• Individuals
  • Participate in entire webinar
  • Answer polls when they are provided
• Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete group attendance form
  • Group leader sign bottom of form
  • Submit group attendance form to [email protected] within 24 hours of webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar
Rex Johnson, CISSP®, CISA®, CIPT, PMP®, PCIP™, QSA
Director
BKD [email protected]

Agenda
• What Is Business Continuity?
• The Game-Changer – COVID-19
• Adapting to the “New Normal”
• Case Study
What Is Business Continuity?
Definition of Business Continuity (BC)
“Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible”
Source: The Business Continuity Institute (BCI) https://www.thebci.org/knowledge/introduction-to-business-continuity.html
Key Success Traits of a BC Plan
• Maintaining, resuming & recovering the business
• This is not just the recovery of the technology
• Planned enterprisewide
• Contain a business impact analysis (BIA)
• Disaster recovery plan
• Incident response plan
• Pandemic plan
• Be periodically reviewed & updated
Implementation

Business Impact Analysis (BIA)
• The BIA identifies the BC requirements
• Identifies the urgency of each activity by assessing the impact over time caused by potential or actual disruption
• Includes
  • Impact analysis
  • Risk assessment
  • Final analysis & consolidation
Source: The Business Continuity Institute (BCI) Good Practice Guidelines, 2018 Lite Edition
The BC Plan Must Identify
• ALL business processes
• “Mission critical” functions within each business process
• The potential threats & impact by business process
• Supporting technology systems mapped to business processes & mission critical functions
• Viable business process risk scenarios, by grouping (natural, technical, social, human)
• Estimated dollar loss for each viable business process risk scenario

Incident Response or Disaster Recovery
Incident Response
• Managing the aftermath of a breach, attack or serious event
• Goal is to limit damage & reduce the recovery time & cost
• Can lead to disaster recovery
Disaster Recovery
• Actions to take when a serious incident occurs
• Direct impact on business continuity
• Focuses on bringing back the production environment
Sources:
https://security.stackexchange.com/questions/50944/what-is-the-incident-plan-and-disaster-recovery-plan-for-fire
https://www.nakivo.com/blog/key-principles-of-incident-response-and-disaster-recovery/
Business Continuity
The Game-Changer
Traditional Business Continuity
• Considers an impact to one office or a geographic location
  • Natural disaster such as a hurricane
  • Power outage
  • Cyberattack
• This means another office takes on the work
• Look to resolve & restore operations
  • Emergency relief
  • Back-up facility
  • Pay the ransom
  • Regain “reputational loss”
COVID-19 Timeline
• Chinese Health Officials inform WHO about 41 patients with mysterious pneumonia connected to Huanan Seafood Wholesale Market
• China records first death
• World Health Organization (WHO) declares global public health emergency
• First death outside China (Philippines)
• United States has first death within borders
• CDC recommends no gatherings of 50 people or more
• Almost all U.S. states have declared national emergency
• 12 states issue stay-at-home orders. This means 50% of Americans are in lockdown
• Trump signs $2 trillion stimulus bill into law to respond to the COVID-19 pandemic
• Death toll in China surpasses SARS (811 deaths)
• United States declares a national emergency
• President Trump recommends no gatherings of 10 people or more
• New York reports 21,000 cases
• United States rises above 200,000 cases
• United States passes China in total confirmed cases reaching 82,404 cases
Dates on the timeline: DEC 31, JAN 11, JAN 30, FEB 2, FEB 9, FEB 29, MAR 13, MAR 15, MAR 17, MAR 19, MAR 23, MAR 26, MAR 27, APR 1

How Is This Different?
Traditional
• Consider only a portion of facilities being impacted
• Operations would resume at other company locations
• Provide a means to restore data
• Could follow the playbook of a prewritten plan
COVID-19
• All locations were impacted
• Organizations had to adjust to remote workers
• Data was not directly impacted
• Most BC plans were not the right fit; consider elements from various plans
North America in Comparison*

| Measure | North America | Global |
|---|---|---|
| Active Incident Management Team | 77.3% | 70.9% |
| Plan Sustainable over a Pandemic | 66.2% | 60.9% |
| Reviewed Supplier’s BC Plan for Continuity of Service | 60.5% | 66.6% |
| Changed Suppliers to Ensure Continuity | 25.9% | 18.2% |
| Transferred Meetings to Conference Calls | 92.7% | 87.4% |
| Reviewed Cybersecurity Measures for Working from Home | 85.4% | 78.5% |
| Ensured IT Capabilities Cover Peak & Nonpeak Times | 82.7% | 78.7% |
| Implemented Global Travel Bans | 85.5% | 77.8% |

* As of the date of the study
Source: The BCI Coronavirus Organizational Preparedness Report, March 20, 2020
Adapting to the “New Normal”
Key Considerations in COVID-19 BC Plan
• Proactivity
  • Monitoring outbreak updates
  • Communication to workforce
• Identify firm process & controls during the incident
• Ability to continue operation without physical location
• Continuous testing of the plan & ability to continue operations remotely
Source: ACA Compliance Group, “Guidance on Business Continuity and Disaster Recovery Planning for Coronavirus Disease 2019 (COVID-19)” https://www.acacompliancegroup.com/blog/guidance-business-continuity-and-disaster-recovery-planning-coronavirus-disease-2019-covid-19

CIOs Share Insight
• Technology enablement
  • Make sure employees have tools
  • Data access & productivity technologies
• Capacity management
  • Cloud-based technologies
  • Additional VPN servers
  • Recommending 50 Mbps for video conferencing
• Culture
  • Set expectations
  • Demonstrate how to use the technologies
  • Help HR provide communication channels
• Security
  • Ensure up-to-date passwords
  • Training on how to access the system
  • Actively monitoring events on extended network
Source: CMS Wire, “CIOs Share Business Continuity Plans Amid COVID-19 Pandemic” https://www.cmswire.com/digital-workplace/cios-share-business-continuity-plans-amid-covid-19-pandemic/
Using Approved Technology
• Shadow IT is the use of technology that is acquired outside of the normal procurement channels
• Risky as it has not gone through security review
• Cybercriminals are aware of common exploits to certain technology
• Check with your organization if you are using something nonstandard
Sources:
Gartner IT Glossary, https://www.gartner.com/it-glossary/shadow
https://www.rutter-net.com/blog/4-security-risks-of-shadow-it

Rise in Cyberattacks
• Online threats have risen over the course of COVID-19
• Phishing attempts were up 600%
• Cybercriminals attacking those working from home
  • Organizations may not have provided technology
  • May have less sophisticated defenses
  • Exploit sense of concern or panic
• Weak passwords are a primary method to attain access to sensitive data
Sources:
Infosecurity Magazine https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/
World Economic Forum https://www.weforum.org/agenda/2020/03/covid-19-cyberattacks-working-from-home/
Fake Sites
• Site set up by cybercriminals
• Pretending to be legitimate & beneficial organizations
• Collecting personal information
• In some cases getting payments
• Cybercrime is the primary motive for attacks
Source: Trendmicro https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains
Be Extra Diligent on Links

| Differences Used | Fake Link |
|---|---|
| Misspelling | https://mycompeny.com/ |
| Separate domain ending | https://mycompany.fraudsite.com |
| Inserted characters | https://mycompany1993.com |
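
The three differences listed on this slide can be checked mechanically before a link or sender address is trusted. The Python sketch below is an added example, not part of the original slides; it assumes `mycompany.com` is the organization's real domain (the slide shows only the fakes), and the function names and control samples are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = "mycompany.com"  # assumed real domain; the slide lists only the fakes

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Return the lower-cased host of a URL, e-mail address or bare hostname."""
    value = value.strip()
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def classify(value, trusted=TRUSTED):
    """Label a link or sender with the slide's category, or trusted/unrelated."""
    host = host_of(value)
    if not host:
        return "invalid"
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]
    labels = host.split(".")
    # Simplification: treat the last two labels as the registered domain.
    # Multi-part suffixes such as co.uk need a public-suffix list instead.
    registered = labels[-2] if len(labels) >= 2 else labels[0]
    if brand in labels[:-2] or registered == brand:
        return "separate domain ending"   # brand used under someone else's domain
    if brand in registered:
        return "inserted characters"      # brand plus extra characters
    if edit_distance(registered, brand) <= 2:
        return "misspelling"              # one or two typos away from the brand
    return "unrelated"

# Constructed sample input: the slide's three fake links plus control values.
SAMPLES = [
    "https://mycompeny.com/",
    "https://mycompany.fraudsite.com",
    "https://mycompany1993.com",
    "https://portal.mycompany.com/login",
    "ceo@mycompany-mail.net",
]

def triage(values):
    """Map each link or sender address to its verdict."""
    return {value: classify(value) for value in values}

if __name__ == "__main__":
    for value, verdict in triage(SAMPLES).items():
        print(f"{verdict:24} {value}")
```

The check covers only the three patterns on the slide; look-alike Unicode characters and shortened links need separate handling.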

Remote Work Environment Considerations
• Equipment
• Access & capacity
• Device security
• Phone system & conference call options
• Bring your own device
• Confidentiality of sensitive information
• Workspace
Case Study
U.S.-Based Organization
• Approximately 40 physical offices
• Several thousand employees
• Majority of administrative & support staff worked in physical offices or at client locations
• Clients in all 50 states
• When COVID-19 first materialized in the U.S. they had to implement a plan appropriate for all their physical offices
Which Plan Can We Use
• Acute Disaster – Fire, earthquake or hurricane. Limits as it implies loss of individual facilities
• Data Recovery Plan – Loss of infrastructure, or a data center going down. But IT & data were not directly affected
• Remote Office Plan – Designed for a scenario where employees could not come into the office. While not a 100% fit, was the best written plan for COVID-19
None of these plans considered an entire organization having to be remote!

Assembling the Right Team
• Plan had a response team designated
• Did not have the right mixture to address this situation
• Decision to only include those with a real purpose on the team
• Representation from key areas
  • Information technology
  • Procurement
  • Accounting
  • Executive management
Adopted a Staged Approach
• Considered a regional approach to execution
• U.S. government did not have entire country go to the highest alert phases at once
• Regional & local offices moved towards the higher phases sequentially
• Allowing for distribution of resources & expansion of VPN & remote access
• Some offices in middle of country took longer to understand the impact

Remote Workers Needed
• Some in the organization using desktops rather than laptops
• Those who travel as part of their job – easier transition
• Transition for those who work in office everyday
• Expanding the VPN capabilities (3x what was anticipated)
• Consideration for office equipment/software needed
  • Printers
  • Scanners
  • Monitors
  • Virtual meeting capabilities
Case Study Cyberattack
• Almost immediately, a phishing email went out to several employees
• Claimed to be from the CEO
• Promised guidance to assist employees
• Two giveaways
  • Caution banner on external emails
  • Email extension was not similar to the organization’s
• Quickly intercepted by leadership sending notices that the email was not legitimate

Other Considerations
• Had placed orders for additional equipment
  • Accommodate for remote workers
  • However, priority would go to health care providers & first responders
• Migrated all personnel to softphones for laptop & mobile
• Set up remote support & resource centers
• Established new communication channels
• COVID-19 information & assistance for clients & vendors
The Result
• This organization was able to implement a successful BC plan
• Involvement & clear communication from senior leadership was a key contributor to the plan’s implementation
• Planning & staging the closing of offices
• Providing appropriate technology & infrastructure for a remote workforce
• The company was able to get all locations closed & remote workers set up in less than a week & a half
Wrap-Up
Summary
• Communication & commitment from senior leadership is key!
• Providing updates to the remote team
• Use of only company-approved devices & services
• Remain suspicious of emails that appear urgent
• Retain documentation of activities & events to update the plan during the post-mortem
• Now may be a good time to change your password
QUESTIONS?
Continuing Professional Education (CPE) Credit
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org
The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered
CPE Credit
• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

THANK YOU!
For more information
Rex Johnson | [email protected]