The recent Russia/Georgia conflict made me wonder last night how prepared businesses, which are located in so-called political hot spots, are when it comes to the continuation, and subsequent restoration, of their business when faced with a regional, national or international military conflict. Living in North America, the thought of an invasion by a foreign power is low on my list of threats to think about managing. However, if you live in Georgia (the country, not the state) or Estonia, it is a threat to the operation of your business that you probably wished you could have planned for.
Can we, as information security practitioners, really hope to build a business continuity plan (BCP) that would allow us to keep our business running in a time of war? How could you plan to move operations to a cold/warm/hot site if it's located in the same town/city/country/region? Could you draft a disaster recovery (DR) plan to ensure the restoration of your business operations? What makes you think that you’ll be able to get the hardware/software/people/location/internet/power needed to get your business back up in a timely manner?
I know most will argue that keeping your business going in a time of war is very low on the priority list and that human life is a greater concern. I completely agree. The fact is, however, that business continuity is a requirement of business operations and we must, during our risk exercises, plan for the worst-case scenario. I think that war is really the worst-case scenario, but I have yet to see a BCP/DR that has a section on “Dealing with Armed Conflict”.