How to build an IT resiliency plan for your business

In the event of a technology failure, an IT resiliency plan can help you maintain operations and keep your organization safe.

If the technology at your organization should fail—whether as the result of a natural disaster, malware attack, or fraudulent activity—do you have a plan to help you recover quickly and sustain business operations?

Nearly every business today depends on technology, even if it’s simply a website that posts a company’s hours and address.

“This has been the case for a while now, but the pandemic has really brought out the fact that technology is so fundamentally important to business operations,” says Amber Buening, Security Outreach Director at Huntington. “There isn’t much we do anymore that isn’t online or plugged into some IT system, especially with so many employees continuing to work remotely.”

With so many people and processes relying on technology, any interruption can be disastrous for a business. Developing a strong IT resiliency plan can help keep your organization running and your assets secure.

Preparing for a technology failure after a disaster or cybersecurity attack

Companies should take a risk management approach in preparing for a technology failure. An IT resiliency plan should address cybersecurity and business continuity needs, incident response plans, and disaster recovery procedures.

The National Institute of Standards and Technology (NIST) developed a framework for protecting critical infrastructure against natural and cybersecurity risks, which includes the following pillars:

1. Identify

Consider the data and assets at your company that could be at risk.

  • What sensitive data do you have, and what data do you need to protect?
  • If you outsource any aspect of your business, who do you share data with, and how is that protected?
  • If you have employees, what data have you collected that you’re obligated to protect, such as healthcare information and bank account information for direct deposit of paychecks?

Take an inventory of the systems your organization relies upon. Knowing the computers, devices, and software you have is necessary for insurance purposes in the case of disaster. This information is also helpful if one of your organization’s operating systems or applications is compromised.

2. Protect

Employee education is one of the simplest ways to build a culture that prioritizes cybersecurity. Train employees on safety issues, backing up data, and email security best practices. Be sure to update operating systems and applications with the most recent versions and patch when new versions become available.

3. Detect

Set up tools to detect intrusions into your systems, and integrate checks and balances into all processes. Also, ensure antivirus, endpoint encryption, and data loss prevention software are up to date.

A business continuity plan and a communication plan are critical in remaining vigilant. Periodically review these plans and make sure the right people within your organization know the answers to questions such as:

  • What happens if malware gets on computers?
  • What if there is a ransomware demand?
  • What if there is a situation where remote or in-person operations are interrupted?

Exercise your plans to relocate employees in the event of a disaster. Gather lessons learned and improve the processes and procedures.

4. Respond

When a crisis emerges, it’s crucial to revisit the plans you created—and practiced—to respond strategically.

“No plan survives first contact with the enemy, and you will never have a plan that perfectly fits whatever malfeasance comes to you,” says Buening. “But having a plan in place will greatly benefit you and ensure your business can continue.”

Be prepared to assess your response once the crisis has been resolved to refine your plan for future disasters or interruptions to operations.

In the instance of a data breach, you will also need a communication plan for when the media comes calling. Make sure you are prepared to make a statement and plan to contact any individuals affected by the breach when needed.

5. Recover

Once you’ve created a plan and are confident it covers every contingency, the final step is to bring in an outside expert to conduct an audit of your plan.

“Even if you think you did a great job, have someone conduct an audit,” says Buening. “It’s rare to pass an audit with flying colors, and the results will give you a lot of things to improve on.”

Every test or audit provides valuable insights that can be applied to make your plan and business safer.

Cybersecurity liability insurance can also help ensure your business survives. Under a cybersecurity liability policy, experts will come in to help you get your business back up and running after a technology failure or breach.

Keeping your business assets and data safe

To keep technology functioning and your company running smoothly, Buening recommends the following:

  • Put appropriate cybersecurity practices in place, such as keeping your operating system up to date and applying patches as they become available.
  • Educate your employees. Teach them about phishing scams and warn them against clicking on links from unknown sources. “If you haven’t done that, even buying a multimillion-dollar protection system won’t help you,” says Buening. “Your employees can be the weakest link.”
  • Encourage your employees to use unique passwords. People often use the same or similar passwords across multiple accounts, so stress the importance of this practice. Create strong passwords unique to each account and use a password manager to reduce your risk of vulnerability.

“Cybersecurity and IT resiliency are risk management,” says Buening. “You can’t eliminate the risk, but you can manage it. And if you can manage it correctly, you can minimize the risk of being a victim.”

For more information on managing risk to your company’s technology infrastructure, reach out to your relationship manager.

Framework for Improving Critical Information Cybersecurity. National Institute of Standards and Technology, United States Department of Commerce. Accessed August 18, 2022.
