Plan for attack even if you don't feel you have to

"In the wise leaders plans considerations of advantage and of disadvantage blend."
If you've never been attacked, that's great. But the fact that you've never been attacked is not evidence that you never will be attacked.
If you have an internet presence and information of value, then you're a possible target. In your business-continuity planning, you should consider scenarios of electronic attack through malware or breach by a human attacker.
Following Sun Tzu's advice, the best time to plan for your disadvantaged state is when you're in an advantaged state. That is, do it before you're (finally) attacked.
Conduct a business-impact analysis to identify and prioritise your critical ICT systems. Learn the impacts to your business and how long your systems can be down. Determine your recovery priorities because, under attack, you won't have the resources to bring all systems back on line at the same time.
Review your preventive, detective, and correction controls for adequacy against the attack scenarios. Finally, develop and test your recovery strategies.
For more information, visit the Business Continuity Institute.
![]() |
The time to plan for attack is when you don't have to. |