Business Continuity Plan for Shopify to Maintain Information Security
Question
Task: Draft a 2000-word equivalent report about the use of an appropriate business continuity plan for Shopify to ensure the continuity of critical business processes/operations during the time of emergency/disaster.
Answer
Introduction
Information security breaches and attacks are occurring with increasing frequency. One such incident was reported at Shopify, a Canadian e-commerce company. The organization is a large, multinational firm that supports over a million registered merchants across 175 countries. The breach at Shopify was reported in the last week of September 2020. It was an internal data breach that exposed the personally identifiable information of over 200 users. Its impact was significant: the company's stock dropped by 1.27% on the New York Stock Exchange (Adler, 2020).
The breach was carried out by two of Shopify's own employees. There are various measures the organization can take to prevent such risks, and business continuity must never be disrupted even if similar attacks occur in the future. The business continuity plan developed here comprises the actions and mechanisms that can be followed to ensure that business continuity is always maintained.
Risk Management Plan
To determine the risk management plan and strategies for Shopify, it is first necessary to identify the significant assets of the organization that must be protected. The primary asset of the firm is its information and data sets. Shopify serves more than 1,000,000 businesses in over 175 countries, and each of these businesses generates a great deal of data, including customer information, sales data, employee information, product details, and more (Cheng et al., 2016). All of these data sets are highly relevant to the organization, as business decision-making and strategy depend on them. Millions of customers across the globe are associated with Shopify; these customers are significant assets, along with the 5000+ employees of the organization. The physical tools and hardware used by the organization are also a major asset.
Various standards have been defined for information security and controls. ISO and NIST will be used as the two standards for maintaining continuity and managing risks. The plan built on them is described below.
The risk management plan devised for Shopify comprises six stages, listed and described below.
- Identification: The first step is the identification of risks. Shopify has a presence in more than 175 countries, so a risk identification survey shall be conducted across all locations to determine the risks in each category: resource risks, market risks, information security risks, technical risks, legal risks, etc. A list of risks is prepared in this step.
- Analysis: The second step is a detailed analysis of the identified risks. Probability and impact scores are assigned to each risk by qualitative analysis, which determines the level of each risk (Sadgrove, 2016).
- Evaluation: The identified and analysed risks are evaluated to determine their priority levels. Each risk is mapped to a priority level so that Shopify understands which risk management techniques to apply and in what order.
- Treatment: In this step, every risk evaluated as not acceptable is mapped to a treatment strategy, such as mitigation, avoidance, or transfer (Anderson, 2015).
- Control: The risks are treated according to their treatment strategy and control measures are put in place. The risks are monitored to confirm that the controls are effective.
- Closure: Risks on which the treatment strategy has been effectively applied are marked as closed.
The above steps will allow Shopify to ensure that risks are properly handled and managed. Adequate management of the risks gives the organization the ability to properly control and treat them, which in turn ensures that the continuity of business operations is maintained.
The risk register for Shopify has been developed using the steps described above. Probability and impact scores are allocated on a scale of 1 to 5, where 1 is the lowest possible value and 5 the highest. The risk score is the product of the probability and impact values.
| ID | Risk | Probability | Impact | Score | Treatment/Response |
|---|---|---|---|---|---|
| 1 | Changes in customer interests | 3 | 4 | 12 | Mitigation |
| 2 | Information security and privacy violations | 4 | 4 | 16 | Avoidance and Mitigation |
| 3 | Ethical non-compliance | 1 | 5 | 5 | Avoidance |
| 4 | Legal non-compliance | 1 | 5 | 5 | Avoidance |
| 5 | Low resource productivity | 2 | 4 | 8 | Avoidance |
| 6 | Communication gaps | 3 | 3 | 9 | Avoidance |
| 7 | Increased competition in the market | 3 | 4 | 12 | Acceptance |
| 8 | Delays from suppliers' end | 2 | 4 | 8 | Transfer |
| 9 | Changes in political scenarios and policies | 1 | 3 | 3 | Acceptance |
| 10 | Operational mistakes | 2 | 3 | 6 | Avoidance |
Business Impact Analysis
To conduct the impact analysis of the various business operations and risk situations at Shopify, it is necessary to analyse the stakeholders associated with the organization. The internal and external stakeholders of Shopify are analysed below.
| Stakeholder | Type | Level of Interest | Level of Impact | Level of Influence |
|---|---|---|---|---|
| CEO – Tobias Lütke | Internal | High | High | High |
| Board Members of Shopify | Internal | High | High | High |
| Subsidiaries | External | High | Moderate | Moderate |
| Business Partners | External | High | High | High |
| Customer Groups | External | Moderate | Moderate | High |
| Employees | Internal | Moderate | Moderate | Low |
| Suppliers | External | Moderate | Moderate | Low |
| Competitors | External | High | Moderate | Moderate |
| Regulatory Boards and Agencies | External | Low | Low | High |
The business stakeholders are analysed and classified as internal or external, and each is mapped to interest, impact, and influence levels of low, moderate, or high. When business risks or cybersecurity issues such as the one detected in September 2020 occur, the impacts on these stakeholders can be significant (Heng, 2015). To keep the impact under control, risks must be avoided in the first place. Should a risk materialize, contingency plans must be in place alongside the execution of disaster recovery plans. This provides the ability to mitigate the risks and control the resulting impacts on Shopify's stakeholders.
Disaster Recovery Plan
In spite of the risk management and control strategies implemented in the organization, certain issues and challenges may still arise. A disaster recovery plan is therefore necessary so that recovery from risk and disaster situations can be carried out.
The most significant recovery measures are those for the computerized systems and information sets. Shopify must maintain data backups at all times, using automated tools so that backups are taken at regular intervals (Kliem & Richie, 2016). Computing devices shall be fitted with trackers so that a device can be located if it is lost or stolen.
Alternate tools that can replace the tools in use shall also be available, which keeps application and computing downtime low in the event of a security attack. Integrated disaster recovery tools and controls have also been developed; Shopify shall use these integrated tools to ensure that recovery from any disaster can be achieved.
The Recovery Time Objective (RTO) for the systems is set at 3 hours: systems must be back up and running within a maximum of three hours after a service disruption. The Recovery Point Objective (RPO), weighed against backup costs, is set at 18 hours, so no more than 18 hours of data may be lost in a disaster.
Audits and compliance checks shall be conducted to ensure that legal and regulatory compliance is maintained, and improvement checks and exercises shall be carried out to close any gaps found.
Crisis Communication Plan
Various risks and issues may arise for Shopify in the future. One of the most significant aspects to maintain in any business situation is communication. Communication must be maintained during a crisis so that all stakeholders are aware of the ongoing activities.
For this purpose, multiple communication modes must be used, and Shopify's internal and external communication mechanisms must be in place. Email shall be used to share information with internal and external members. Significant announcements can also be made on the organization's social networking channels (Mohammed et al., 2019); social media is now one of the most preferred channels, and information about a specific risk or issue shall be circulated on these platforms. Significant focus must also be placed on reports and documents: their sharing must be maintained so that detailed information on the risk and crisis situation reaches the stakeholders of the organization.
Incident Response Management Plan
Another major aspect of the business firm is incident response and management. Shopify must use the approach described below to respond to incidents properly.
Before incident management is carried out, Shopify must perform effective incident planning. An incident management plan shall be developed, with tools and processes in place to ensure that planning is effective. The next step is to defend against incidents. Risk assessments and analysis must be performed to determine the risk scenarios that may occur, and operational exercises and audits conducted to identify possible risk situations. Network defense mechanisms shall also be in place (Bhandari et al., 2015).
The next step is to identify incidents. The organization has specific customer service channels, and an incident may be reported through these channels or through internal reporting. In addition, the organization must run analytics procedures so that network and threat analysis can be carried out. Analysing these aspects with predictive and descriptive analytical measures provides the ability to identify specific incidents.
Once incidents are identified, Shopify shall act on them by carrying out reporting and analysis activities. A detailed analysis must be performed and a response provided for each reported incident. The incident may be analysed through either qualitative or quantitative measures.
The final aspect is maintenance. Program management mechanisms and processes shall be carried out to ensure that ongoing services and activities are not disrupted, and development mechanisms and processes shall be carried out as well. These provide the means to ensure that business continuity is always maintained in the organization. The incident response strategies must be implemented so that effective handling and control are achieved.
Conclusion
Business continuity is an important aspect of any business organization. The inability to provide continual business services and operations can lead to significant risks for the organization, so measures must be identified to control and manage the risk situations associated with the firm. The security incident at Shopify did not have massive impacts; however, the organization's stock price dropped and the privacy of over 200 users was put at stake. Repeated incidents of this kind can negatively influence customers and other stakeholder groups. It is therefore necessary that business risks and incidents are properly managed. With the implementation of the business continuity plan, effective management and control of the business processes can be achieved at all times.
References
Adler, S. (2020, September 25). Incident Of The Week: Shopify Internal Data Breach Exemplifies Insider Threat Trend. Cyber Security Hub. https://www.cshub.com/attacks/articles/incident-of-the-week-shopify-internal-data-breach-exemplifies-insider-threat-trend
Anderson, E. J. (2015). Business risk management: Models and analysis. Wiley.
Bhandari, R. B., Owen, C., & Trist, C. (2015). Incident Management Approaches above the Incident Management Team Level in Australia. Journal of Homeland Security and Emergency Management, 12(1). https://doi.org/10.1515/jhsem-2013-0054
Cheng, L.-C., Carrillo, E., & Gibson, M. (2016). Applying the project management principles for risk management plan in chemical industry. International Journal of Strategic Management, 16(2), 71–76. https://doi.org/10.18374/ijsm-16-2.7
Heng, G. M. (2015). Business Continuity Management Planning Methodology. International Journal of Disaster Recovery and Business Continuity, 6, 9–16. https://doi.org/10.14257/ijdrbc.2015.6.02
Kliem, R. L., & Richie, G. D. (2016). Business continuity planning: A project management approach. CRC Press.
Mohammed, S., Mohammed, S., & Fiaidhi, J. (2019). Business Continuity Planning and Learning Based on an Extension to the JDL Data Fusion Model. International Journal of Disaster Recovery and Business Continuity, 10, 1–6. https://doi.org/10.33832/ijdrbc.2019.10.01
Sadgrove, K. (2016). The complete guide to business risk management. Routledge.