The term business continuity refers to the set of activities required to keep an organisation running during a period of displacement or interruption of normal operations.
According to a 2016 study by the Business Continuity Institute, the top ten global threats to business continuity were:
- Cyber attacks
- Data breaches
- Unplanned IT or telecoms outages
- Terrorism
- Security incidents
- Utility supply interruptions
- Supply chain disruption
- Lack of available key skills
- Health and safety incidents
Although terrorism and security incidents may grab the headlines, the risk of cyber attack, data breach or an IT outage is actually much more likely. It is estimated, for example, that cybercrime costs the global economy US $450 billion a year, whilst audit and consulting giant Deloittes have reported (https://dupress.deloitte.com/dup-us-en/deloitte-review/issue-19/loss-of-intellectual-property-ip-breach.html) that the impacts of such an attack go way beyond the known problems such as reputational damage and compliance issues. They note that the true cost of such an attack can take several years to surface, and may include “hidden” effects such as increased insurance premiums, the devaluation of trade names and Intellectual Property (IP), and a loss in customer relationships.
Another study by The Ponemon Institute found that, in 2017, the likelihood of a business suffering a data breach was as high as 1 in 4, whilst airlines, banks and phone companies, as well as public bodies such as the National Health Service, are just a few of the industries which have been hit by massive IT outages in the past few years.
One common misconception is that it is only the large organisation or business which is the object of cyber attacks, and data breaches, or which suffer IT outages. Nothing could be further from the truth.
It may be that these are the organisations which grab the headlines but, in reality, all businesses are vulnerable and, arguably, a small business is more like to suffer than a larger enterprise. They have less redundancy built-in to their processes and systems, are likely to have less rigid data protection and security protocols in place, and have less ability to withstand a serious attack. The financial impact on them can also, in relative terms, be more severe, in some cases threatening the very viability of their business.
Yet the importance of business continuity for a small business is often overlooked. This is a mistake. Having a process in place to manage a devastating attack or disruption to operations can be the difference between business survival or extinction.
A key defence in the event of a major attack or disruptive event is a disaster recovery plan. Such a plan should include, at a minimum, the necessary steps which would need to be taken to restore business and IT systems to a state which can support the business after a disaster. Whilst such a plan in the past may have been messy and cumbersome for a small business to implement – involving, for example, backing up data to a tape or floppy disk and storing offsite – this no longer need be the case. The advent of cloud applications and storage now offer a cost-effective means of storing data “outside” the office or business environment, whilst allowing easy retrieval whenever anybody needs to access that data. There are a range of cloud-storage options now available which can suit any budget, so it is simply too risky not to consider, at least, putting some some of data back-up system in place, simply hoping for the best instead.
However, although related, disaster recovery and business continuity plans are not one and the same thing. A disaster recovery plan helps a business rebuild after a disaster has taken place; a business continuity plan allows it to maintain operations, even in the event of unexpected disruptions.
Such a plan would identify who was responsible for overseeing and implementing it, outline the process for managing, reporting and communicating key incidents and the business response, and capture important information such as key staff, customer and supplier details.
Whilst such a plan can be as detailed, or as scant as the owner of a small business wants, or feels that they have need for, one consideration to be borne in mind is the old adage “fail to plan; plan to fail”. This means, in essence, that the more steps and processes which are documented in advance, the easier they may be to follow when needed.
When a disaster – cyber attack, data breach or major IT failure occurs – there will often be confusion and panic whilst people struggle to identify the cause and implications of what has occurred. Having a detailed continuity plan in place can provide clarity, guidance and reassurance during what can be a stressful and distressing time.
Businesses are more vulnerable than ever before to global threats; whatever your size of business, it would be foolish to ignore the potential consequences such events could have on you. To counter this, it is recommended that a business prepare a Business Continuity Plan which outlines the key processes to follow and steps to adopt if such an event occurs. These would include implementation of a disaster recovery plan, but also should include broader strategies of ensuring that not only can business be recovered, but to allow operations to continue as normal.