How many SMEs have a business continuity plan in place should they be subject to a cyber-attack that seriously disrupts business to the point where you can’t process an order, raise an invoice or get in essential supplies?  It happens, don’t kid yourself, and business continuity is not the same as disaster recovery.  Business Continuity and Disaster Recovery are two closely related concepts that are often used interchangeably, but they serve different purposes within an organization.

Business Continuity refers to the proactive strategies and plans put in place to ensure that essential business functions can continue in the event of a disruption or disaster. This could include natural disasters, cyber-attacks, power outages, or any other event that could disrupt normal business operations. Business Continuity planning typically involves identifying critical business processes, implementing redundant systems and processes, and developing communication plans to ensure that the organization can continue to operate smoothly in the face of adversity.

Disaster Recovery, on the other hand, is focused specifically on restoring IT infrastructure and data after a disaster has occurred. This could involve recovering lost data, restoring systems and networks, and ensuring that IT operations can resume as quickly as possible. Disaster Recovery planning typically involves creating backup systems, implementing data recovery procedures, and testing these plans regularly to ensure they are effective.  Both are critical components of a comprehensive risk management strategy and should be integrated into an organization’s overall resilience planning efforts.

In general, the IT support company you have under contract, along with your insurers, should be able to help you with disaster recovery, which is often defined by a physical disaster (i.e. fire, flood etc.) as well as a cyber-attack.  Business continuity, on the other hand, requires much more thought and planning.

In essence then, business continuity is the ability to recover quickly and continue operating when there has been a serious disruption to the business function caused by equipment failure, power outage, fire, flood, or other type of disruption (man-made or otherwise).  Business continuity may be achieved through resiliency – which is an essential part of system architecture, associated with business continuity planning.  Resiliency considers the business impact and corresponding plans to restore business functionality after a disruptive event.  However, as many SMEs have carried out no real risk assessment and have no real risk management plan in regard to cyber security, it is unlikely that they have a system architecture robust enough to take account of this requirement.  The exception is that the majority have taken to cloud computing, which goes some way to achieving resilience, although that was probably not their primary reason for going down that road.

The 4 elements that are essential to the business continuity component of the security operations function are as follows:

  • Business impact assessments (BIA)
  • Disaster recovery planning
  • Business recovery planning
  • Plan, testing and analysis

Arguably the most important is the BIA: developing an understanding of what could happen to the business should a disaster overcome you and the loss of systems lead to the loss of access to critical data and of the ability to continue to function efficiently.

These are the issues all business owners should get to grips with, and here at H2 we understand that it isn’t easy and that advice and guidance are necessary.
