I’ve said quite a bit recently about cyber resilience and the focus being placed on computer outages caused by third-party suppliers, highlighted not just by the CrowdStrike issue but also by the ransomware attack on the UK NHS, made possible by infiltrating a key supplier. All of this, of course, highlights the importance of supply chain security, but my focus today is disaster recovery and business continuity.

Disaster recovery and business continuity are very much connected but are different.  The former is basically a plan for when things go sideways—like when a natural disaster hits, a cyberattack happens, or even if there’s a major tech failure. It’s all about making sure that businesses can bounce back and keep things running as smoothly as possible. Imagine your favourite coffee shop gets flooded. Disaster recovery is like their game plan for getting back on their feet: they might have backup equipment stored somewhere, a way to communicate with customers, and a strategy for cleaning up and reopening. In the tech world, it often involves regular backups of data, having alternate servers ready to go, and making sure everyone knows what to do in case of an emergency. The goal? To minimize downtime and get everything back to normal without too much hassle. It’s like having an insurance policy but for your operations—very important for keeping the lights on when the unexpected hits!

However, we need to understand that when it comes to the type of outage caused by supply chain cyber failures, as we saw with CrowdStrike, there isn’t much a customer can do to recover without fixes from the suppliers. So, in this instance, disaster recovery planning becomes a little difficult, to say the least.

Business continuity, on the other hand, is all about making sure that a company can keep running smoothly when it is deprived of its IT systems, in whole or in part. So, it’s about keeping the business running whilst the disaster recovery plan kicks in and gets stuff back online. The idea is to have a plan in place that helps the business bounce back quickly. This includes figuring out which critical functions need to keep going and having some way of operating manually if necessary. Can you place an order, process an order, raise an invoice, pay a bill, etc.? It’s like having an emergency kit for your business—batteries included! Companies should create a business continuity plan (BCP) that outlines the steps they’ll take during a crisis. This way, they don’t just react on the fly; they can hit the ground running. It’s all about minimising downtime and keeping customers happy. In short, it’s like being prepared for a rainy day—just with more spreadsheets and meetings!

The first thing to decide is what the priorities are regarding business processes: what is essential, what is a nice-to-have and what you can live without in the short to medium term. Don’t leave it to managers and staff to guess; have it documented. This priority order is determined by what is known as a business impact analysis (BIA), which determines the impact of an outage on the business and its customers. Don’t ever forget that your reputation is on the line, and you need to keep your customers serviced and happy. Each business process should have a recovery time attached to it, i.e. how long you can do without it before it becomes truly disastrous.

It all sounds terribly complicated and therefore expensive, but in fact, it isn’t. All the information you need to work this out is already in your hands. You know your business best and you know what’s important and what isn’t quite so important. You have probably just never written it down. And that’s the crux of the matter.

Disaster recovery planning addresses the processes, technical requirements and infrastructure an organisation needs to implement to recover data and operations as required by the business in the event of a disaster. The planning process will involve identification of critical business processes, business impact analysis and thus determination of the overall requirements for a cost-effective plan.

Following the disaster recovery plan, business recovery planning is the process that organisations must use to assess appropriate timeframes for business resumption, as well as allowable data losses and risk tolerances for business disruptions. As stated earlier, it also needs a plan to carry on manually whilst the disaster recovery plan is implemented. Budgetary requirements for infrastructure and processes, to meet the disaster recovery plan, will also be determined by the business recovery planning process.

There are also two other key parts to this. Firstly, companies must ensure that their plans are tested, that everyone in the company is aware of them, where they can find them, and what their responsibilities are in this regard. Testing is critical to ensure that processes, systems and business restoration can meet the requirements laid down for them. Where the plans rely on third-party service providers and/or indicate the need to support key customers, these should be involved in the testing process. This will give reassurance that support will be received and/or given as expected.

And then we have key stakeholders.  Who in your organisation is responsible for what, regarding disaster recovery and business continuity planning?  Do they know their respective responsibilities, have they accepted this?  Have you placed this in their job descriptions?  Can they be held to this responsibility?  Are they part of the planning and testing process?  All seems a bit obvious when you say it, but you’ll probably not be surprised to know that it’s often totally overlooked.

| Key Stakeholders | Roles and Responsibilities |
| --- | --- |
| CEO/Board of Directors | Aware of business continuity processes, inputs as required. Approval of business continuity processes and integration with other technical functions – Note 1. Ownership of business continuity processes together with relevant business units – Note 1. |
| Infrastructure (IT operations) | Input into business continuity processes. Consideration of any infrastructure changes which may impact security architecture. Provide inputs and coordination for systems’ resiliency testing and remediation. Provide costs/budgets for systems requirements. |
| Business units | Creation of BIA and corresponding recovery requirements. Budgetary approval. |

Note 1 – these two functions would be carried out by a CIO and/or a CISO in a larger organisation, but as most, even top end, SMBs are unlikely to have anyone in that role, then it must be owned by other board members.

I hope this is helpful, but it can only be a guide and there is no one-size-fits-all solution.
