This year has been fraught with major security breaches, most notably the WannaCry ransomware attack last month. WannaCry infected computers in more than 150 countries and affected major organizations like Britain's National Health Service (NHS), Spain's Telefónica and FedEx. As an MSP, we work tirelessly on prevention methods for our clients, from the latest security software and updates to, most importantly, user education.
However, while prevention is important, nothing is foolproof – infections can and will happen as viruses continue to evolve. The ultimate tool to ensure survival? A solid business continuity plan with backup and disaster recovery processes.
What is a business continuity plan?
A business continuity plan (BCP) can simply be defined as a roadmap for restoration of mission-critical business functions during and after a major interruption – whether it be nature-related (fire, flood) or technology-related (malware, hacking).
A lot of companies think that if they have a data backup plan, they’re covered, but a BCP should not just be an IT document. Rather, it needs to be an all-encompassing, operational compilation that includes:
- Initial company data, such as important contact information
- Purpose and scope
- Guidelines related to what events will trigger the plan
- Policy information
- Emergency response and management protocols
- Step-by-step procedures for all scenarios and departments
- Checklists and flow diagrams
- A schedule for reviewing, testing and updating the plan
Creating your business continuity plan
As we mentioned earlier, your BCP is a comprehensive operational document that will be used by all departments in your company. Therefore, it requires intensive cross-departmental planning and collaboration. The hardest part of putting your BCP together is figuring out all the different areas you need to define. Here are some of the top aspects to think about:
- Key business activities: What sort of things are crucial to keeping your business running? These include systems, processes and activities. For example, if your business lost phone use for over a day, would this shut down your office? Are you able to forward calls to people working from home?
- Disasters: What events can be disastrous to your business? The term “disaster” typically covers natural/physical disasters (e.g. water damage from a leaking pipe) and technological disasters (e.g. a crashed server). However, there could be more categories depending on your business type.
- Disaster costs: Before you can start to plan for the potential disasters you may face, you should know what is at stake in terms of revenue. Think about things like labor/resource time (and how much that costs), impact to sales revenue and any other potential losses due to client dissatisfaction.
- Recovery budget: Now that you know what’s important to the business, how that can be derailed and at what cost, you can start to consider how much you are willing to pay for preparedness.
- Training and review: A BCP is not a static document. Instead, it must continually develop and change along with your business and industry. With this in mind, define how frequently the document should be revisited and how often to meet with and educate your staff.
Although the elements outlined above constitute a solid starting point, this is not an exhaustive list of areas to work out. There are communication hierarchies, processes, vendor considerations and more to think about when creating your BCP. The most important realization concerning your BCP is that putting such a plan in place is not a one-and-done scenario – the document is your go-to survival guide in the event of an incident that will significantly affect your company’s uptime, and it should be treated as such. We encourage you to talk to your MSP (if you have one) about how to get a comprehensive plan together, or download our free template to help you get started on your own!