A recent Data Breach Investigations Report published by Verizon has suggested that the likelihood of cyber-attacks has increased a hundred-fold over the past decade. Companies need to invest in a business continuity plan that will help them survive when something catastrophic hits them.
Although most large organisations now understand the benefits of Business Continuity Management Systems (BCMS), many small and medium-sized enterprises (SMEs) remain either unaware of their importance or are under the impression that implementing a business continuity plan is unnecessary. They believe that the chance of being hit by a natural disaster or terrorist attack is so unlikely that a generic risk management system will sufficiently cover all operational calamities, so there is no need for additional strategies. Unfortunately, the painful reality is that any organisation is still vulnerable and increasingly susceptible to the threat of an unexpected IT outage, data breach or, even more unnervingly, a cyber-attack.
Cyber security is a widespread topic of concern that has featured on online discussion panels, board meetings and conferences, exhausting all forms of media and fuelling panic. The threat of a cyber-attack today is very real and worrying. In fact, according to a recent report published by the Business Continuity Institute (BCI) in association with the British Standards Institution (BSI), companies regard cyber-attacks as the biggest threat to business, followed closely by the risk of unplanned IT/telecoms outages and data breaches. With increasing reliance on the Internet, cyber threats such as ransomware, malware, phishing and online fraud are becoming more common. Companies should not only worry about external threats, but also internal attacks by rogue employees who have access to systems and the knowledge to cause significant damage.
Despite these alarming figures, many small companies still fail to see the relevance of adopting a BCMS; instead they are falsely self-assured with a belief that their operations will bounce back to normal after a major disruption. They maintain a ‘we are just a small business’ mentality to reassure themselves that customers will accept a lack of service during the aftermath of a disastrous incident.
According to a recent Data Health Check Report published by Databarracks, only 27% of small businesses in the UK have adopted a business continuity plan, and of that percentage, 73% admit to not having tested their plan in the last 12 months. Similarly, a US study found that only one in four small businesses have a BCMS and more than half claim it would take them at least three months to recover from a disaster.
With these statistics in mind, can SMEs really continue to ignore the need for business continuity management systems? The answer is unquestionably no. Good quality management systems alone will not save a business that has not adequately prepared to cope with a disruptive incident. Companies need to change their mindset – it’s not a matter of if, it’s a matter of when a major disaster will occur. UK government figures state that nearly one in five businesses suffer a major disruption every year and 80% of these businesses affected by a major incident close within 18 months. So it remains in the best interests of a company to prepare for any eventuality by considering all the variables, how these variables can affect them and how they can be dealt with.
The Business Continuity Institute (BCI) defines a Business Continuity Management System as a holistic management process that identifies potential threats and the impact these threats could have on an organisation. It provides a framework for building resilience capabilities to effectively respond to threats and safeguard the interests of the company’s reputation, key stakeholders, brand and values.
A BCMS extends beyond the basic reactive measures of a risk management strategy to adopt a more proactive approach by understanding the organisation, its strengths and weaknesses, and pre-empting any disruptions. A BCMS builds resilience to ensure businesses can respond quickly and effectively in the event of a major incident by regularly testing their business continuity plan and documenting learning points.
ISO 22301 is the internationally recognised standard for business continuity. It helps companies put their BCMS plan into place by providing a comprehensive set of controls that can monitor, measure, analyse and evaluate their strategies. The principles based on ISO 22301 help businesses establish an effective BCMS through a process that begins with a risk assessment (RA) and Business Impact Analysis (BIA). This involves identifying the key business processes, services, systems and people – what could happen to them in the event of a disaster, the impact this would have and how to develop a contingency plan to prepare for the worst-case scenario.
A BCMS delivers a multitude of tangible benefits. As well as helping organisations increase their levels of resilience and chance of survival, a BCMS also helps companies meet due diligence audits and other client or customer requirements. It also demonstrates resilience to stakeholders, increases competitive advantage and enhances a company’s reputation. Most importantly it ensures that a company’s assets are always protected no matter what obstacles are encountered.
SMEs need to adopt a proactive attitude when it comes to dealing with a major disruption. Businesses should not wait for an incident to occur before implementing a Business Continuity Management System - they need to invest in one now. SGS United Kingdom Ltd, part of the world’s leading inspection, verification, testing and certification company, is a strong believer in proactive business management. Many businesses can select component part training from companies such as SGS which will include BIA, Exercise Planning, Crisis and Incident Management to help improve any areas of weakness in any business continuity strategy.