Plan B: Business continuity plan for SMEs

When IT stands still, most companies stand still. This is why small and medium-sized enterprises need a continuity plan as a plan B. Especially now, when more and more SMEs are falling victim to cyber attacks and, in the worst case scenario, have to reckon with short or longer system and thus business interruptions.
Man looking something in a tablet
These topics will be addressed

Why is a recovery plan needed?

As the number of cyber attacks increases, so does the risk of business interruptions or outages. SMEs are particularly at risk, as they are often less well protected than large companies due to a lack of resources. With business continuity management as part of their risk management strategy, SMEs prepare themselves for such emergencies and the continuation of critical business processes. According to the Sophos study "The State of Ransomware 2023," an outage costs an average of 1.85 million dollars. In addition, there is a loss of reputation and trust. Prolonged downtime can jeopardize the existence of an SME.

What belongs in a business continuity plan?

A business continuity plan increases cyber resilience, shortens interruptions to business operations and ensures long-term viability. Cyber resilience is the ability to protect against cyber attacks, recognize them, respond immediately and recover quickly from the consequences. These are the four core components of a continuity plan:

  • First, all critical business processes are identified. These are the processes that are crucial to the survival of the SME, from the distribution chain to customer services.
  • Possible threats such as cyber attacks or technical problems and their consequences are then analyzed in a risk assessment.
  • Based on the risk assessment, a recovery strategy is developed so that the SME can resume operations as quickly as possible. For example, with a redundant IT system or at a second location.
  • With the increasing number of cyber attacks, cyber security is becoming vital and must be regulated in the business continuity plan. For example, with preventive measures such as regular backups, software patches and updates, or employee training.

Six steps to a business continuity plan

How to create a business continuity plan in six steps:

Step 1: Identify and assess risks

Start with a thorough risk analysis. What dangers might threaten ongoing operations – and therefore the company – in the event of an IT failure? Consider all conceivable scenarios and assess the probability and impact. Possible scenarios include technological risks such as cyber attacks or system failures.

Step 2: Evaluate business-critical effects

A business impact analysis enables you to understand the effects of failures and interruptions. You can identify business-critical processes and IT dependencies and determine how quickly they need to be restored in order to avoid serious consequences. The analysis helps to allocate resources sensibly and to develop a strategy for risk mitigation and recovery. Some processes and departments or areas may take longer to recover than others, without customers being directly affected. Ultimately, it is about deciding which processes are most important for value creation and relevant for sales.

Step 3: Minimize risks and restore processes

Once all impacts and dependencies have been identified, plan measures to minimize the potential impact with a risk mitigation strategy. You then use a recovery strategy to determine how you can restore the critical business processes as quickly as possible. Plan crisis communication, define clear communication channels and assign responsibilities.

Step 4: Derive, prepare and develop measures

Every business continuity plan is divided into two subject areas. The departments or divisions are responsible for maintaining business operations, as they know their processes best. Internal or external IT specialists are responsible for technical recovery

Maintenance of business operations

  • Print complete process documentation with instructions, plans and directories
  • Print and store forms for process documentation
  • Record contacts of customers, partners and employees and keep them available offline
  • Find alternatives for relocating production and procuring materials
  • If possible, set up an external warehouse with production-critical components
  • Clarify with the bank how urgent bills can be paid in an emergency
  • Look for alternatives to card payment, for example cash or invoice forms
  • Discuss documents and emergency scenarios with key employees
  • Save important documents on a laptop with an independent Internet connection
  • If possible, set up emergency organization with employees and the IT service provider

Technical restoration

  • The first thing to check is the availability of the backup data; how many days or weeks does it go back, and do you want to use this as a basis for the future? Do the data carriers work, and is a sufficient read/copy infrastructure available?
  • Before restoring the backups, it must be ensured that the target systems have been completely deleted and are virus-free. In some cases, it makes sense to procure new hardware or restore backups in a cloud environment
  • For more complex system landscapes, an extensive "clean-up" of the systems may be more efficient than a complete restore from backups. An experienced IT emergency service provider should be brought in to help remove all viruses and backdoors and set up an "alarm system" for new infections
  • With the help of the IT service provider, a secure network area can also be created for recovery, which is physically separated, or separated by suitable firewalls, from any systems that may still be infected
  • First of all, the central systems should be restored or cleaned up, i.e. user management, file servers, email, security and network systems, as well as systems for operating virtual machines
  • The sequence of recovery of servers, virtual machines, applications and databases depends on the criticality of these systems and on dependencies, which should be identified and documented in advance
  • At the same time, desktops and laptops can be reinstalled, and affected control systems in production environments can be cleaned up

Step 5: Involve and train employees

Involve your employees in the risk analysis, business impact analysis and emergency planning. On the one hand, they know their work area, possible dangers and the effects of failures or interruptions best. On the other, this involvement promotes their understanding of the business continuity management (BCM) process and increases their commitment to the BCM strategy. For this reason, it makes sense to organize regular training and feedback for relevant employees and to update the plan in the event of major organizational changes.

Step 6: Test and adapt business continuity plan

No plan is set in stone. The business continuity plan should be tested and updated at least once a year. In addition, recovery tests should be carried out and manual processes practiced in emergency scenarios so that everyone knows what to do in an emergency. As with fire alarm drills. Update the business continuity plan after every major disruption or interruption and after every major change in the operating environment, print it out and distribute it to all affected employees and service suppliers.

Cyber insurance
If you are well prepared, you will be better able to cope with the consequences of a cyberattack or system failure – whether it is a business interruption, data loss or blackmail attempt.

Take out cyber insurance

Good to know

Zurich Cyber Insurance for SMEs covers not only the costs of analyses such as virus scans or damage assessment, but also the costs of disaster recovery efforts. Calculate your premium or arrange a consultation.

More articles

view all articles