How to develop an IT contingency plan for your business

IT Contingency Planning
How effective were business contingency plans when they were in place? (Copyright BIS)

According to the last security breach survey [PDF] conducted by the Department for Business, Innovation and Skills (BIS) 76% of large organisations and 83% of small businesses believe security is a high or very high priority to their senior management.

BIS also notes: "The number of small businesses that formally assess security risks has dropped by 15%. This is worrying at a time when both cyber threats and business use of technology are rapidly evolving."

A small business that relies on its ability to efficiently store and manipulate data must have a contingency plan in place to protect from potential disasters.

Avoiding disaster

Small businesses are also embracing the cloud in increasing numbers. BIS research illustrates this trend with three-quarters of SMBs storing confidential information in the cloud. This data and on-site information must all be protected with a contingency plan. There are a number of events that could impact on your business' IT infrastructure including:

  • Equipment failures
  • Theft
  • Cybercrime
  • Environmental impacts
  • Human error

Each of these potential threats should be mitigated with a well-designed contingency plan. If your business was flooded for instance, or suffered a major disruption of services as many businesses did at Buncefield in 2005, how would your business react? Indeed, a survey carried out by the Chartered Management Institute and the Cabinet Office revealed that less than half of the businesses affected by the event at Buncefield had any kind of contingency planning in place.

David Fisk, sales director, Quorum EMEA, told TechRadar Pro: "For most small businesses, it is not an area of IT contingency, but the overall concept of contingency. They don't normally get past the idea of backing up their server. Contingency is more about working through the process of how to recover and how fast you will be able to recover, and the costs associated with such."

Don't throw the dice

So contingency planning is a vital component of how a successful business is run today. Identifying what risks your enterprise's IT could be subject to, and then developing a plan of action to reduce these risks is critical. Think about how your business would function if it lost just one of its IT systems. Now multiply this until you arrive at a complete system breakdown. Suddenly it becomes clear how vulnerable your IT resources can be.

And responding to information security breaches has a financial impact as well. According to the BIS study, among small businesses, the average time spent on responding to an incident is six to 12 man-days, up from two to five man-days in 2012. The average cost of this time was £2,000-£5,000, plus a further £500-£1,500 in cash costs.

IT disruptive

Which incidents were most disruptive to business? (Copyright BIS)

Human error is a risk that can be difficult to quantify and protect against. Weak password usage, data backup policies and the misuse of digital devices are all potential risks that a contingency plan needs to address.

In its risk management study, IBM highlighted this area of IT risk: "The greatest single cause of both disruption and economic impact is human error – which is not an issue that IT alone can address. While IT can invest in processes such as change management or automated data backup that can help reduce the opportunity for human error, educating end users and developing a security-aware and compliant culture requires an enterprise-wide effort with top-down leadership."

Defending your IT

Business owners are not powerless to act when considering how their IT systems could be affected by a myriad of potential disasters. Understanding the threats to your business' IT systems and mitigating them with a detailed contingency plan is something that even the smallest enterprise can achieve.

Follow these steps to create an IT contingency plan for your business:

1. Assess your business' IT infrastructure

Perform a detailed analysis of your businesses IT assets including data, hardware and software.

2. Rank your risks

Think about the risks that your IT faces. These will be specific to your business. Rank the risks in their order of probability.

3. Plan of action

Take each risk in turn and consider how these could be reduced. What steps or processes could be put in place to reduce or eliminate each risk?

4. Write your IT contingency plan

Once your business understands the IT risks it faces, writing a contingency policy document should include clear steps that should be taken if any of the events you have identified occur.

5. Test your contingency plan

It is critical that the plan of action your business has developed is tested. This will reveal any areas that need more attention.

The size of your business and the extent of its IT infrastructure could mean that a contingency plan may be as simple as initiating a more robust data backup regime to a reliable cloud storage service.

On the other hand, SMBs with on-site servers, for instance, will need to think about a number of potential issues. But think about them you must. The businesses at Buncefield had no warning of the disaster that was about to unfold. A well-designed contingency plan can ensure your business never suffers any loss.

Image Credits: BIS