In the UK Business Forums Startup Clinic, sponsored by Microsoft, entrepreneurs discussed the value of business continuity and security planning. Lucie Mitchell summarises the debate.
If you haven’t yet given much thought to the importance of business continuity planning and keeping your data secure, then don’t waste any more time! If you get that plan in place long before any disaster strikes, you can feel safe in the knowledge that you can keep on doing business in the event of any disruption. Here’s some advice from members of UK Business Forums to help get you started.
According to the Centre for the Protection of National Infrastructure, a business continuity plan is an “essential” part of a firm’s response planning, and “sets out how the business will operate following an incident and how it expects to return to ‘business as usual’ in the quickest possible time afterwards”.
A business continuity plan can apply to any major disruption, including fire, flooding, power failures, absence of staff, as well as more serious incidents such as terrorist attacks.
UKBF member GraemeL says: “Having been involved in the formulation and recording of many business continuity plans for a 'big' business, it was apparent that the plans are often far too distant from reality; not appropriately 'scaled' by time or severity; have so much detailed information in them, it is a task to keep them updated; don't plan for the worst; avoid detailed solutions to difficult problems; and don't include financial plans.
“The conclusion was that to do this properly, someone is required to assist who can push and guide in the right direction, to ensure everything appropriate is adequately covered - very difficult to do it in-house. And then the plans should be tested annually. Moral - do what you can to prevent a 'disaster' in the first place.”
Paul Rosser advises: “The first step of any continuity plan is to analyse the resources you use; this includes data, applications, people and physical things like paper files.
“As part of this step you may also need to put measures in place to ensure all data is held centrally, for example if you have a lot of staff who keep data on the hard disk of their laptop then you need to put in measures to ensure this is copied to the network at regular intervals.”
Rosser then recommends that, once you have completed the analysis of your resources, you assign a priority to each of them.
“Any resource which is critical to the running of your business is given a high priority; things which are needed but not critical are a medium priority; and applications/data which are infrequently used are given a low priority.”
It is then important to update and test the plan on a regular basis, adds Rosser.
“Putting a business continuity plan in place is only the first step to ensuring your company will continue to run smoothly should disaster strike; any plan should be regularly checked and updated to ensure it’s still fit for purpose,” he says.
“Any business continuity plan is only worthwhile if it actually works; at least once a quarter it should be tested to ensure that it’s effective and provides the level of service sought.”
GraemeL adds: “I suspect that a template - a ready written set of (fill in the gaps) forms and instructions - will be needed to get a small business started on business continuity planning. Frankly, it’s not very exciting and does not generate business. Like insurance. Of course it is not a case of one size fits all.”
The government has produced a Business Continuity Management Toolkit, which provides further information and help on business continuity.
A data security breach can occur for many reasons, including loss or theft, equipment failure and human error; whatever the cause, it is vital to have a policy in place to deal with it.
The Information Commissioner’s Office (ICO) states that there are four important elements to any breach management plan:
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response
Rosser applies the same theory to IT security as he does to business continuity planning: the first step is to analyse all the data held, and the second is to assign a priority to each type of data.
“After you have prioritised your data you then need to ensure you have adequate measures in place to provide protection of high and medium priority data,” he advises.
These measures should include logical access controls, physical access controls, internet security, anti-virus and encryption, he adds.
Finally, “ensure that your security plan is updated on a regular basis to take into account any new data your company has stored,” he says.
UKBF member Quest Cloud Solutions Ltd gives an example that illustrates how ‘backing up’ data sometimes isn’t enough.
“Some years ago, before we were really pushing online backup, we had a client who religiously backed up to tapes, every night; he was the most dedicated client we had for it, but didn't take our advice about taking them off-site (worryingly, this is common practice in our experience) and instead left them in the server room.
“The air-conditioning failed over the weekend, and the heat from the server slowly cooked his tapes, tape backup machine, and server. He had to pay many thousands to a data recovery specialist to get his data back.”
Rosser says that, when developing an IT continuity plan, it must be scalable if and when the business grows.
“I've worked for quite a few firms who started off with two or three servers, so a daily backup sent off site to somewhere secure did them just fine. Then one day they realised they had 50 servers, backups of over 5TB were taking longer than the 12-hour window they had, and it was all a bit of a mess. Trying to put in IT continuity when you get to this stage is not only very time consuming but also very expensive.”
When Rosser started his own business, his IT continuity plan from day one included:
- Fully encrypting all machines which would hold client data
- Setting up hosted exchange with a Cloud provider
- Setting up Cloud storage with two providers
- Ensuring all company data was encrypted and sent to both Cloud providers in real-time
Small businesses are increasingly using the Cloud to store their data, mainly due to its cost efficiencies. In response to this, the ICO issued some Cloud computing guidelines last year to ensure businesses comply with data protection law and remain responsible for the data. These include:
- Seek assurances on how your data will be kept safe
- Think about the physical security of the Cloud provider
- Have a written contract in place with the Cloud provider
- Put a policy in place to make clear the expectations you have of the Cloud provider
- Be aware that transferring data internationally, including to Cloud storage based abroad, brings a number of obligations
When it comes to disaster recovery for telephony, the real answer is to use VoIP, says UKBF member cjd.
“With a VoIP service you have disaster recovery inbuilt and at no extra cost. This is because a VoIP telephone will work anywhere you can plug it into an internet connection. So if someone puts a spade through the cables outside your office, send everyone home with their VoIP telephones and they’ll work exactly as they did in the office.”
For more information, read the ICO’s IT security guide, aimed specifically at small businesses, outlining the steps they can take to ensure their IT systems are safe and secure.
Case study: How Microsoft Office 365 can protect your business
Web-Translations is a translation and localisation company with a small, office-based team. It has a wide customer base covering various sectors, and the needs of each client vary significantly. It has adapted to meet these requirements by building a global network of specialised remote workers. With Microsoft Office 365, the firm has improved cashflow and is helping employees work more flexibly.
Office 365 also provided Web-Translations with significantly improved security:
Improved reliability: Office 365 is delivered from a global network of state-of-the-art data centres protected by multiple levels of security. This makes it more reliable than an on-site version because no email backup is required. Emails are stored in resilient data centres, with high levels of security and energy efficiency, and supported by a 99.9% uptime guarantee.