SMEs are increasingly finding themselves facing IT outages, whether from a cyberattack, a simple failure or a natural disaster. Whilst they may not consider themselves as vulnerable as their larger counterparts, it is just as vital for smaller enterprises to understand the risks and invest in business continuity to keep business disruption to a minimum.
Identifying IT assets
SMEs need to proactively identify which key IT assets, from hardware through to systems and specific services, must be protected in the event of an IT outage, rather than waiting until disaster strikes. These can range from email and CRM systems through to individual devices such as company smartphones and laptops. Any new assets should also be assessed against a risk register so that the business can evaluate the potential risks to them.
It is vital that SMEs understand the value of their data. Many smaller businesses do not consider their data to hold value, but there will undoubtedly be an impact on either the business, or indeed its customers, if specific data is lost. This could be anything from a whole day’s sales information to an entire list of client contacts.
Considering the cost
An IT outage can affect a business for an unknown length of time, so it is vital for a business to know the cost per hour of losing its IT service and data, and also to consider the risk of reputational damage. Typically the CEO should agree a budget for mitigation of this risk, or accept responsibility for not implementing a control ahead of time.
A business must know all the risks associated with an IT asset and then allocate controls against each asset to mitigate these risks. SMEs also need to know how long it will take to get each IT service operational again with the latest available data. For example, if an IT outage happens at midday, how long will it take for that service and data to become available again? Will the morning’s data be available? The final part of gaining control is to determine whether the company has the skills and technologies it needs to manage IT recovery in-house, or whether an agreement should be made with a third-party provider.
Review and recovery
As with any emergency, the response to an IT outage needs to be tested in as lifelike a drill as possible. Continual testing and review ensure that SMEs are as prepared as possible for when disaster strikes, and let them assess whether the process can be made faster or whether continual IT protection is even possible. Evaluating options on an annual basis (at the very least) will mean that smaller businesses are ready for any form of IT outage should the worst happen.