Man looking something in a tablet

Plan B: Business continuity plan for SMEs

When IT stands still, most companies stand still. This is why small and medium-sized enterprises need a continuity plan as a plan B. Especially now, when more and more SMEs are falling victim to cyber attacks and, in the worst case scenario, have to reckon with short or longer system and thus business interruptions.

Why is a recovery plan needed?

As the number of cyber attacks increases, so does the risk of business interruptions or outages. SMEs are particularly at risk, as they are often less well protected than large companies due to a lack of resources. With business continuity management as part of their risk management strategy, SMEs prepare themselves for such emergencies and the continuation of critical business processes. According to the Sophos study "The State of Ransomware 2023," an outage costs an average of 1.85 million dollars. In addition, there is a loss of reputation and trust. Prolonged downtime can jeopardize the existence of an SME.

What belongs in a business continuity plan?

A business continuity plan increases cyber resilience, shortens interruptions to business operations and ensures long-term viability. Cyber resilience is the ability to protect against cyber attacks, recognize them, respond immediately and recover quickly from the consequences. These are the four core components of a continuity plan:

  • First, all critical business processes are identified. These are the processes that are crucial to the survival of the SME, from the distribution chain to customer services.
  • Possible threats such as cyber attacks or technical problems and their consequences are then analyzed in a risk assessment.
  • Based on the risk assessment, a recovery strategy is developed so that the SME can resume operations as quickly as possible. For example, with a redundant IT system or at a second location.
  • With the increasing number of cyber attacks, cyber security is becoming vital and must be regulated in the business continuity plan. For example, with preventive measures such as regular backups, software patches and updates, or employee training.

Six steps to a business continuity plan

How to create a business continuity plan in six steps:

Step 1: Identify and assess risks

Start with a thorough risk analysis. What dangers might threaten ongoing operations – and therefore the company – in the event of an IT failure? Consider all conceivable scenarios and assess the probability and impact. Possible scenarios include technological risks such as cyber attacks or system failures.

Step 2: Evaluate business-critical effects

A business impact analysis enables you to understand the effects of failures and interruptions. You can identify business-critical processes and IT dependencies and determine how quickly they need to be restored in order to avoid serious consequences. The analysis helps to allocate resources sensibly and to develop a strategy for risk mitigation and recovery. Some processes and departments or areas may take longer to recover than others, without customers being directly affected. Ultimately, it is about deciding which processes are most important for value creation and relevant for sales.

Step 3: Minimize risks and restore processes

Once all impacts and dependencies have been identified, plan measures to minimize the potential impact with a risk mitigation strategy. You then use a recovery strategy to determine how you can restore the critical business processes as quickly as possible. Plan crisis communication, define clear communication channels and assign responsibilities.

Step 4: Derive, prepare and develop measures

Every business continuity plan is divided into two subject areas. The departments or divisions are responsible for maintaining business operations, as they know their processes best. Internal or external IT specialists are responsible for technical recovery

Maintenance of business operations

  • Print complete process documentation with instructions, plans and directories
  • Print and store forms for process documentation
  • Record contacts of customers, partners and employees and keep them available offline
  • Find alternatives for relocating production and procuring materials
  • If possible, set up an external warehouse with production-critical components
  • Clarify with the bank how urgent bills can be paid in an emergency
  • Look for alternatives to card payment, for example cash or invoice forms
  • Discuss documents and emergency scenarios with key employees
  • Save important documents on a laptop with an independent Internet connection
  • If possible, set up emergency organization with employees and the IT service provider

Technical restoration

  • The first thing to check is the availability of the backup data; how many days or weeks does it go back, and do you want to use this as a basis for the future? Do the data carriers work, and is a sufficient read/copy infrastructure available?
  • Before restoring the backups, it must be ensured that the target systems have been completely deleted and are virus-free. In some cases, it makes sense to procure new hardware or restore backups in a cloud environment
  • For more complex system landscapes, an extensive "clean-up" of the systems may be more efficient than a complete restore from backups. An experienced IT emergency service provider should be brought in to help remove all viruses and backdoors and set up an "alarm system" for new infections
  • With the help of the IT service provider, a secure network area can also be created for recovery, which is physically separated, or separated by suitable firewalls, from any systems that may still be infected
  • First of all, the central systems should be restored or cleaned up, i.e. user management, file servers, email, security and network systems, as well as systems for operating virtual machines
  • The sequence of recovery of servers, virtual machines, applications and databases depends on the criticality of these systems and on dependencies, which should be identified and documented in advance
  • At the same time, desktops and laptops can be reinstalled, and affected control systems in production environments can be cleaned up

Step 5: Involve and train employees

Involve your employees in the risk analysis, business impact analysis and emergency planning. On the one hand, they know their work area, possible dangers and the effects of failures or interruptions best. On the other, this involvement promotes their understanding of the business continuity management (BCM) process and increases their commitment to the BCM strategy. For this reason, it makes sense to organize regular training and feedback for relevant employees and to update the plan in the event of major organizational changes.

Step 6: Test and adapt business continuity plan

No plan is set in stone. The business continuity plan should be tested and updated at least once a year. In addition, recovery tests should be carried out and manual processes practiced in emergency scenarios so that everyone knows what to do in an emergency. As with fire alarm drills. Update the business continuity plan after every major disruption or interruption and after every major change in the operating environment, print it out and distribute it to all affected employees and service suppliers.

Good to know
Zurich Cyber Insurance for SMEs covers not only the costs of analyses such as virus scans or damage assessment, but also the costs of disaster recovery efforts. Calculate your premium or arrange a consultation.

More articles

How SMEs protect against hacker attacks

A hacker attack threatens a company's existence

Every week, the National Cyber Security Center (BACS) receives hundreds of reports of cyber incidents: at peak times over 2,000 per week. SMEs are at particular risk. What dangers lurk for small and medium-sized enterprises?
Two employees in the server room

IT contingency plan: How SMEs protect themselves

Nowadays, no company can afford a prolonged IT system failure. In the best case, the failure "only" costs money; in the worst case, it costs the company its existence. Every company therefore needs an IT contingency plan.
Woman sitting at a computer in a warehouse

Authentication: Protect your network and your data

With strong authentication such as 2FA or MFA, SMEs protect their company network and data with a password and at least one other factor.
Young man

Kaisin: New entrepreneurs with a recipe for success

Success with delicious poké bowls – co-founder Delano Fischer chats about his innovative Zurich start-up.
Men having a cheerful discussion

The story of our cyber insurance customer Planted

The start-up Planted is causing a stir with its innovative plant-based foods.