When everything is running smoothly it can be easy to overlook the need for contingency planning. After all, why worry about something that may never happen? But, as any good business person understands, the business world is full of inherent risks, and even the act of starting a business is a fundamentally risky one.
In 2018, the UK government carried out a Cyber Security Breaches Survey which found that, where a security breach had occurred, 94% of businesses that had contingency plans found them to be effective. But, startlingly, only 13% of businesses had such procedures in place.
Security breaches, theft, data loss, even a member of staff going on long-term sick leave, all have one thing in common: they have the power to prevent your business from functioning at an optimal level. A well-thought-out contingency plan will act to minimise disruption, safeguard your data and ensure the safety of everyone involved.
There’s every likelihood that you’ll never have to make use of your contingency plan, and we hope you never do, but if the world of business teaches us one thing, it’s that nothing in life is guaranteed. If you’re in the process of setting up an IT contingency plan, take a look at the following ten steps designed to mitigate the risks to your business.
Conduct a Business Impact Analysis
It’s not just a business’s bottom line that is vulnerable to uncertainty. Unexpected events can spring up without warning at any point, and even natural disasters and on-site accidents can have a huge impact on business operations.
A Business Impact Analysis (BIA) is the process of assessing and evaluating potential threats; it should highlight potential weaknesses in your company and outline how possible threats could affect you. A BIA is a systematic method of predicting worst-case scenarios. The UK government have created a set of guidelines to assist you in conducting your own BIA. Consult them before you make a start on yours.
Compile an inventory and identify business critical functions
Each business will have different ideas about what constitutes a “business critical” function. By compiling an inventory of hardware (servers, desktops, wireless devices etc.), software applications and data, a business will be in a position to clearly see where its biggest weaknesses lie.
Any plan should first compile a list of strategies to ensure all critical information is backed up. Consider that standardised hardware will be the easiest to replicate in a worst-case scenario and prioritise hardware and software restoration.
Identify preventative measures
Some of the outage impacts identified in your BIA may be alleviated or even eliminated through the correct preventative procedures. Where feasible and cost-effective, pre-emptive measures will always be preferable to post-emergency recovery solutions.
Frequent, scheduled backups should be part of your company policy. Preventative measures should be outlined in your contingency plan and staff should be informed of the role that they have to play.
A variety of easy-to-execute measures are available. Take a look at a few of the suggestions outlined below (which could prevent business outages arising from theft, crime, data loss, natural disasters and more) and consider what would be suitable and feasible for your business:
- Emergency master system shutdown switch
- Offsite storage of backup media, non-electronic records, and system documentation
- Uninterruptible power supplies to provide short-term backup power to all system components
- Heat-resistant and waterproof containers for backup media and vital non-electronic records
- Installation of security systems and a clear strategy for responding to alerts
- Updating anti-virus and anti-spyware regularly
- Encrypting customer data
Develop recovery strategies
It is vital to have the means to restore IT operations quickly and effectively following a service disruption. The strategies that you have in place should address the impact of disruption and realistic outage times identified in the BIA.
When developing your IT strategy, consider cost, security, and integration with other directorate contingency plans. The strategy should include a combination of methods that cover the scope of potential incidents. Consider implementing the following:
- Commercial contracts with cold, warm, or hot site vendors
- Mobile sites and mirrored sites
- Reciprocal agreements with internal or external organisations, and service level agreements (SLAs) with the equipment vendors
Develop a data backup plan
Identify where your data is stored. Do you use network servers, desktop and laptop computers, wireless devices, or all of the above? Consider the different backup options required for each and don’t overlook any hard copy records you may hold (vital hard copies can be backed up by scanning paper records to digital formats and storing them along with other digital data).
Large capacity USB drives with integrated data backup software are great for storing backup data and, of course, many service providers will offer automatic backup storage on the cloud. The plan should include frequency of backups, security of the backups and secure offsite storage. And remember, backups should be stored with the same level of security as the original data.
Develop your contingency plan
Each contingency plan will be different, but at its most basic level, it should include the detailed roles, responsibilities and procedures associated with restoring your IT system following a disruption. It should document technical capabilities designed to support your contingency operations and be specifically tailored to your company and its processes. Aim to create a plan that is both detailed and versatile to allow for scale.
Test your plan!
Testing that the plan is effective is a critical element of your contingency planning checklist. Thoroughly testing everything from your backup systems to your staff response is vital to identify and address any potential weaknesses or deficiencies.
Consider the following when carrying out your test:
- System recovery from various backup sources
- Notification procedures
- Restoration of operations
- System performance using alternate equipment
- Coordination among recovery teams
Ensure staff understand your policies
It is vital that your staff both understand your plan and the role that they will be expected to play in the event of any emergencies or outages. Create a contingency planning policy statement that is based on clearly defined policies that your company can understand and easily refer to.
Each team member must be aware of the role that they will be expected to play in the event of any possible disruptions. Training and maintenance are key components when future-proofing your contingency plans.
Maintenance is key
Once your plan is in place, it must be regularly maintained to keep it in a ready state that reflects the needs of the business. IT systems, often more than any other in the business, undergo frequent changes because of changing business needs, technology upgrades and new policies.
Therefore, it is essential that the contingency plan is reviewed and updated regularly to ensure measures are revised if and when required. Plan for a general review at least once a year, in addition to any time that significant changes to the IT systems occur. Certain elements, such as contact details of significant staff members, will require frequent amendments.
Know your sources
An IT contingency plan is business critical and should not be undertaken lightly. Thankfully, there are lots of guides and resources out there to help you plan and develop robust contingency measures for your business.
We’d recommend the following resources for practical guidance and information on IT contingency planning:
- Gov.UK Business Continuity Planning Guide – A comprehensive business contingency planning guide developed by the government.
- Business Continuity Institute – The Business Continuity Institute can offer tailored advice to your business when developing a contingency plan.
- Gov.UK Resilience Guide – The government’s official guidelines for preparing and planning for emergencies, accounting for civil emergencies and other crises.