Business Continuity for SMB's – A Necessity or Not?

Wednesday, April 13, 2011

Dejan Kosutic


Does it make sense to implement business continuity in smaller companies? Why would they need something as costly as this if the owner of the business has all the necessary information in his/her head?

Let me start with a story I heard recently - a small company (involved in the sales of various equipment to a large customer base) has been robbed - the thief broke into their office during the night and stole all the computers together with other valuable stuff.

The problem is - the owner of this company backed up the data, but saved that backup on another computer in the same office. Very soon the company went bankrupt - they simply weren't able to recover key information about their business.

This is a classic example of the syndrome "It is not going to happen to me" that the majority of small companies have.

Business continuity framework

Does this mean that small businesses need to invest in costly disaster recovery locations with high-availability equipment? Certainly not.

In some cases business continuity is really not needed because the owner of the business does have all the information in his/her head, but such cases are very rare - how many of those don't have a laptop with various kinds of important information?

Just thinking about how to make this information available in case of a disaster is already part of a business continuity effort.

Owners of small businesses need to think carefully about which information (and other resources) are important for their business, how to ensure that such information and other resources are available in case of a disaster, and which steps are needed to recover business activities in case a disaster occurs.

These steps are nothing else but performing business impact analysis, business continuity strategy, and business continuity plans, like any larger company would do when implementing business continuity. All these are described in a leading business continuity standard - BS 25999-2.

How to prepare

Now the difference between small and the large businesses is in the complexity and the price of the preparations small companies need to do for business continuity:

  • Backup of electronic data - small businesses can use some of the tools that backup the data from their computers almost instantly to the cloud. Of course, due care has to be taken that all the necessary data is included.
  • Backup of paper-based documents - small businesses are now in a position to eliminate paper-based documents almost completely from their daily operations and transfer everything to electronic form; for rare cases where paper-based documents must exist, they can be scanned for the purposes of business continuity.
  • Alternative office locations - in most cases it will be enough that employees continue business operations from their homes - the prerequisite would be that they have an Internet connection, laptops/PCs and passwords. If working from home is not appropriate, a hotel room can always be rented in less than an hour.
  • Hardware - unless there is a special kind of computer used for a business, it is very easy to find an alternative - usually there is a private computer at home, or one can be borrowed from a relative; or one can be purchased at the computer shop next door.
  • Workforce - now, this is probably the most difficult one - let's suppose that an employee is not available, and he is the only one who knows certain information (e.g. administrative passwords, steps that need to be taken in an important project, etc.) - for such cases, the preparation would be to document all this information, so that it can be used without that employee being present. The other case would be if an employee is missing and no one else would have the time or the skills to do her job - in such case the preparation would be to identify upfront who would be available for hiring on a short notice to fulfill the missing employee's job; of course, the key here is to identify someone with the right skills/qualifications.

To conclude: there is no difference between large organizations and small with regard to business continuity framework - they both have to think in detail what preparations they need to perform in order to survive a disaster. The difference is in the level of preparations - smaller businesses can make it with very little investment.

Cross-posted from ISO 27001 & BS 25999 blog -

ISO 27001 and BS 25999-2 Webinar Schedule:

ISO 27001

ISO 27001 Lead Auditor Course Preparation Training

ISO 27001 Benefits: How to Obtain Management Support

ISO 27001: An Overview of ISMS Implementation Process

ISO 27001 Foundations Part 1: ISMS Planning Phase, Documentation and Records Control

ISO 27001 Foundations Part 2: Implementation, Monitoring and Reviewing, Maintaining and Improving the ISMS

ISO 27001 Foundations Part 3: Annex A Overview

ISO 27001 and ISO 27004: How to Measure the Effectiveness of Information Security?

ISO 27001 Implementation: How to Make It Easier Using ISO 9001

BS 25999-2

BS 25999-2 Foundations Part 1: Business Impact Analysis

BS 25999-2 Foundations Part 2: Business Continuity Strategy

BS 25999-2 Foundations Part 3: Business Continuity Planning

BS 25999-2: An Overview of BCM Implementation Process

ISO 27001 and BS 25999-2

ISO 27001/BS 25999-2: The Certification Process

How to Become ISO 27001 / BS 25999-2 Consultant

ISO 27001 & BS 25999-2: Why is It Better to Implement Them Together?

Internal Audit: How to Conduct it According to ISO 27001 and BS 25999-2

ISO 27001 / BS 25999-2 Management Responsibilities: What Does Management Need to Know?

How to Write Four Mandatory Procedures for ISO 27001 and BS 25999-2

ISO 27001 and BS 25999-2 Strategy

Risk Management Part 1: Risk Assessment Methodology and Risk Assessment Process

Risk Management Part 2: Risk Treatment Process, Statement of Applicability and Risk Treatment Plan

Organization of Information Security; External Parties; Raising Awareness, Training and HR Management

Asset Management and Classification


Possibly Related Articles:
Enterprise Security
Policy Management Disaster Recovery Small Business Business Continuity SMB
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.