Business continuity for small businesses – necessity or not?

Does it make sense to implement business continuity in smaller companies? Why would they need something as costly as this if the owner of the business has all the necessary information in his/her head?

Let me start with a story I heard recently – a small company (involved in the sales of various equipment to a large customer base) has been robbed – the thief broke into their office during the night and stole all the computers together with other valuable stuff. The problem is – the owner of this company backed up the data, but saved that backup on another computer in the same office. Very soon the company went bankrupt – they simply weren’t able to recover key information about their business.

This is a classic example of the syndrome “It is not going to happen to me” that the majority of small companies have.

Business continuity framework

Does this mean that small businesses need to invest in costly disaster recovery locations with high-availability equipment? Certainly not.

In some cases business continuity is really not needed because the owner of the business does have all the information in his/her head, but such cases are very rare – how many of those don’t have a laptop with various kinds of important information? Just thinking about how to make this information available in case of a disaster is already part of a business continuity effort.

Owners of small businesses need to think carefully about which information (and other resources) are important for their business, how to ensure that such information and other resources are available in case of a disaster, and which steps are needed to recover business activities in case a disaster occurs. These steps are nothing else but performing business impact analysis, business continuity strategy, and business continuity plans, like any larger company would do when implementing business continuity. All these are described in a leading business continuity standard – BS 25999-2.

How to prepare

Now the difference between small and the large businesses is in the complexity and the price of the preparations small companies need to do for business continuity:

  • Backup of electronic data – small businesses can use some of the tools that backup the data from their computers almost instantly to the cloud. Of course, due care has to be taken that all the necessary data is included.
  • Backup of paper-based documents – small businesses are now in a position to eliminate paper-based documents almost completely from their daily operations and transfer everything to electronic form; for rare cases where paper-based documents must exist, they can be scanned for the purposes of business continuity.
  • Alternative office locations – in most cases it will be enough that employees continue business operations from their homes – the prerequisite would be that they have an Internet connection, laptops/PCs and passwords. If working from home is not appropriate, a hotel room can always be rented in less than an hour.
  • Hardware – unless there is a special kind of computer used for a business, it is very easy to find an alternative – usually there is a private computer at home, or one can be borrowed from a relative; or one can be purchased at the computer shop next door.
  • Workforce – now, this is probably the most difficult one – let’s suppose that an employee is not available, and he is the only one who knows certain information (e.g. administrative passwords, steps that need to be taken in an important project, etc.) – for such cases, the preparation would be to document all this information, so that it can be used without that employee being present. The other case would be if an employee is missing and no one else would have the time or the skills to do her job – in such case the preparation would be to identify upfront who would be available for hiring on a short notice to fulfill the missing employee’s job; of course, the key here is to identify someone with the right skills/qualifications.

To conclude: there is no difference between large organizations and small with regard to business continuity framework – they both have to think in detail what preparations they need to perform in order to survive a disaster. The difference is in the level of preparations – smaller businesses can make it with very little investment.

This free webinar will also help you: Writing a business continuity plan according to ISO 22301.

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.