May 12, 2020

Last Updated on January 12, 2024

Getting a flat tire is a disaster.
Knowing where you keep the spare is disaster recovery.
Changing a tire in under 7 minutes to get right back on the road is business continuity.
On a recent episode of Virtual CISO, I got a chance to talk with Cosmo Gazzani, Director of Business Development at Continuity Centers and wekos, about the nuance between disaster recovery and business continuity.
“Disaster recovery is the process of recovering from a disaster, just like the name states,” Cosmo explained. “Business continuity means getting your business back to the way it was when it was in production.”


IT & Business Continuity

Cosmo pointed out a FEMA study that said 40% of small businesses don’t recover from an extended outage. Another 25% of those companies fail within the first year that they’re back in business because they didn’t have a business continuity plan.
“Unfortunately, the smaller businesses are a lot more vulnerable than the larger businesses,” Cosmo said. “Keeping a business going is important for survival.”
Getting back to an operational state after a disaster means having both valid backups of your data and processes that make sure your business is back up and running.
Information continuity speaks to the recovery of the IT processing capability, whereas business continuity tends to mean the recovery of the other business functions.
“Business continuity starts with something called a business impact assessment — looking at how your business can run and what the critical needs are to keep it running,” Cosmo said. 
But a business impact assessment isn’t abstract. It involves extensive testing to make sure you have the redundancy and robustness to survive an extended outage.
Business owners who think their facility is the most important part of their business are wrong. These days, it’s your data.
“Data is the heart and soul of the business, and you have to protect it,” Cosmo said. “The number one way of protecting that data is having a valid backup.”

  • Onsite backup. Back up your files locally so you can quickly restore corruptions or deletions.
  • Offsite backup. Copy your onsite backup one to three times to diversify it and protect it from vulnerabilities. Include a cloud backup, too.

“Cloud backups add more robustness to your data. It’s definitely making it much more resilient,” he said.

Do we need a Business Continuity Plan?

If you’re an SMB, how do you know if you need a business continuity plan?
It’s not employee numbers, and it’s not revenue. “Everyone should have some idea of how to recover from anything that could happen,” Cosmo said.
That means survival not just in terms of revenue but also in terms of reputation.

  • If there is an extended outage, where do I go to work? 
  • How do I recover my systems?
  • If my data goes away, how do I start from scratch? 

Hint: If you back up your data, you won’t have to answer #3.
Whether you need a plan depends on how long it would be acceptable for your business to be unable to deliver its service or product.
Different types of outages affect your business in different ways, so you should have an idea of how to counter the most likely of them:

  • Your employees are under quarantine from the coronavirus.
  • Your building is a smoking hole… or it’s underwater.
  • Your primary data store is corrupt, and restoring your backup is not instantaneous.

“All these different types of silos, you have to have a plan for each one of those,” Cosmo said.


How to develop a business continuity plan

There are three major areas where you should focus.

1 — Workplace

Can you operate from dispersed locations away from a central site? 
You may be able to have all employees work from home.
You may need to find a place where you can come in to work or provide for temporary remote work. If so, keep in mind that having a place to go where there’s going to be power and internet connectivity might be more important than finding a geographically central spot.

2 — Data & Systems

How quickly can you get the data back up? What systems and applications are critical to your survival?

3 — People & Processes

Which and how many people do you need to keep the lights on?
You might be able to run with a tiger team of 10 or 15, or you might need over a hundred. To plan for different scenarios, you have to be able to get in touch with the critical people at the right time.
Which business functions (and related applications) need to be recovered most quickly: Sales (CRM), Payroll (ADP), IT (email), Marketing (website)?
It’s about preparedness in the right quarters. In other words, don’t be like Edward John Smith, Captain of the Titanic. “Not having a workplace recovery is like not having enough lifeboats. That’s not a good execution of a plan,” Cosmo said.
Cosmo pointed out that business continuity is about resilience. “When you think DR and business continuity and even your production side, it’s all about being resilient.”
Get in touch with Cosmo by email at [email protected] or at the Continuity Centers website

This post is based on a Virtual CISO podcast with Cosmo Gazzani and was recorded prior to the COVID-19 pandemic. To hear this episode, and many more like it, you can subscribe to Virtual CISO here.
If you don’t use Apple Podcasts, you can find all our episodes here.