August 28, 2018

Last Updated on January 19, 2024

Quick disclaimer: We really care about our clients’ security. Because of this, my blood has been known to boil when we hear “excuses” or rationalizations as reasons for making poor information security decisions.
When it comes to Business Continuity and Disaster Recovery, here are the top justifications we hear for not implementing an appropriate BC/DR Plan, and the reasons why these views are usually shortsighted and can harm an organization’s cybersecurity posture:

“We do backups once per day, so we are good.”

This often means that the client rarely or never validates the frequency of their backups to ensure that potential data loss doesn’t exceed the acceptable amount. It also means the client doesn’t know what the potential data loss may be, and has no approved limit on how much data they can afford to lose before the loss and the reconstruction effort become unacceptable.
For example: if your business makes 100 financial transactions per hour and backups are conducted once per day, a system that goes down 1 hour before the next backup loses 23 hours of data, which equates to 2,300 transactions. What would losing that data cost in terms of lost revenue, lost time, lost customers and lost reputation? Would that level of loss be acceptable? Many organizations would be severely impacted by losing one day’s worth of key data, yet they are not prepared to recover it in the event it is lost.

“Our systems and data are in the cloud, why do we need a recovery plan?”

Utilizing the cloud can be a great way to reduce IT costs and to manage and back up data; no argument there. But cloud services are not a silver bullet for Business Continuity. BC/DR is about recovering business functions as well as infrastructure, systems and data. For instance, you may use an online application to process time cards and payroll data, but the HR functions would still be in jeopardy should a disaster hit.
The cloud is a great tool for IT and data management that you can factor into your BC/DR plans. But it does not give you a free pass to get out of BC/DR planning.

“If we can’t access our facility, everyone can just work from home.”

If I had a nickel… Telecommuting is a viable strategy that can and should be part of your BC/DR recovery strategy, but it is not your total BC/DR plan. How long can you go without access to your facility, and to any records or files that you don’t have with you because you couldn’t get into your office before the disaster struck? Who needs to be involved to get the facility back up and running?
A good BC/DR plan will include recovery strategies, like telecommuting, that will describe the optimal way for your business to recover from a disaster. But relying on one individual strategic element as your whole BC/DR plan can leave you wide open to major issues.

“I have our recovery procedures in my head.”

This comment makes the “single point of failure” siren go off in my brain. If your business is small enough, it’s possible one person (or maybe two) knows everything that needs to be done in a disaster. But what if they are not available? Their unavailability could result from any number of events, such as a pandemic or even just a vacation trip.
Disasters never come at a convenient time (as if there is a good time to lose business functionality). Betting the continuity of your organization and its continued viability in the marketplace on one or two people being available to coordinate everything is a scary plan.

“Why do I need a BCP? We’re not in a flood plain, or on an earthquake fault line.”

To be honest, this rationalization, although frustrating… I get it. If you live in a place that experiences infrequent natural disasters and have been running a business for 20 years with no continuity problems, why should you care about investing in and maintaining a BCP?
This view ignores what Business Continuity experts have been trying to get across for years. It’s not the “what happened” that matters—it’s the “what can’t I do and for how long” that matters. 
In the end, if an earthquake knocks down your entire building or an employee accidentally sets it on fire with the lunchroom toaster oven, the result is the same: no building. Your BCP will not focus on a list of potential disasters. Instead, it will tell you what to do to recover when you lose something that’s important to the survival of your business.

In a business continuity sense, any disaster has only five real impacts, which may occur either singly or in concert:

  1. Loss of computing 
  2. Loss of telecommunications 
  3. Denial of physical access to the facility 
  4. Loss of key people 
  5. Vendor disruption 

Having a plan that addresses these impacts and explains what everyone needs to do when they occur can make the difference between a disaster ending up as a funny story you tell your kids, and a catastrophic event that forces you to shut down the company.
Pivot Point Security can help you plug the gaps and put the pieces together to make you successful and create the ideal Business Continuity Plan for your organization. Contact us to start moving forward. 
