Business continuity is best thought of
as the test of how your business would cope when things go wrong.
It is as important for small to medium sized enterprises (SMEs) as it is for multinationals.
Bob Tarzey, service director with a focus on SMEs at
analyst firm Quocirca, says that SMEs that overlook business
continuity planning do so at their peril.
"The people and the IT are often the most important assets of
the business. The risk of business failure is high for SMEs because
many have one or a few locations, which house all the IT.
"And if you are lucky enough to have your IT in another facility
that remains unaffected by some kind of failure, you have to make
sure you can access it or ensure it can provide some failover,"
says Tarzey.
Tarzey quantified the scale of the risk inherent in a
growing reliance on technology, citing research carried out by
Quocirca in July this year that found that more than half of SME
workers are PC users and over three quarters of SMEs operate more
than one server.
The majority of SMEs also operate from more than one location,
meaning their IT infrastructure is distributed geographically,
representing a dependence on IT for everyday business tasks and
further issues for IT management.
Yet with such a heavy reliance on IT, only just over 25% of the
602 Quocirca research respondents were either satisfied or very
satisfied with the management of their IT systems.
Tarzey says this is often because many do not have the time or
resources to justify employing a full-time IT administrator.
"Most SME workers are not IT experts and organisations see
productivity impacted if their employees spend too much time
tinkering with IT management," he says.
All this does not bode well for the average SME's ability to
assess its own business continuity needs, much less the likelihood
of its having the knowledge and skills to act on them.
When an SME wants to prepare for the worst, Graham Titterington,
principal IT security and business continuity analyst at analyst
Ovum, advises thinking about how the business would cope without
IT.
"No one knows their own business better than SMEs, as they often
rely on limited resources. So they are in the best position to know
how their business would cope with no IT systems for a morning, a
day, or a week.
"Only they can know if their customers would be affected, go
elsewhere, or even come back if their ability to do business with
them was taken away," he says.
Titterington says that assessing the financial impact of such an
outage is also important to estimate the amount of investment
needed to mitigate the risk of losing communication links, stored
data and operational systems.
"Go through a 'what if' scenario. You might find a few minutes
without the internet may not make much of a difference. It depends
on what business you are in.
"An online retailer would be in a different position to one not
so reliant on the internet as its main means of doing business, for
instance. And you may often find that the customer-facing systems
can be prioritised over the back-office ones.
"But then you may find going without the ability to carry out
back-office functions not so easy to cope with after a week as
well," he says.
Assessing the reliance on technology and the potential risk
posed by its failure is the first step to quantifying its potential
impact on the business, and understanding what data and
communication links and systems most need protecting.
Regulatory compliance, often seen as a burden, can here be
turned to an advantage when planning which IT systems to
protect.
Titterington told Computer Weekly that the areas of legislation
most likely to shape SME continuity planning were the Data
Protection and Freedom of Information Acts.
"Data storage should always come first," he says. And whether it
is tape or online, offsite data storage emerges as the key to
unlocking the value of protecting the systems they rely on.
Fabio Torlini, marketing manager for hosting services company
Rackspace, says that more and more SMEs are looking to outsource
data storage and datacentre capacity for both compliance and
business continuity reasons.
"These SMEs know it is better for them to go with a managed
hosting provider like us than handle datacentre maintenance, data
storage and security in-house.
"They know they can take advantage of economies of scale and
technical expertise," he says.
And, just like
Rackspace, a growing number of SME-focused IT suppliers are
offering hosted or software-as-a-service delivery models that claim
to eliminate compliance pressures, boost productivity by reducing
the IT and security maintenance burden and, most importantly,
assure business continuity plans.
One industry where data storage, communications, security and
access intersect heavily with compliance is legal and financial
services.
Peter Bauer, chief executive of Mimecast, has made a virtue out
of the business continuity plans and IT management headaches so
keenly felt by these firms and others, by taking e-mail out of
their hands.
"We recognised early on that e-mail was becoming a killer
application. You have to have your firewalls, anti-virus and
anti-spam in place and often even SMEs can have four to five
different categories of e-mail systems and archiving.
"We do all of this in one product and deliver it as a service
over the internet. The customer retains full control over the data,
as though they were running the systems themselves," he says.
Mimecast charges £20 per user per month for its entry level
product, while upgrading to a 10-year archive agreement can cost
about £50, Bauer says.
Regardless of whether it is the data or mission-critical
systems, the thing that all these providers have in common is
outsourcing. Outsourcing is a key consideration for all small
businesses reviewing business continuity plans.
The customers of managed IT and communications provider ADS
Portal use their desktop hosting service to ensure business
continuity and alleviate risks associated with managing strategy
and implementation in-house.
Gary Collins, ADS Portal technical director, says that
outsourcing IT, particularly for the SME customer, could provide
multi-layer security, negating risks of virus and hacker
attacks.
"Recently, the flood crisis across many parts of the UK resulted
in companies having to close their businesses," he says.
An affected ADS Portal customer was able to carry on with their
business because all their data and applications are stored
centrally, allowing staff to securely log on via the internet and
continue working as normal.
But one key element all these offerings rely on is connectivity.
UK-based Avanti Communications recently introduced a service that
provides a backup satellite relay in the event of the loss or
disruption of a terrestrial broadband link.
Matthew O'Connor, Avanti managing director, says what makes
managers really understand the inadequacy of their business
continuity strategy is when "they realise their Blackberries will
not work, because the servers sit on the wrong side of the
firewall".
He added that the backup satellite service provided by Avanti
does not require the re-propagation of IP addresses as a result of
patent-pending technology and that it costs £50 per month to "rent"
the satellite provision and £90 per month in the event that you use
it.
Quocirca's Tarzey says that third-party business continuity help
and technology is plentiful for SMEs. His research showed that
overall, about 20% of SMEs already outsource IT management to some
extent.
"From consultants to suppliers and hosted providers, there is
plenty of help out there," he says.
In addition, trade organisations such as the Confederation of
Business Industry, Institute of Directors and the government's
practical, online guide for businesses can all help with business
continuity advice.
Ovum's Titterington was pragmatic in his view of how much of the
responsibility for business continuity any new technology or
service could allow the business to delegate.
"Deal with real-world threats and priorities in that order.
Burglary, fire and flood first, then look at your policies for
recovery, people and physical assets, followed by your information
systems. It is all practical, common sense really," he says.