From the Blogs: Business continuity for SMEs
Business continuity is best thought of as the test of how your business would cope when things go wrong. It is as important for small to medium sized enterprises (SMEs) as it is for multinationals.
Bob Tarzey, service director with a focus on SMEs at analyst firm Quocirca, says that SMEs that overlook business continuity planning do so at their peril.
“The people and the IT are often the most important assets of the business. The risk of business failure is high for SMEs because many have one or a few locations, which house all the IT.
“And if you are lucky enough to have your IT in another facility that remains unaffected by some kind of failure, you have to make sure you can access it or ensure it can provide some failover,” says Tarzey.
Tarzey quantified the scale of the risk inherent in a growing reliance on technology, citing research carried out by Quocirca in July this year that found that more than half of SME workers are PC users and over three quarters of SMEs operate more than one server.
The majority of SMEs also operate from more than one location, meaning their IT infrastructure is distributed geographically, representing a dependence on IT for everyday business tasks and further issues for IT management.
Yet with such a heavy reliance on IT, only just over 25% of the 602 Quocirca research respondents were either satisfied or very satisfied with the management of their IT systems.
Tarzey says this is often because many do not have the time or resources to justify employing a full-time IT administrator.
“Most SME workers are not IT experts and organisations see productivity impacted if their employees spend too much time tinkering with IT management,” he says.
All this does not bode well for the average SME’s ability to assess its own business continuity needs, much less the likelihood of its having the knowledge and skills to act on them.
When an SME wants to prepare for the worst Graham Titterington, principal IT security and business continuity analyst at analyst Ovum, advises thinking about how the business would cope without IT.
“No one knows their own business better than SMEs, as they often rely on limited resources. So they are in the best position to know how their business would cope with no IT systems for a morning, a day, or a week.
“Only they can know if their customers would be affected, go elsewhere, or even come back if their ability to do business with them was taken away,” he says.
Titterington says that assessing the financial impact of such an outage is also important to estimate the amount of investment needed to mitigate the risk of losing communication links, stored data and operational systems.
“Go through a ‘what if’ scenario. You might find a few minutes without the internet may not make much of a difference. It depends on what business you are in.
“An online retailer would be in a different position to one not so reliant on the internet as its main means of doing business, for instance. And you may often find that the customer-facing systems can be prioritised over the back-office ones.
“But then you may find going without the ability to carry out back-office functions not so easy to cope with after a week as well,” he says.
Assessing the reliance on technology and the potential risk posed by its failure is the first step to quantifying its potential impact on the business, and understanding what data and communication links and systems most need protecting.
Regulatory compliance, often seen as a burden, can here be turned to an advantage when planning which IT systems to protect.
Titterington told Computer Weekly that the areas of legislation most likely to shape SME continuity planning were the Data Protection and Freedom of Information Acts.
“Data storage should always come first,” he says. And whether it is tape or online, offsite data storage emerges as the key to unlocking the value of protecting the systems they rely on.
Fabio Torlini, marketing manager for hosting services company Rackspace, says that more and more SMEs are looking to outsource data storage and datacentre capacity for both compliance and business continuity reasons.
“These SMEs know it is better for them to go with a managed hosting provider like us than handle datacentre maintenance, data storage and security in-house.
“They know they can take advantage of economies of scale and technical expertise,” he says.
And, just like Rackspace, a growing number of SME-focused IT suppliers are offering hosted or software-as-a-service delivery models that claim to eliminate compliance pressures, boost productivity by reducing the IT and security maintenance burden and, most importantly, assure business continuity plans.
One industry where data storage, communications, security and access intersects heavily with compliance is in legal and financial services.
Peter Bauer, chief executive of Mimecast, has made a virtue out of the business continuity plans and IT management headaches so keenly felt by these firms and others, by taking e-mail out of their hands.
“We recognised early on that e-mail was becoming a killer application. You have to have your firewalls, anti-virus and anti-spam in place and often even SMEs can have four to five different categories of e-mail systems and archiving.
“We do all of this in one product and deliver it as a service over the internet. The customer retains full control over the data, as though they were running the systems themselves,” he says.
Mimecast charges £20 per user per month for its entry level product, while upgrading to a 10-year archive agreement can cost about £50, Bauer says.
Regardless of whether it is the data or mission-critical systems, the thing that all these providers have in common is outsourcing. Outsourcing is a key consideration for all small businesses reviewing business continuity plans.
The customers of managed IT and communications provider ADS Portal use their desktop hosting service to ensure business continuity and alleviate risks associated with managing strategy and implementation in-house.
Gary Collins, ADS portal technical director, says that outsourcing IT, particularly for the SME customer, could provide multi-layer security, negating risks of virus and hacker attacks.
“Recently, the flood crisis across many parts of the UK resulted in companies having to close their businesses,” he says.
An affected ADS Portal customer was able to carry on with their business because all their data and applications are stored centrally, allowing staff to securely log on via the internet and continue working as normal.
But one key element all these offerings rely on is connectivity. UK-based Avanti Communications recently introduced a service that provides a backup satellite relay in the event of the loss or disruption of a terrestrial broadband link.
Matthew O’Connor, Avanti managing director, says what makes managers really understand the inadequacy of their business continuity strategy is when “they realise their Blackberries will not work, because the servers sit on the wrong side of the firewall”.
He added that the backup satellite service provided by Avanti does not require the re-propagation of IP addresses as a result of patent-pending technology and that it costs £50 per month to “rent” the satellite provision and £90 per month in the event that you use it.
Quocirca’s Tarzey says that third-party business continuity help and technology is plentiful for SMEs. His research showed that overall, about 20% of SMEs already outsource IT management to some extent.
“From consultants to suppliers and hosted providers, there is plenty of help out there,” he says.
In addition, trade organisations such as the Confederation of Business Industry, Institute of Directors and the government’s practical, online guide for businesses can all help with business continuity advice.
Ovum’s Titterington was pragmatic in his view of how much of the responsibility for business continuity any new technology or service could allow the business to delegate.
“Deal with real-world threats and priorities in that order. Burglary, fire and flood first, then look at your policies for recovery, people and physical assets, followed by your information systems. It is all practical, common sense really,” he says.