A disaster recovery guide for SMEs

How can your business prepare for unforeseen disasters?

A crisis or incident can damage the reputation of your business. It’s important to have effective incident management practices in place to reduce the damage.

Many organisations don’t have a strategy when it comes to trying to deal with crises or events which will damage the reputation of their business. Incidents involving people or data leaks are the stuff of nightmares for business owners so what can you do to ensure that you are doing the best to protect your business?

1. Why is a policy necessary?

The range of significant incidents (or exceptional events) that a business encounters reflects the scale and diversity of its activities. These may include activities relating to:

•    Duress, extortion and robbery
•    Fires, floods and events of nature like snow storms
•    IT and payments systems incidents

Such incidents are managed by senior teams, escalated to the level appropriate to the severity of the event, and involving experts with the technical background most relevant to the particular situation.

This policy is necessary to ensure that communication with customers and other stakeholders is timely and consistent, to maintain the reputation of your business.  

2. Incident management priorities

An incident may have different characteristics and could include scenarios such as financial crime and IT outage.  In managing any such event, a business’s priorities are to ensure:

1)    Safety and wellbeing of all persons involved, be they staff, customers or members of the public;

2)    Continuity of service to customers (including an invocation of business continuity measures where appropriate); 

3)    The ongoing confidence of clients and other stakeholders and in the industry as a whole.

These priorities are to be considered and managed by those leading the management response, whether the impact is local or widespread and whether the timeframe for decisions is immediate or extended. The requirement for compliance with regulatory obligations relating to industry, health & safety and other matters will be met throughout, with consideration to overall security factors having regard to the preceding.

3. Communication within the business

Regarding communication, a business should aim to:

1)    Provide timely communications and support for affected customers;

2)    Communicate based on what they know – no speculation, no promises that may be unrealistic;

3)    Understand and monitor customers’ and other stakeholders’ expectations; and,

4)    Ensure consistency in messages for customers and other stakeholders, whatever the channel of communication.

4. Communication decisions during incidents 

At each critical decision point, in any event, management will make a decision on the communications strategy to be followed and messages to be delivered. 

In adherence to the communications principles above, the communications person/people in the business should make recommendations about. Key messages to be delivered, include:

• The incident itself, what occurred, and the facts relating to resolution as they are available;
• The impact on services and the alternatives available to customers affected; and,
• Updates for customers and other stakeholders as the incident progresses/concludes.
•    Appropriate channels for communication (including websites, social media channels, branch network, call centres, customer interfacing businesses, national and local media and any other suitable channels); and,
•    Queries and issues being raised by stakeholders, or likely to be increased, and the appropriate response.

5. Example – data breach

Move appropriately to secure your systems and fix vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. Take the necessary steps, so it doesn’t happen again.

Mobilise your breach response team right away to prevent additional data loss. The exact steps depend on the nature of the violation and the structure of your business.

•    Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
•    Consult with a legal team. Talk to your legal representatives. Then, you may consider hiring a lawyer with privacy and data security expertise. They can advise you on laws that may be implicated by a breach.
•    Your website: If the data breach involved personal information improperly posted on your site, immediately remove it. 

Having an efficient and understood incident management plan in place can help mitigate in the event of a crisis. It’s never too late to develop and communicate a plan for your business.