Strengthening the weakest link: Business Continuity Management for SMEs
Essen, 5 October 2010
Dr. L. Marinos, ENISA
SME working assumptions
• SMEs are generated out of entrepreneurship and have a low level of resources for “non-productive” investments
• Most SMEs (esp. owners) have a low level of BC knowledge
• SMEs are not in a position to fully develop a BCP
• Even where there is some IT knowledge, availability is usually not part of it
• SMEs tend to use standard components (software and hardware)
What is Business Continuity?
• Business Continuity is the ability to continue the business in an (for the customer) acceptable.
• For SMEs it needs to be:
  • Low cost
  • Simple
  • Practical
  • Affordable in the long term
Business Continuity (Full version)
[Process diagram; labels as extracted:] Interface to other operational and product processes Conduct Business Impact Analysis Adapted Risk Management Activities Define BCM Framework Initiate BCM Programme Design BCM Approach Assess Risks and Impacts Determine Recov. Options Analyze Results Agree Recovery Strategy Prioritize Recovery Define Critical Resource Requirements Design BCP Identify the Organisation Business Recovery Plan Test BCP Determine Type of Test Write Test Plan Conduct Test Recurrence Short term Recovery Support Plan Communications and Media Plan IT Service Continuity Plan Deliver Debrief/Test Report Business Resumption Plan Long term Middle term Incident Response Plan Incident Management Plan Assign BCM and Incident Responsibilities Define BCM Policy Deliver BCP Sustain BCM Programme Train Staff Maintain and Review BCP Develop Awareness
Problems with BC (... as other sec issues)
• Too complicated
• Not business oriented
• Too focused on technical assets
• Too much concentration on threats
• Too reliant on estimates of “probability”
• Threat and vulnerability assessments too technical
• Unrealistic targets
• No clear action plan
• TOO SLOW!
Source: Jeremy Ward
Business Continuity “Light”
• Low expertise in the area of BC
• Simply structured
• Balance between simplicity and effectiveness
• Understandable relations between used terminology
• Good basis for knowledge transfer
ENISA-Approach
http://www.enisa.europa.eu/act/rm/risk-management-for-smes-and-micro-enterprises
In Conclusion
• We see tendencies for simpler approaches
• Become business oriented (no technical, threat, etc.)
• Promote through professional associations
• Develop corresponding certification schemes
• Promote generation of a relevant “market”
Thank you for your attention
louis.marinos@enisa.europa.eu
ENISA Risk Management Web Pages: www.enisa.europa.eu/rmra