January 20, 2016
Getting Small Businesses to Think About the Unthinkable
For our latest blog series, Donna Childs will be sharing her knowledge with the Datto community. Childs is a disaster recovery expert and founder of Prisere LLC, and has advised Fortune 500 companies in risk management and operational continuity strategies. She will also co-host a Datto webinar on February 4. Register now for the Five Keys To Creating a Disaster Recovery Plan For SMBs.
Trusted advisors to small businesses, such as managed service providers (MSPs), know the importance of enabling robust business continuity plans. As tech-savvy professionals, we are familiar with the depressing numbers:
- Over 75 percent of small businesses experience some level of data loss
- 80 percent of data interruptions can close a business for at least a day
Yet surveys of small business conducted by local chapters of the American Red Cross consistently find that two-thirds or more of small businesses fail to implement even basic continuity measures.
Why is it so hard to convince small businesses to protect their businesses, starting with basic data protection?
The answer, in my experience, is that most small business owners have a distorted assessment of risk. They believe that disasters will not strike them. In most cases they are right: extreme events, such as earthquakes, hurricanes and the like, are, by definition, high-severity/low-probability events. It hardly makes sense for a small business owner to divert his or her limited time and financial resources to address a low-probability threat when there are immediate needs, such as making payroll, that must be met.
The manner in which disasters are reported contributes to this distorted risk perception and false sense of security. The television news will broadcast vivid images of extreme weather, but since a computer virus decimating a hard drive is not visually interesting, it will not receive the same attention although, for the small business, it represents the greater threat.
That’s why enabling small-business resilience begins with reframing our perception of risk. In my book Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses, I present a framework for risk analysis along a continuum of threats. At one extreme, we have the high-frequency/low-severity risks. These are the “everyday disasters”, such as human error, computer crashes and the like. At the other extreme, we have the high-severity/low-frequency disasters, such as earthquakes, hurricanes and other major hazards.
Conventional wisdom suggests that we should prepare for the extreme event, the worst-case scenario, and that subsumes preparedness for all lesser threats. That view generally holds true, but it should never form the basis of continuity planning for small businesses. Focusing on the catastrophic risks tends to induce complacency, as most business owners recognize that, by definition, they won’t likely experience an earthquake that measures 9.0 on the Richter scale. It also induces fear and paralysis, as small businesses cannot reasonably take all measures to protect themselves against terrorism and other threats.
A better approach is to begin by preparing for the high-frequency risks, the “everyday disasters”. This approach offers an immediate benefit against a more imminent risk at a more reasonable cost. And it gradually builds resilience against the more serious threats. The data backup the small business needs to recover a file mistakenly deleted by human error (the most common form of disaster) will be critical to the recovery from a more serious hazard.
So let’s begin to enable small business resilience by changing our risk framework. This approach will allow us to better serve small businesses. In the next blog post in this series, I will discuss how to take this new risk framework and translate it into a more compelling business case for continuity planning.