A ransomware attack hits your organisation at 7am on a Tuesday. Your file server is encrypted, your email is down, and your customer-facing systems are offline. Your staff are arriving at the office to find they cannot access any of the tools they use to do their jobs. Orders cannot be processed. Customer queries cannot be answered. Your accountant cannot access payroll. How long can your business survive in this state before the financial and reputational damage becomes irreversible?

TL;DR — Key Takeaways

  • Learn how to build a business continuity plan that keeps your organisation running during ransomware attacks, data breaches, and other cyber incidents
  • Understand the difference between a BCP and an incident response plan, and why the two must run in parallel
  • Carry out a business impact analysis (BIA) for cyber events to set recovery time and recovery point objectives

Visual Overview

flowchart TD
    A["Risk Assessment"] --> B["Business Impact Analysis"]
    B --> C["Recovery Strategies"]
    C --> D["Document BCP"]
    D --> E["Train Staff"]
    E --> F["Test & Exercise"]
    F --> G["Update Annually"]

For most small businesses, the honest answer is: not long. Yet the majority operate without a documented business continuity plan (BCP) for cyber incidents. This is not because owners underestimate the risk — most understand that a cyberattack could seriously harm their business. It is because building a BCP feels like a large, complex undertaking that gets perpetually deferred. This guide aims to change that perception by breaking the process into practical, proportionate steps that any small business can complete.

BCP vs Incident Response: Understanding the Difference

A business continuity plan and an incident response plan are related but distinct documents, and confusing the two leads to gaps in both. An incident response plan focuses on the technical and forensic aspects of handling a security incident: containing the threat, eradicating malware, preserving evidence, and restoring systems. It answers the question: how do we fix the security problem?

A business continuity plan focuses on keeping the organisation operational while the incident is being resolved. It answers the question: how do we keep serving customers and generating revenue while our systems are compromised or unavailable? The BCP does not replace the incident response plan — it operates in parallel with it. While your IT team or managed service provider is working to restore systems, your BCP ensures the rest of the business does not grind to a halt.

Business Impact Analysis for Cyber Events

The foundation of any useful BCP is a business impact analysis (BIA) — a structured assessment of what would happen to your business if specific systems or capabilities were unavailable for varying periods of time. For a cyber-focused BCP, you need to understand the impact of losing access to each of your critical systems.

Work through your key business functions and ask: if this system were completely unavailable for one hour, one day, one week, what would be the consequence? Quantify the impact where possible — lost revenue per day, customers unable to be served, contractual penalties, regulatory obligations that would be breached. This exercise produces two critical metrics for each function:

  • Recovery Time Objective (RTO): The maximum tolerable period of downtime for this system or function — the point at which the business impact becomes unacceptable.
  • Recovery Point Objective (RPO): The maximum amount of data loss that is acceptable, expressed as time — for example, "we can tolerate losing up to four hours of transaction data, but not more."

These metrics directly inform your backup strategy and your recovery priorities. A system with an RTO of two hours requires fundamentally different preparation than one with an RTO of five days.

Identifying Critical Systems and Manual Workarounds

Once you have completed your BIA, map your critical systems — those whose unavailability would breach your RTOs — and for each one, identify whether a manual workaround is feasible during a recovery period. This is where many BCPs fall short: businesses assume that because a system is critical, there is no alternative to waiting for it to be restored. In practice, temporary manual processes can sustain most business functions for days or even weeks.

Consider a small professional services firm whose CRM system goes offline following a ransomware attack. In the short term, staff can use printed contact lists to reach clients by phone, log activity in a shared spreadsheet, and process invoices manually via bank transfer. It is slower and more labour-intensive — but it keeps the business operational and clients informed while the CRM is restored.
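To make the BIA output actionable, here is an added example (not from the original article) that checks each critical system's backup cadence against its RPO and its realistic restore time against its RTO, flags where only a documented manual workaround bridges the gap, and orders recovery by RTO. The system names, hours and the "high"/"medium" severity labels are constructed assumptions modelled loosely on the professional services firm above.

```python
from dataclasses import dataclass

@dataclass
class SystemProfile:
    """One row of the BIA: a critical system and what the business can tolerate losing."""
    name: str
    rto_hours: float              # maximum tolerable downtime
    rpo_hours: float              # maximum tolerable data loss, expressed as time
    backup_interval_hours: float  # how often a restorable backup is actually taken
    est_restore_hours: float      # realistic time to rebuild the system from backup
    manual_workaround: str = ""   # documented fallback process, empty if none exists

def assess(systems):
    """Return (system, severity, message) findings where backups or restore time miss the BIA targets."""
    findings = []
    for s in systems:
        # Backups taken less often than the RPO guarantee more data loss than tolerated.
        if s.backup_interval_hours > s.rpo_hours:
            findings.append((s.name, "high",
                f"backups every {s.backup_interval_hours}h cannot meet an RPO of {s.rpo_hours}h"))
        # A restore slower than the RTO is survivable only if a workaround bridges the gap.
        if s.est_restore_hours > s.rto_hours:
            if s.manual_workaround:
                findings.append((s.name, "medium",
                    f"restore ({s.est_restore_hours}h) exceeds RTO ({s.rto_hours}h); "
                    f"business runs on workaround: {s.manual_workaround}"))
            else:
                findings.append((s.name, "high",
                    f"restore ({s.est_restore_hours}h) exceeds RTO ({s.rto_hours}h) "
                    "and no manual workaround is documented"))
    return findings

def recovery_order(systems):
    """Restore the tightest RTO first; among equals, systems with no workaround go first."""
    return [s.name for s in sorted(systems,
            key=lambda s: (s.rto_hours, bool(s.manual_workaround), s.name))]

# Constructed sample BIA for a small professional services firm (illustrative values only).
SAMPLE_SYSTEMS = [
    SystemProfile("CRM", rto_hours=24, rpo_hours=4, backup_interval_hours=24, est_restore_hours=48,
                  manual_workaround="printed contact list and shared spreadsheet"),
    SystemProfile("Email", rto_hours=8, rpo_hours=1, backup_interval_hours=1, est_restore_hours=4),
    SystemProfile("File server", rto_hours=8, rpo_hours=4, backup_interval_hours=4, est_restore_hours=24),
    SystemProfile("Payroll", rto_hours=72, rpo_hours=24, backup_interval_hours=24, est_restore_hours=24),
]
if __name__ == "__main__":
    for system, severity, message in assess(SAMPLE_SYSTEMS):
        print(f"[{severity}] {system}: {message}")
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_SYSTEMS)))
```

On the sample data the CRM's daily backup cannot meet its four-hour RPO, and the file server's restore time exceeds its RTO with no workaround on record, which is exactly the kind of gap a tabletop exercise would otherwise have to discover.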

Document these workarounds explicitly in your BCP so they can be activated quickly under pressure, by staff who may be stressed and without access to their normal tools. The documentation itself must be accessible without the systems it describes — store printed copies of your BCP in a secure physical location, and maintain a copy in offline or out-of-band storage such as a USB drive kept off-site.

Communication During a Cyber Incident

Communication is consistently one of the most poorly managed aspects of cyber incident response for small businesses. When your email system is down and your messaging platform is compromised, how do staff communicate? How do you update customers? How do you coordinate with your IT provider, your insurer, and your legal team?

Internal Communication Tree

Your BCP should include a documented communication tree: a list of key personnel with their mobile phone numbers (not just work email addresses), their roles during an incident, and the order in which they should be contacted. This tree must be maintained on paper and kept physically accessible — not stored exclusively on the systems that may be compromised.

Designate an out-of-band communication channel for incident coordination: a WhatsApp group, a Signal channel, or a phone bridge that does not depend on your corporate infrastructure. Establish this channel before you need it, and make sure all key personnel are enrolled.

Customer and Supplier Communication

Prepare template communications in advance for notifying customers and suppliers of a service disruption. These templates should acknowledge the disruption, provide alternative contact methods (such as personal mobile numbers for key contacts), and commit to regular updates. Customers who are proactively and honestly communicated with are significantly more likely to remain loyal than those who discover the problem themselves after days of silence.

The Role of Cyber Insurance in Your BCP

Your cyber insurer should be one of the first organisations you contact following a significant incident — and your BCP should reflect this. Most cyber insurance policies include access to incident response retainer services, legal advice, forensic investigation, and crisis communications support. These resources are often faster and more experienced than anything a small business could assemble independently.

Your BCP should include your insurer's 24-hour incident reporting number and your policy reference. Understand in advance what your policy covers: business interruption losses, ransomware payments, data breach notification costs, and regulatory defence are common coverage areas, but exclusions vary significantly between policies. Understanding your coverage before an incident occurs means you can make informed decisions quickly when it matters.

Many insurers also ask to see evidence of a BCP when underwriting or renewing policies. Having a documented, tested plan can positively influence your premium and demonstrates to the insurer that your organisation approaches cyber risk with the seriousness they expect. This aligns with the broader principle that your BCP is not just an operational document — it is a demonstration of organisational maturity to insurers, customers, and regulators alike.

Testing Your Plan with Tabletop Exercises

A BCP that has never been tested is, at best, a hypothesis. Tabletop exercises — structured walkthroughs of a simulated incident scenario — are the most practical way to stress-test your plan without actually experiencing a real event.

A basic tabletop exercise for a small business might involve gathering key staff for two hours and walking through a scenario: "It is 9am on a Monday. You have just discovered that your file server has been encrypted by ransomware and the attacker is demanding payment. What do you do in the first hour? The first day? The first week?" Work through the scenario step by step, following your documented BCP and noting where the plan is unclear, incomplete, or impractical.

Exercises consistently surface gaps that no amount of desk review would catch: the emergency contacts list has outdated phone numbers; the backup system has not been tested for restore integrity; two key members of staff have overlapping responsibilities with no documented handover; the manual order processing workaround requires a printer that is in the locked server room.

Run a tabletop exercise at least annually, and whenever you make significant changes to your technology environment, staffing, or business processes.

Maintaining and Reviewing Your BCP

A BCP is not a static document. Your technology, your team, your suppliers, and the threat landscape all change over time, and your plan must keep pace. Assign a named owner for the BCP — ideally a senior manager rather than an IT specialist, since the plan covers business operations, not just technology — and schedule a formal annual review.

Common BCP mistakes made by small businesses include:

  • Treating it as a one-time exercise: Writing a BCP and filing it away without testing, reviewing, or updating it is nearly as bad as having no plan at all.
  • Storing the plan only on systems that may be compromised: If your BCP lives on the file server that gets encrypted, it is useless at the moment you need it most.
  • Focusing only on technical recovery: A plan that addresses how to restore systems but not how to serve customers in the meantime misses the business continuity objective entirely.
  • Failing to include financial recovery: Consider how you will meet payroll, pay suppliers, and manage cash flow during an extended outage. Your bank may be able to assist if contacted early.
  • Not communicating the plan to staff: A BCP only works if the people who need to execute it know it exists and understand their roles within it.

Cyber incidents are not a question of if but when. The organisations that recover quickly and with minimal lasting damage are not necessarily the ones with the most sophisticated security controls — they are the ones that planned carefully for the moment those controls were not enough. A practical, tested BCP is one of the highest-return investments a small business can make in its long-term resilience.