BPG BPG Beratungs- und Prüfungsgesellschaft mbH

IT emergencies and countermeasures


Regular fire drills, detailed instructions on occupational safety - most companies are well prepared, should any emergency situations occur. But what would be the impact of a prolonged power outage, a hacker attack or a ransomware attack? Few companies are aware that IT emergencies can also have significant effects on their daily operations. 

Whether it's a service provider, manufacturing company or public administration, hardly any organization can manage without IT. Communication via e-mail, working withcompany-critical data and even supporting processes such as financial accounting or human resources would be immediately affected. Few companies have thought about how to protect business-critical processes against IT emergencies. Fortunately, countermeasures can be implemented right now.

First, a business impact analysis (BIA) should be carried out to clarify which business processes are dependent on IT and what would happen if IT is partly or completely down in case of an emergency. The goal of a BIA is to gather information in order to prioritize processes and resources so that the most important goals and tasks can be fulfilled even in emergencies. 

The result of a BIA is a list of processes including documentation. This list should be examined in detail in a risk analysis.  The analysis should not only focus on natural disasters or hacker attacks. Internal risks, such as employee errors, should not be underestimated either. For each risk instance, the probability of occurrence as well as the impact or potential damage must be determined to allow further prioritization.

Both analyses enable companies to precisely allocate their available resources, such as human and financial resources. Risks that would have a major impact but occur infrequently (e.g., earthquakes) can be dealt with as a secondary priority. On the other hand, damage that is supposedly minor but is much more likely to occur (e.g., data loss due to a lost USB stick) should be handled with high priority.

Measures include the creation of an emergency plan that defines responsibilities and actions to be taken in the event of an emergency. But companies should also be proactive, for example by checking and expanding data backups or procuring additional security software.

For the targeted prevention of IT emergencies, an analysis of the existing processes should be carried out in any case, so that the available resources can then be deployed in a targeted manner. We are happy to help you document and analyse your business processes, conduct business impact and risk analyses, and develop and implement suitable measures.