4 Keys to Business Continuity in the Face of Cyberattacks

person stopping dominoes from falling

In mid-March 2019, an unparalleled event sent shock waves through the world’s information infrastructure: Facebook went offline for 14 hours. Insert audible gasp here. It was the longest-ever outage for the social media site and a harsh reminder that any company, even a tech titan, can be brought to its knees by a cyberattack.

Facebook probably didn’t lose many users because of the outage, but it did manage to anger advertisers that had prepaid to appear on the platform. By some estimates, a mere 14 hours of downtime cost the company $90 million in lost revenue. Insert second gasp here.

Facebook’s woes highlight an important but overlooked fact about cybersecurity: The worst damage comes from the interruption to the business, not from mitigating the attack or paying off the hackers. The technical issues are insignificant compared with the revenue they erase. And, ultimately, surviving a cyberattack means safeguarding the bottom line, which requires a focus on business continuity above all else.


No small businesses have anywhere close to the cyber resources of Facebook, meaning that outages are likely to last longer for them. And though the damage likely won’t be in the millions, it will be a lot more consequential for businesses with less to lose.It’s important to put the consequences in context because outages are basically inevitable, whether caused by a malicious attack or an IT accident. When the inevitable occurs, business continuity is about minimizing the resources that go offline while maximizing how quickly disabled resources are restored.

As Facebook revealed, time is of the essence. Depending on the size of the business, one hour of downtime can cost between $140,000 and $540,000, which translates to roughly $5,600 per minute, on average. Every second literally adds up, which is why all small and midsize companies need to make business continuity a top priority.


Business continuity starts with careful, comprehensive planning. Every business is different, however, so the details of every plan will be, too. Regardless, every business should follow these steps when formulating their approach:

  1. Locate all company data:  Losing information, from basic records to sensitive company particulars, can bring operations to a halt, even if the data is gone only temporarily. Start planning by identifying where all the company’s data lives and then ranking it in order of importance. Back up as much as possible, beginning with anything deemed mission-critical.
  2. Consider hypothetical scenarios:  Partial outages — to specific files or applications like email — are more likely than a full-system outage. Consider what kinds of threats face each aspect of IT and what the consequences of losing specific resources would be. Effective business continuity depends on planning for every possible scenario.
  3. Detail the response strategy:  Companies need to respond to outages quickly and systematically in order to minimize the amount of downtime. Create a detailed plan outlining who will play what roles in the wake of a cyberattack, what resources they will use, and exactly how they will respond. The plan should also address the post-outage period. Decide what the company will do to analyze the outage and prevent a repeat.
  4. Review and revise:  Businesses are always changing, and business continuity plans must adapt in kind. Once the plan is complete, run it though some test scenarios to work out any kinks. Then commit to regularly reviewing and revising the plan so that it reflects any changes to your data, IT infrastructure, regulatory requirements, or business strategy.

Bolstering business continuity often requires implementing new technologies. When selecting what to use, don’t mistake basic data backup solutions for a perfect guarantee of business continuity. Meanwhile, don’t assume that solutions not specifically marketed as data backups can’t help preserve access to critical data.

Solutions from Zix and AppRiver are great examples. As part of our comprehensive email protection platform, we help companies preserve access to their email accounts in the midst of an attack. That means having the ability to send and receive emails when communication matters most and to retrieve up to 30 days’ worth of past emails to prevent unnecessary business interruptions. Data backup is part of the platform, but the real purpose is business continuity.

This is just one example of how we help small and midsize enterprises become resilient to the worst cyber threats. Round out your business continuity plan by contacting our team.