Business continuity myth busting – the top 5 misconceptions debunked

20/05/25 Wavenet
Business continuity myth busting – the top 5 misconceptions debunked placeholder thumbnail

For longevity and success, organisations need to be resilient and prepared for anything, to respond quickly if an interruption occurs. Yet, many businesses fall prey to common misconceptions surrounding business continuity that can jeopardise their success. Our team of industry-leading business continuity specialists has identified and addressed the top five myths that are misleading and potentially harmful to your organisation’s readiness for unforeseen challenges.

By understanding and avoiding these misconceptions, you can strengthen your business continuity strategies and ensure your organisation remains strong and agile in the face of adversity.

Discover the top fallacies – with clarification and expert insight - surrounding business continuity, to ensure your business is protected from the pitfalls of these pervasive myths.

Myth one: “Your data is safe in the public cloud” / “Your cloud provider is responsible for business continuity”

It isn’t, and they’re not! In short, cloud providers are subject to the same disruptions as any other organisation, and it’s important to know that outsourcing your infrastructure or services to a public cloud provider does not outsource the risk – you’re still responsible for your data!

On-premises risk

Cloud risk

Flood/fire/environmental at your site

Flood/fire/environmental where your data is stored

Data held and accessed via a LAN

Maintaining connectivity to data in the cloud and ensuring its resilience in the cloud

 

Loss of control of the location and sovereignty of your data

 

Misconfigurations/changes can be difficult to find and track. Could you rebuild in another cloud with all the networking configured?

Email data stored in Microsoft Exchange – a large proportion of infiltration comes via this route

Email data in Microsoft 365 (still needs to be backed up) – a large proportion of infiltration comes via this route

Over-reliance on IT resilience, leading to a lack of planning for recovery from serious incidents requiring data and IT system recovery from backups

Lack of visibility of supplier’s level of reliance on IT resilience (and level of recovery arrangements) Careful project planning required in preparation to failback/recover from backups, in the event of a major incident during the migration to the cloud

Not having up to date and tested plans to recover from IT disasters and major business incidents

Not having up-to-date and tested plans to recover from IT disasters and major business incidents

Make sure SLAs are appropriate and applicable in the event of downtime considering both traditional disasters as well as cyber incidents which require additional remediation

 

 

Public cloud platform SLAs can be difficult to interpret in the event of downtime How will I maintain control of my IT spend when I move to the cloud? Can services be impacted if this gets out of control?

Understanding how to make changes to the service provision and the implications to the business

Understanding how to get your data out of the public cloud and how much it will cost. Egress charges can be difficult to interpret – and will it run anywhere else?

Myth two: “Microsoft backs up your data in Microsoft 365.”

It doesn’t. While Microsoft 365 provides robust services for business, a comprehensive backup for your data is not one of them. As a software-as-a-service offering it is NOT Microsoft’s responsibility to protect your Microsoft 365 data. In fact, Microsoft itself recommends that users regularly back up content and data using third-party services.

Without third-party backup, sensitive business data such as emails or shared files stored in Microsoft 365 are not protected from the most common or most serious data loss issues.

When looking at infiltration into company systems, email can be one of the most accessible to bad actors and it’s not always IT that can help. It’s important to train employees about clicking on links and sending information externally. And it’s important that your culture makes it easy and natural for staff to report anything that does catch them out. The sooner your provider can help you, the better.

Myth three: “There’s not much point in looking at business continuity now, as we’re looking at moving to the cloud / changing technology.”

Regardless of what technology you use and where it is, you need a business continuity plan. What is important, is to make sure your business continuity solution is still appropriate and update it to accommodate any changes.

Our advice: When making any changes to your environment, it is vital to understand how your risk profile changes and how it affects your ability to recover your data and continue running the business, in the event of a breach or outage.

Moving to cloud environments or utilising shared or public cloud services to run elements of your business can deliver significant performance, cost and resilience benefits. But it doesn’t remove the risk or responsibility you have around data legislation, compliance and business continuity. The same applies to changes in the way you utilise third-party or in-house solutions, and the way your staff access data, where from, and how.

One of the benefits of having business continuity services in place, is that you’re able to put them on stand-by to cover any transitions – moves, adds, changes on any scale can lead to unexpected disruptions and are times where you’re more likely to need to use your business continuity plan and services!

Action points:

    1. Utilise your business continuity services by placing your provider on standby to make sure you’re covered during periods of change.
    2. Ask these basic questions to accommodate any changes to your business, into your business continuity planning (including moving to the cloud – see myth 1!)

      Question 1: What has changed?

      Question 2: Will my existing security practices and architectures be as effective after the changes?

      Question 3: What do I need to address to maintain the right level of protection for the business?

      Question 4: How have the changes altered my business continuity planning?

      Question 5: What new risks do I need to plan for as a result of the changes?

      Question 6: What actions do I need to take?

    3. Remember when changing technology, that in a recovery scenario, rebuilding the systems, virtual machines and workloads is only part of the requirement. Connecting to networks and all the upward and downward dependencies is necessary – and generally an area that would benefit from third party recovery services and expertise.

Myth four: “We don’t need Work-Area-Recovery as staff have laptops and can work-from-home”

While it’s true that if staff have laptops, they can (and do) work from home, this doesn’t automatically mean that work area recovery is not required. This is because home workers and office workers may both require an alternative place to work from when the unexpected happens.

Mini case study example:

Finding that working-from-home works in ‘business as usual’ conditions, a multinational finance customer on the verge of cancelling its work area recovery contract, suffered an incident that proved it still needs this service as a critical component of its disaster recovery strategy…

In the aftermath of a cyber-attack, a multinational finance company was left unable to carry out its core operations, which in turn had a major impact on their office-based and homeworking colleagues, and in turn, their customers.

The security breach happened through a third-party telephony service provider, causing all telephony systems to stop working. As a result, the entire IT infrastructure was shut down to handle and restrict the damage – and this meant even employees working remotely via VPN or with softphones were taken offline.

Under the company’s work area recovery contract with us, all critical staff were efficiently accommodated at one of our business continuity centres, and our customer was able to continue to operate critical customer service and finance functions. It was a stark reminder that working from home did not provide a viable alternative to a work area recovery solution.

Our advice is to examine the viability of working from home as a replacement for work area recovery, for your specific organisation. It may be that you need an element of recovery to an appropriate alternative facility, especially if your decision was based on the pandemic environment. What became a necessary way of working during the pandemic may not hold up to scrutiny today from the FCA for financial institutions, or those under the jurisdiction of other regulatory bodies, relating to data security, client confidentiality and corporate governance.

Top risks of working from home include:

  • GDPR breaches
  • Widespread power outage affecting both homes and mobile network masts (which don’t have power backup)
  • Irregular or incomplete backups
  • Unsecured home devices
  • Weak passwords
  • Unencrypted file sharing
  • Phishing emails

Myth five: We’re covered - we have a business continuity plan, it was done only last year.

If your business continuity plan was done over a year ago and has not been updated, how can you be sure that you’re covered? The rate of change just in the technology deployed, migrated and updated throughout an organisation in any 12-month period is enough to invalidate a significant chunk of your business continuity plans, never mind the myriad other changes that happen organically and via mergers and acquisitions, new partnerships and supplier relationships, changing customer requirements, people changes and strategy updates! In fact, it’s generally safer to assume you don’t have one!

A reputable business continuity or disaster recovery provider will have automated and on-demand disaster recovery testing capabilities to allow you to test what you want when you want and only pay for the usage time. This means that upgrades and changes can be immediately validated against any recovery plans to ensure it will work when it’s needed. Regular automated testing also picks up changes made innocently which could impact the business and provides auditors up to the minute proof of recovery.

Finally, a bonus myth that having business continuity and disaster recovery plans means that your sorted. It’s not “job done” until you’ve tested or rehearsed your plans. Those of you who haven’t can be sure of just one thing. You’ll be surprised at how many small and large issues will pop up, that you can then address, so that should you need to follow your plans in a live situation, they really will “go according to plan” and you’ll have a successful recovery.

For more information on how our services can help you, visit Business Continuity | Work area recovery - IT solutions & services

business continuity

Latest blogs

See all posts
Placeholder thumbnail
Expanding our Microsoft Partner credentials!

We've just earned a new Microsoft Solutions Partner Designation - here's what it means for you

Read more
two people in an office looking at a laptop
How CHECK Penetration Testing Strengthens Public Sector Cyber Security

The public sector faces unique cyber security challenges due to its responsibility for safeguarding vast amounts of sensitive information. Government agencies and public institutions are prime targets for cyberattacks, which can disrupt services and undermine public trust.

Read more
Placeholder thumbnail
From crisis to control: building a cyber incident response plan

In the event of a cyber attack, having a detailed response plan will be what separates organisations into two groups. Those confident in their pre-planning and able to manage the incident effectively, and those who have been burying their heads in the sand. Cyber threats are increasing in scale and sophistication, with payloads that can cripple IT systems to cause operational disruptions and reputational damage, so let’s make sure you’re in the right group, by detailing what should be included...

Read more

Stay service-savvy

Get all the latest news and insights straight to your inbox.