Business continuity myth busting – the top 5 misconceptions debunked

20/05/25 Wavenet
Business continuity myth busting – the top 5 misconceptions debunked placeholder thumbnail

For longevity and success, organisations need to be resilient and prepared for anything, to respond quickly if an interruption occurs. Yet, many businesses fall prey to common misconceptions surrounding business continuity that can jeopardise their success. Our team of industry-leading business continuity specialists has identified and addressed the top five myths that are misleading and potentially harmful to your organisation’s readiness for unforeseen challenges.

By understanding and avoiding these misconceptions, you can strengthen your business continuity strategies and ensure your organisation remains strong and agile in the face of adversity.

Discover the top fallacies – with clarification and expert insight - surrounding business continuity, to ensure your business is protected from the pitfalls of these pervasive myths.

Myth one: “Your data is safe in the public cloud” / “Your cloud provider is responsible for business continuity”

It isn’t, and they’re not! In short, cloud providers are subject to the same disruptions as any other organisation, and it’s important to know that outsourcing your infrastructure or services to a public cloud provider does not outsource the risk – you’re still responsible for your data!

On-premises risk

Cloud risk

Flood/fire/environmental at your site

Flood/fire/environmental where your data is stored

Data held and accessed via a LAN

Maintaining connectivity to data in the cloud and ensuring its resilience in the cloud

 

Loss of control of the location and sovereignty of your data

 

Misconfigurations/changes can be difficult to find and track. Could you rebuild in another cloud with all the networking configured?

Email data stored in Microsoft Exchange – a large proportion of infiltration comes via this route

Email data in Microsoft 365 (still needs to be backed up) – a large proportion of infiltration comes via this route

Over-reliance on IT resilience, leading to a lack of planning for recovery from serious incidents requiring data and IT system recovery from backups

Lack of visibility of supplier’s level of reliance on IT resilience (and level of recovery arrangements) Careful project planning required in preparation to failback/recover from backups, in the event of a major incident during the migration to the cloud

Not having up to date and tested plans to recover from IT disasters and major business incidents

Not having up-to-date and tested plans to recover from IT disasters and major business incidents

Make sure SLAs are appropriate and applicable in the event of downtime considering both traditional disasters as well as cyber incidents which require additional remediation

 

 

Public cloud platform SLAs can be difficult to interpret in the event of downtime How will I maintain control of my IT spend when I move to the cloud? Can services be impacted if this gets out of control?

Understanding how to make changes to the service provision and the implications to the business

Understanding how to get your data out of the public cloud and how much it will cost. Egress charges can be difficult to interpret – and will it run anywhere else?

Myth two: “Microsoft backs up your data in Microsoft 365.”

It doesn’t. While Microsoft 365 provides robust services for business, a comprehensive backup for your data is not one of them. As a software-as-a-service offering it is NOT Microsoft’s responsibility to protect your Microsoft 365 data. In fact, Microsoft itself recommends that users regularly back up content and data using third-party services.

Without third-party backup, sensitive business data such as emails or shared files stored in Microsoft 365 are not protected from the most common or most serious data loss issues.

When looking at infiltration into company systems, email can be one of the most accessible to bad actors and it’s not always IT that can help. It’s important to train employees about clicking on links and sending information externally. And it’s important that your culture makes it easy and natural for staff to report anything that does catch them out. The sooner your provider can help you, the better.

Myth three: “There’s not much point in looking at business continuity now, as we’re looking at moving to the cloud / changing technology.”

Regardless of what technology you use and where it is, you need a business continuity plan. What is important, is to make sure your business continuity solution is still appropriate and update it to accommodate any changes.

Our advice: When making any changes to your environment, it is vital to understand how your risk profile changes and how it affects your ability to recover your data and continue running the business, in the event of a breach or outage.

Moving to cloud environments or utilising shared or public cloud services to run elements of your business can deliver significant performance, cost and resilience benefits. But it doesn’t remove the risk or responsibility you have around data legislation, compliance and business continuity. The same applies to changes in the way you utilise third-party or in-house solutions, and the way your staff access data, where from, and how.

One of the benefits of having business continuity services in place, is that you’re able to put them on stand-by to cover any transitions – moves, adds, changes on any scale can lead to unexpected disruptions and are times where you’re more likely to need to use your business continuity plan and services!

Action points:

    1. Utilise your business continuity services by placing your provider on standby to make sure you’re covered during periods of change.
    2. Ask these basic questions to accommodate any changes to your business, into your business continuity planning (including moving to the cloud – see myth 1!)

      Question 1: What has changed?

      Question 2: Will my existing security practices and architectures be as effective after the changes?

      Question 3: What do I need to address to maintain the right level of protection for the business?

      Question 4: How have the changes altered my business continuity planning?

      Question 5: What new risks do I need to plan for as a result of the changes?

      Question 6: What actions do I need to take?

    3. Remember when changing technology, that in a recovery scenario, rebuilding the systems, virtual machines and workloads is only part of the requirement. Connecting to networks and all the upward and downward dependencies is necessary – and generally an area that would benefit from third party recovery services and expertise.

Myth four: “We don’t need Work-Area-Recovery as staff have laptops and can work-from-home”

While it’s true that if staff have laptops, they can (and do) work from home, this doesn’t automatically mean that work area recovery is not required. This is because home workers and office workers may both require an alternative place to work from when the unexpected happens.

Mini case study example:

Finding that working-from-home works in ‘business as usual’ conditions, a multinational finance customer on the verge of cancelling its work area recovery contract, suffered an incident that proved it still needs this service as a critical component of its disaster recovery strategy…

In the aftermath of a cyber-attack, a multinational finance company was left unable to carry out its core operations, which in turn had a major impact on their office-based and homeworking colleagues, and in turn, their customers.

The security breach happened through a third-party telephony service provider, causing all telephony systems to stop working. As a result, the entire IT infrastructure was shut down to handle and restrict the damage – and this meant even employees working remotely via VPN or with softphones were taken offline.

Under the company’s work area recovery contract with us, all critical staff were efficiently accommodated at one of our business continuity centres, and our customer was able to continue to operate critical customer service and finance functions. It was a stark reminder that working from home did not provide a viable alternative to a work area recovery solution.

Our advice is to examine the viability of working from home as a replacement for work area recovery, for your specific organisation. It may be that you need an element of recovery to an appropriate alternative facility, especially if your decision was based on the pandemic environment. What became a necessary way of working during the pandemic may not hold up to scrutiny today from the FCA for financial institutions, or those under the jurisdiction of other regulatory bodies, relating to data security, client confidentiality and corporate governance.

Top risks of working from home include:

  • GDPR breaches
  • Widespread power outage affecting both homes and mobile network masts (which don’t have power backup)
  • Irregular or incomplete backups
  • Unsecured home devices
  • Weak passwords
  • Unencrypted file sharing
  • Phishing emails

Myth five: We’re covered - we have a business continuity plan, it was done only last year.

If your business continuity plan was done over a year ago and has not been updated, how can you be sure that you’re covered? The rate of change just in the technology deployed, migrated and updated throughout an organisation in any 12-month period is enough to invalidate a significant chunk of your business continuity plans, never mind the myriad other changes that happen organically and via mergers and acquisitions, new partnerships and supplier relationships, changing customer requirements, people changes and strategy updates! In fact, it’s generally safer to assume you don’t have one!

A reputable business continuity or disaster recovery provider will have automated and on-demand disaster recovery testing capabilities to allow you to test what you want when you want and only pay for the usage time. This means that upgrades and changes can be immediately validated against any recovery plans to ensure it will work when it’s needed. Regular automated testing also picks up changes made innocently which could impact the business and provides auditors up to the minute proof of recovery.

Finally, a bonus myth that having business continuity and disaster recovery plans means that your sorted. It’s not “job done” until you’ve tested or rehearsed your plans. Those of you who haven’t can be sure of just one thing. You’ll be surprised at how many small and large issues will pop up, that you can then address, so that should you need to follow your plans in a live situation, they really will “go according to plan” and you’ll have a successful recovery.

For more information on how our services can help you, visit Business Continuity | Work area recovery - IT solutions & services

business continuity

Latest blogs

See all posts
Placeholder thumbnail
The NHS leader’s CAF & DSPT checklist: cyber resilience, compliance, and assurance in 2026

For NHS Trust leaders, meeting the demands of cyber security assurance has never been more urgent. With the Data Security and Protection Toolkit (DSPT) now aligned to the Cyber Assessment Framework (CAF), NHS organisations now need to demonstrate not only whether controls are in place, but how effective they are in practice.

Read more
online banking
Why financial services firms need advanced connectivity & security in 2026

The UK financial services sector entered 2026 as one of the most digitally advanced industries in the world. Mobile banking dominates customer interactions, neobanks (a bank that only operates online and has no network of physical locations) continue to disrupt traditional models, and AI is rapidly expanding across fraud prevention, analytics, and customer experience. But with rapid digital acceleration comes increased cyber risk, regulatory pressure, and infrastructure demands. Financial institutions now require advanced connectivity and robust security to stay operational, competitive, and compliant.

Read more
msp it
Top 10 questions to ask before choosing an MSP in the UK (2026)

Choosing a Managed Service Provider (MSP) is one of the most important technology decisions a UK business will make in 2026. With MSPs now responsible for cyber security, cloud management, remote working, data protection, and everyday IT operations, selecting the wrong partner can create major business, financial, and regulatory risks.

Read more
windows-11
Understanding Windows 10 Extended Security Updates (ESU) - what your business needs to know in 2026

As of 14 October 2025, Microsoft officially ended free security updates for Windows 10. Organisations that continue operating Windows 10 devices today - in 2026 - are now doing so in a post‑support environment, relying either on paid Extended Security Updates (ESU) or accepting increasing cyber risk. Windows updates are the backbone of endpoint security, identifying new vulnerabilities and closing them before attackers exploit them. Since the end of support deadline passed, unpatched vulnerabilities accumulate quickly, creating growing exposure across any estate still running Windows 10. Continuing with Windows 10 in 2026 can lead to: Higher cyber‑attack risk, particularly ransomware Compliance issues (Cyber Essentials, ISO 27001, GDPR, FCA/financial sector requirements) Reduced software compatibility with modern applications and security tools Increased helpdesk overhead due to outdated hardware and OS issues For organisations, this is no longer preparation for a future deadline - it’s about reducing risk now and completing the transition to a modern, supported operating system. Your organisation’s options in 2026 Businesses now have three strategic pathways depending on their hardware, budget cycle, and deployment readiness. 1. Upgrade existing compatible devices to Windows 11 If your current hardware meets Microsoft’s requirements, upgrading remains the fastest and most cost‑effective way to move away from Windows 10 ESU dependency. Benefits include: Ongoing security updates Modern protection (TPM 2.0, enhanced kernel security, improved identity protection) Support for AI‑powered features and future Microsoft roadmaps Lower risk and long‑term stability If your business has Windows 10 machines still capable of upgrading, this should be the first route explored. 2. Refresh your estate with Windows 11‑ready devices Many Windows 10 machines still in use in 2026 are now five to eight years old, and often: Fall below modern security standards Cause productivity bottlenecks Increase support tickets Consume disproportionate IT resources A structured hardware refresh offers: Predictable lifecycle management Improved reliability and performance Standardisation across departments Compatibility with modern security and MDM tooling Wavenet supports staged refresh programmes aligned with fiscal planning, ensuring minimal business disruption. 3. Continue using Windows 10 with Extended Security Updates (ESU) Microsoft’s Windows 10 ESU programme is still available, but it is: Paid per device, per year Increasing in cost each year (designed to encourage migration) Security‑only - no features or performance improvements A temporary safety net, not a long‑term strategy ESU is most appropriate when: Line‑of‑business applications are not yet Windows 11 certified You need additional time for a phased rollout Budget cycles are delaying upgrades or refresh Remote / operational environments require longer transition periods Most organisations still using ESU in 2026 should plan to exit it within the next 12–24 months. Assessing your Windows 11 readiness in 2026 At this stage, businesses need more than a simple device‑level compatibility check. A comprehensive analysis includes: Hardware readiness across the estate Application and vendor compatibility Driver and firmware validation Intune / MDM alignment Security baselines and policy impacts User profile and data considerations Deployment sequencing and pilot planning Wavenet offers full readiness assessments to provide a clear view of which devices can be upgraded, which require replacement, and where ESU may remain temporarily necessary. Why 2026 is a critical year for migration With the end of support now behind us, delaying migration further increases: Security exposure Operational risk Compliance penalties ESU costs End‑user frustration from aging hardware A well‑structured migration programme delivers: A secure, modernised endpoint environment Lower long‑term support cost Improved employee experience Better alignment with Microsoft’s cloud and security roadmap Many organisations are now accelerating migration to remove the remaining Windows 10 footprint entirely. How Wavenet supports your Windows 11 journey Wavenet provides end‑to‑end Windows 11 migration services, including: Estate discovery & readiness assessment Hardware lifecycle planning and procurement Application compatibility testing Managed upgrade or Autopilot deployment Configuration, security baselines, and Intune alignment ESU planning (where absolutely necessary) Phased rollouts with minimal disruption Whether you’re upgrading compatible devices, refreshing your estate, or transitioning off ESU entirely, Wavenet ensures a smooth, secure, and controlled migration.

Read more
Placeholder thumbnail
Everything you need to know about network observability

This article is a useful 101 reference for network observability. What is it? Why does it matter? What are the benefits and outcomes from embracing it?

Read more