You’ve Got a Flood Plan, But No Cyber Plan? Here’s Why That’s a Business Killer
The Dangerous Myth of Traditional Disaster Recovery
Walk into most UK businesses and you’ll find a dusty binder marked "Business Continuity Plan." Inside? Procedures for fire, flood, maybe theft. There are evacuation maps, emergency contact numbers, and a vague reference to calling the insurance company. But mention a cyber attack and you get blank stares or a shrug. The most likely threat facing modern businesses is the one most frequently ignored.
Fires and floods are rare. Cyber incidents are not. Yet many business leaders plan for the unlikely and ignore the inevitable.
According to the UK Government's 2024 Cyber Security Breaches Survey, over 50 percent of medium-sized businesses and more than 70 percent of large enterprises experienced some form of cyber attack in the past year. That’s not a risk, that’s a certainty waiting to happen.
Not Just an IT Problem
One of the biggest misconceptions is that cyber attacks are the IT department’s problem. Wrong. They are a business problem. A revenue problem. A reputational problem. A legal and compliance nightmare.
When your systems go down, operations stop. Orders don’t ship. Customers can’t access their data. Staff can’t work. And once it hits the news, your brand takes a hammering.
Cyber incidents need board-level ownership. This is governance, not just infrastructure.
Most Recovery Plans Are Fiction
Let’s dissect what most businesses think counts as a cyber recovery plan:
"We have backups."
"Our MSP said we’re protected."
"We’re ISO certified."
None of these are actual plans. Backups are only helpful if they are tested, offline, and restorable. MSPs only cover you if their SLAs include incident response. And ISO certification might help you sleep at night, but it won’t restore your email.
A real plan includes:
Clear ownership of cyber incidents
Step-by-step playbooks for common attack types (ransomware, BEC, data breach)
Predefined communication templates for internal and external audiences
Legal, regulatory, and insurance engagement workflows
A forensic evidence preservation protocol
Clear documentation of systems, recovery points, and expected recovery times
Regular testing and simulation exercises
What Happens Without One
Day 1: An employee clicks a phishing link. Malware is installed. Systems begin to fail.
Day 2: Files are encrypted, customer data is inaccessible, and your staff is locked out. You call IT, and they’re already overwhelmed.
Day 3: You still don’t know how the attack started, and the backups haven’t worked. The board wants answers, and you’re not even sure which regulator to notify.
Week 2: The insurer asks for documentation you don’t have. Your legal team advises caution. Your competitors are calling your clients.
Month 3: The fines are in. The customers are gone. The damage is done.
What Good Looks Like
Let’s build a better picture. A well-prepared organisation has:
A tested cyber incident response plan
A named incident lead with decision-making authority
A RACI matrix showing who does what, when, and why
Immutable backups, tested weekly and stored securely offsite
Legal-reviewed breach notification templates ready to go
A comms plan aligned with the reputational risk strategy
An insurance playbook with contact timelines and escalation flows
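"Backups are tested and restorable" is only true if something actually restores them and checks the result. The script below is an added example, not code from the article or from any product it mentions: it writes a backup archive with a SHA-256 manifest, restores the archive into a scratch directory, and compares every restored file against the manifest, reporting files that are missing or that no longer match. The sample files, the archive name `nightly.tar.gz` and the manifest name are constructed for the demonstration; the `demo()` function also shows the failure case the weekly test exists to catch, an archive that drifted from what the manifest recorded.

```python
"""Backup restore verification: prove a backup is restorable, not merely present.
Added example with constructed sample data; not part of the original article."""
import hashlib
import json
import tarfile
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # constructed name; the manifest sits beside the archive


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir: Path) -> dict:
    """Record the SHA-256 of every file under src_dir, keyed by relative POSIX path."""
    return {p.relative_to(src_dir).as_posix(): sha256_file(p)
            for p in sorted(src_dir.rglob("*")) if p.is_file()}


def write_archive(src_dir: Path, archive: Path) -> None:
    """Write src_dir into a gzip-compressed tar archive (members are named './...')."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")


def create_backup(src_dir: Path, archive: Path) -> Path:
    """Take a backup and write its manifest at the same moment. Returns the manifest path."""
    manifest = build_manifest(src_dir)
    write_archive(src_dir, archive)
    manifest_path = archive.with_name(MANIFEST_NAME)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


@dataclass
class RestoreReport:
    restored: int = 0
    mismatched: list = field(default_factory=list)  # present but hash differs from manifest
    missing: list = field(default_factory=list)     # in manifest, absent from the restore

    @property
    def ok(self) -> bool:
        return not self.mismatched and not self.missing


def verify_restore(archive: Path, manifest_path: Path) -> RestoreReport:
    """Restore the archive into a scratch directory and check every file in the manifest."""
    expected = json.loads(manifest_path.read_text())
    report = RestoreReport()
    # On Python versions with tar extraction filters, refuse members that would escape
    # the destination (path traversal, absolute links); older versions extract as-is.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **extract_opts)
        for rel, digest in expected.items():
            target = dest / rel
            if not target.is_file():
                report.missing.append(rel)
            elif sha256_file(target) != digest:
                report.mismatched.append(rel)
            else:
                report.restored += 1
    return report


def demo() -> tuple:
    """Constructed scenario: a clean backup, then an archive that drifted from its manifest."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")  # sample data
        (src / "customers.json").write_text('{"count": 2}')               # sample data
        archive = work / "nightly.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)

        # Drift: one file changes and another disappears, then the archive is rewritten
        # without refreshing the manifest. A restore test is what surfaces this.
        (src / "customers.json").write_text('{"count": 3}')
        (src / "finance" / "ledger.csv").unlink()
        write_archive(src, archive)
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean backup restorable:", good.ok, "files:", good.restored)
    print("drifted backup restorable:", bad.ok, "mismatched:", bad.mismatched, "missing:", bad.missing)
```

Run it on a schedule against the real archive and manifest rather than the constructed sample, and treat any report where `ok` is false as an incident-plan failure to be fixed before the next cycle. Restoring into a scratch directory on a separate host, rather than over live data, is what makes the test safe to run weekly.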
Test. Then Test Again.
You wouldn’t skip fire drills. You wouldn’t assume a fire extinguisher works without checking it.
So why do so many businesses trust their cyber plans without testing them?
Simulations reveal weaknesses, tabletop exercises uncover gaps, and red team drills build confidence. Testing separates the pretend plans from the ones that work.
The best time to discover a flaw is not while you’re under attack. During a calm afternoon, there’s time to learn and adapt.
Cyber Essentials Isn’t Enough
Cyber Essentials is a strong defensive start. It proves you have firewalls, patched systems, access controls, and antivirus. But it is not a recovery framework. It doesn’t tell you what to do when everything goes offline.
Recovery means preparing for failure, not just preventing it.
The better approach is to combine Cyber Essentials (prevention) with incident response planning (recovery); together they form a holistic resilience strategy.
Regulators and Insurers Expect Better
The ICO requires you to notify them of serious personal data breaches within 72 hours of detection. Your insurer might require notification within 24 hours. Failure to comply could void your policy or lead to enhanced penalties.
Insurers also expect you to have appropriate controls in place. Don't expect sympathy if you can’t prove you had a plan. Expect questions.
This Is a Leadership Problem
If the board doesn’t ask for incident response testing, it’s not doing its job. If department heads don’t know who to call in an emergency, it’s a governance issue. If staff haven’t been trained on what phishing looks like, you’re inviting disaster.
The difference between surviving and closing shop after a breach often comes down to preparation.
Closing Thoughts
You have a fire plan, flood insurance, and maybe CCTV and alarm systems.
Now it’s time to do the same for cyber.
Document a cyber incident plan, assign roles, write the comms, define your response, test it, fix what breaks, and repeat.
Because when the breach hits, and it will, you won’t rise to the occasion. You’ll fall to the level of your planning.
Make sure that the level is high enough to survive.
| Source | Article |
|---|---|
| UK Government | Cyber Security Breaches Survey 2024 |
| ICO | Data Security Guide to GDPR |
| NCSC | Incident Management Guidance |
| FCA | Cyber Resilience for Financial Services |
| NCSC | Small Business Cyber Security Guide |
| National Archives | Preserving Digital Evidence in Cyber Incidents |
| Marsh | Cyber Insurance Claims Trends 2024 |