Learning Outcomes
After reading this article, you will understand why IT risks threaten business operations and data integrity. You will be able to explain the principles and practical implications of access controls, backup procedures, and recovery solutions. You will be able to identify suitable controls to secure systems, describe how backup and recovery support business continuity, and evaluate threats and responses for exam scenarios.
ACCA Business and Technology (BT) Syllabus
For ACCA Business and Technology (BT), you are required to understand both the risks IT systems face and the controls available to manage these risks. This article focuses on:
- The nature and significance of IT risks for business operations
- Types and features of access controls for securing systems and data
- Principles of effective backup and recovery procedures
- Practical challenges for business continuity and disaster recovery
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- What are the main objectives of access controls in IT systems?
- List three types of backup and explain the difference between them.
- Which one of the following is a potential risk if a company does not perform regular backups?
- A) Improved data accuracy
- B) Enhanced security
- C) Loss of data after a hardware failure
- D) Faster processing speed
- What is the relationship between disaster recovery and business continuity planning?
Introduction
Organisations increasingly depend on IT systems for daily operations, decision-making, and customer services. These systems bring efficiency, but expose businesses to risks like data loss, unauthorised access, and operational downtime. Effective access controls and reliable backup and recovery procedures are essential components for maintaining security and continuity.
Protecting sensitive data and ensuring continuity even in the face of system failures or attacks are critical for regulatory compliance and business survival. ACCA candidates must know how specific controls and processes work together to protect the business.
Key Term: IT risk
The probability that IT system weaknesses or failures will cause harm, data loss, or disrupt business operations.
IT Risks: Overview
Every business faces risks from internal mistakes, technical malfunctions, and external threats. These may include:
- Unauthorised data access or theft
- Data alteration or destruction (accidental or deliberate)
- Hardware or software failure
- Cyberattacks (e.g. hacking, malware, ransomware)
- Natural disasters affecting data centres or office sites
The impact of these risks may be financial losses, reputational damage, compliance issues, or even business closure if critical data is lost.
Access Controls
Access controls are the processes and tools for ensuring only authorised users can interact with specific systems and data.
Key Term: Access control
The policies, procedures, and technical measures used to limit and monitor access to information systems and sensitive data.
Types of Access Controls
- Physical controls: secure locations, locked server rooms, badges.
- Logical controls: passwords, two-factor authentication, biometrics.
- Administrative controls: user access policies, authorisation levels, regular audits.
Principles
Access controls should apply the principle of least privilege: users receive only the access required for their job. Regular reviews ensure access is updated when staff move roles or leave.
Key Term: Authentication
The process of verifying the identity of a user or device before granting system access.
Key Term: Authorisation
The process that determines what resources or functions an authenticated user is permitted to access.
Backup Procedures
Backups protect against data loss resulting from technical failures, mistakes, cyberattacks, or disasters. Effective backups allow a business to restore data to a recent, operational state.
Key Term: Backup
The process of making and storing copies of files or databases to ensure information can be recovered after loss or damage.
Types of Backups
- Full backup: a copy of all selected data.
- Incremental backup: copies only data changed since the last backup.
- Differential backup: copies all changes made since the last full backup.
Key Term: Recovery point objective (RPO)
The maximum acceptable amount of data loss measured in time, e.g. “no more than one hour of lost updates.”
Key Term: Recovery time objective (RTO)
The target maximum time between an incident and full business resumption.
Backup Best Practice
- Perform backups regularly (daily or real-time, where required)
- Store backup copies off-site and/or in the cloud
- Encrypt backups for security
- Document backup schedules and test restoration regularly
Recovery and Business Continuity
When disruption occurs, recovery procedures are used to restore data, applications, and essential operations. This is part of the wider business continuity plan (BCP).
Key Term: Business continuity
The ability of an organisation to continue delivering critical operations during and after serious incidents or disasters.
Key Term: Disaster recovery
The structured processes and resources put in place to restore IT services and data after a disruption.
A robust disaster recovery (DR) plan should include:
- Steps for system restoration from backups
- Assignment of responsibilities in a crisis
- Communication protocols in an emergency
- Regular testing and rehearsal of recovery procedures
Worked Example 1.1
A company is hit by ransomware that encrypts all files on its main server. Its IT team has full backups from two days ago, and incremental backups for the missing days. Explain the recovery steps.
Answer:
The IT team should first remove the malware, then restore data from the most recent full backup. Next, they apply the incremental backups to bring the data up to date. This minimises data loss and restores operations quickly.
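The following added example (not part of the original article) simulates the three backup types from the Types of Backups list and the restore order used in Worked Example 1.1. The file server snapshots are constructed sample data; the model tracks new and modified files only, not deletions.

```python
# Constructed example: end-of-day snapshots of a small file server,
# each a dict mapping filename -> content version.
SNAPSHOTS = [
    ("Mon", {"ledger.csv": "v1", "payroll.xlsx": "v1", "memo.txt": "v1"}),
    ("Tue", {"ledger.csv": "v2", "payroll.xlsx": "v1", "memo.txt": "v1"}),
    ("Wed", {"ledger.csv": "v2", "payroll.xlsx": "v2", "memo.txt": "v1"}),
    ("Thu", {"ledger.csv": "v3", "payroll.xlsx": "v2", "memo.txt": "v1"}),
]


def changed_since(current, reference):
    """Files that are new or modified compared with the reference state."""
    return {f: c for f, c in current.items() if reference.get(f) != c}


def build_backup_sets(snapshots=SNAPSHOTS):
    """Full backup on day one; afterwards, for each day, an incremental
    (changes since the previous backup) and a differential (changes since
    the last full backup). Returns (full, incrementals, differentials)."""
    _, full_data = snapshots[0]
    incrementals, differentials = [], []
    previous = full_data
    for day, data in snapshots[1:]:
        incrementals.append((day, changed_since(data, previous)))
        differentials.append((day, changed_since(data, full_data)))
        previous = data
    return dict(full_data), incrementals, differentials


def restore_from_incrementals(full, incrementals):
    """Restore = full backup, then apply EVERY incremental in order.
    A missing link in the chain leaves that day's changes unrecovered."""
    state = dict(full)
    for _, delta in incrementals:
        state.update(delta)
    return state


def restore_from_differential(full, differential):
    """Restore = full backup plus only the latest differential."""
    state = dict(full)
    state.update(differential[1])
    return state


def backup_sizes(backup_sets):
    """Number of files in each backup set: incrementals stay small while
    differentials grow until the next full backup."""
    return [len(delta) for _, delta in backup_sets]
```

Restoring with the Wednesday incremental missing shows why the whole chain must be intact, whereas the differential restore needs only the last copy.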
Common Weaknesses in Practice
- Failure to test backups—data may be unreadable or incomplete when needed.
- Storing backup media on-site—physical loss or disaster could destroy both original and backups.
- Outdated access controls—former employees or people in new roles may retain inappropriate system access.
Worked Example 1.2
An HR manager leaves and is not promptly removed from IT systems. What access control failure has occurred and what risk does it pose?
Answer:
There was a failure to update user access after the employee’s departure—a breach of the principle of least privilege. The risk is unauthorised access to sensitive data by the former employee.
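As an added example (not from the original article), this access review check implements the regular review described under Principles and detects the leaver scenario in Worked Example 1.2. The HR roster and the system account extract are constructed sample data; the field names are assumptions.

```python
from datetime import date

# Constructed HR roster: current role and leaving date (None if still employed).
HR_ROSTER = {
    "asmith": {"role": "HR Manager", "left_on": date(2024, 3, 1)},
    "bjones": {"role": "Accounts Clerk", "left_on": None},
    "cwang": {"role": "Sales Rep", "left_on": None},  # moved out of Finance
}

# Constructed extract of enabled accounts: each entitlement records the role
# it was granted for, so role changes can be spotted.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "entitlement": "hr_payroll_rw", "granted_for": "HR Manager"},
    {"user": "bjones", "enabled": True, "entitlement": "ledger_rw", "granted_for": "Accounts Clerk"},
    {"user": "cwang", "enabled": True, "entitlement": "ledger_rw", "granted_for": "Finance Analyst"},
    {"user": "cwang", "enabled": True, "entitlement": "crm_rw", "granted_for": "Sales Rep"},
    {"user": "dold", "enabled": True, "entitlement": "admin", "granted_for": "IT Admin"},
    {"user": "eprev", "enabled": False, "entitlement": "ledger_ro", "granted_for": "Intern"},
]


def review_access(accounts, roster, today):
    """Return (user, entitlement, reason) for every enabled entitlement that
    breaches least privilege: orphan accounts with no HR record, leavers who
    are still enabled, and entitlements granted for a role the person no
    longer holds. Disabled accounts pose no live access risk and are skipped."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["user"])
        if person is None:
            reason = "no HR record (orphan account)"
        elif person["left_on"] is not None and person["left_on"] <= today:
            reason = "leaver still enabled"
        elif acct["granted_for"] != person["role"]:
            reason = "granted for former role"
        else:
            continue
        findings.append((acct["user"], acct["entitlement"], reason))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR_ROSTER, date(2024, 3, 15)):
        print("%-8s %-14s %s" % finding)
```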
Exam Warning
Always link backup and recovery to wider business continuity planning. The exam may test your ability to recommend controls to prevent downtime, not just data loss.
Revision Tip
Remember RPO and RTO definitions and differences—these are frequently tested concepts.
Summary
IT risks are unavoidable, but can be managed through a combination of access controls, regular backups, and clearly planned recovery procedures. Access controls restrict data and system access to those who require it. Backups allow restoration if primary data is lost, while recovery and continuity plans enable operating through or after incidents. Effective strategies increase business robustness and reduce the potential impact of system failures, cyberattacks, or disasters.
Key Point Checklist
This article has covered the following key knowledge points:
- The definition and sources of IT risks facing business operations
- Main objectives and types of access controls: physical, logical, and administrative
- The importance and types of backup procedures
- How backup and recovery fit into business continuity planning
- The roles of authentication and authorisation in system security
- Description of business continuity and disaster recovery objectives (RPO, RTO)
- Weaknesses that can undermine IT security and continuity
Key Terms and Concepts
- IT risk
- Access control
- Authentication
- Authorisation
- Backup
- Recovery point objective (RPO)
- Recovery time objective (RTO)
- Business continuity
- Disaster recovery