You have just accepted a contract with a mid$-$size local company as an IT consultant, with the objective of reviewing the company's overall IT layout and controls, and to make recommendations for any needed changes. During your initial review of their systems, you have noted the following:

A full backup is completed on the last Friday of each month, with differential backups completed at the end of each business day. Files are backed up to a cloud storage location.

System passwords are changed at the beginning of each fiscal year, with each department having its own unique password. The managers and employees of each department do not know, or share, the password for their department.

The company's data center is located on the main floor of the administrative building, with all windows having a protective coating to block out sunlight.

The company does not have a formal written set of continuity or recovery plans.

Based on this information, if you were to make only recommendation that should be immediately addressed, which would you select and why?

Change the password protocol as that is the cheapest course of action.

Create a business continuity plan $($BCP$)$ as that would address many of the weaknesses the company has in the shortest amount of time.

$$ Move the data center to a floor that has no windows and limited access to protect the company's system.

Stop making differential backups as they are redundant. The full backups are sufficient and should be continued.