What to do when the big guns fall silent

We’ve seen a few significant vulnerabilities recently.  There have been the Barracuda vulnerabilities, a Microsoft exploit and a recent Citrix / Netscaler vulnerability.  Service providers have had issues, and security agencies have warned of more to come.  The issues have hit hard and fast, and all hit strong, established, and widely used technologies.

Now seems as good a time as any to consider your resilience and recovery capability. There are lots of different issues that could hit, like a hidden and pervasive vulnerability. A solar storm.  A corporate failure.  Something geo-political.  Whatever the issue is, it is worth considering: what would you and your business do if something major happened to a supplier or national infrastructure?

The easy answer is “everyone would suffer, so we’d be just like everyone else”.  However, it’s just possible you’ll need to generate some revenue and manage service to your clients.  And to do this, it’s just possible you’ll need something: bank account access, customer names, email addresses and numbers.  Some documents.  So, what things should you do?  Here are five actions to think about:

1. Understand exactly what you need to run your business in an emergency. This seems obvious, but few small organisations do it.  Think about what you do and what is absolutely critical to do in the days (and possibly weeks) following a problem.  It won’t be everything – a lot of things can wait.  But there is a subset of activity you will absolutely have to do from day 1.  Be clear on this, you will thank us later.

2. Understand what you need to run these things. So, you have your critical activities.  Now – what do you need to run them?  I mean systems, people, facilities, suppliers, data – all the bits and bobs you’ll need to run those activities normally.  List them and think how quickly you’d need them.

3. Figure out plan B. Now, for each of the things you need, figure out how you’d get them if there was a failure.  There’s an assumption in the middle of this – the type of failure – so think: What would I do if I had an issue / a major supplier had an issue / everyone had an issue?  Some events will cause you to shrug – there will be nothing you can do, and that’s your tolerance.  The point at which you must accept a risk.  Other things you’ll look for could be alternative suppliers and so on. These are your recovery actions.

4. Make sure you're backing up your data.  Many IT services are resilient, but not necessarily backed up.  I’ll say that again, slowly: NOT BACKED UP.  If the service fails, you may have nothing to fall back on and might lose all your data.  If you’re relying on a big provider, or have a critical small supplier, make sure you back up somehow.  There are utilities that can help with this, or you might want to securely store documents, reports, and email archives offline.  Yes, this is a very specific point, but so common it’s worthy of note.

5. Figure out who you need to talk to and communicate with.  Employees, investors, Board members, clients, regulators, insurers, suppliers, law enforcement – the list goes on.  It’s a long list, and if the worst happens, there are some things you’ll likely need for this communication.  Phone numbers, email addresses and so on.  Maybe even credentials for updating your website.  Find a way of storing these securely offline somewhere.  Yes, we know that can be dull, and you’ll probably never use them, but still: store the minimum you’ll need (for example, banking, client numbers and so on).

Once you have all of this, learn it and practice.  And improve and practice.  30 mins – 1 hour a few times a year can help improve and embed your procedures, without distracting from everyday work.  And the effort might just help you ride through a major problem with your business intact.

Would you like a free one-hour consultation with a resilience specialist? Contact us at the following link: Contact – Reconfort