How do you handle a disaster like Sandy?

With Sandy taking out a large number of businesses on the east coast of the US, how many SMBs will be up and running again with minimal impact on the two items that keep a business viable: revenue and cash flow?

To most businesses the disaster recovery plan and business continuity plan are something kept in the cupboard, under the sink, behind the drain cleaner or under the stairs (where I actually found a client's BC plan), and only rolled out when someone makes a concerted effort to look at them.

Statistics show that 70% of businesses do not have a BC or DR plan. It is something that has not crossed their collective minds, usually accompanied by an "it won't happen to me" attitude. A worse statistic is that 90% of SMBs have never tested their plan to see whether it would work in a simulated situation, never mind a full-blown disaster.

Most businesses do some level of backup, whether of complete systems or just critical information. Although backup is part of disaster recovery, it is not and never will be a complete plan for getting your business back from the brink and running successfully in the minimum amount of time.

Having access to your data is one thing, but in the shadow of an event like Sandy it is not going to help much if the Internet, phone, road, rail, airport and people infrastructure is no longer in place. If you are local to the focal point of a natural disaster, then knowing that your information is safe is great, but your local clients are going to be in the same predicament as you. Not only does everyone concerned have to worry about property and loved ones, but the added stress that your business may have collapsed as well is not worth thinking about.

If you are a multinational organisation whose customers are nationwide or worldwide, then you are going to lose considerable revenue in the wake of such a disaster, especially if you have not thought through your plan.

The main point of a business continuity plan is to get your business up and running as fast as possible, but that also depends on having the right people available to fill their roles. If you are a multinational with local, state, national and worldwide clients, then you also need alternatives for cloud providers, hosting and support, sales and marketing, and even management. For an effective business continuity plan, redundancy needs to be located in different geographic locations, with different levels of infrastructure requirements, and with people who can "pinch hit" in other business roles.

One of the best ways to prove your business continuity plan is to role-play the problems that could happen. A monthly hypothetical problem, generated by management, with everyone's involvement, can be used to get everyone thinking about what to do, how to do it, and what happens if the whole area is wiped out.

These role-play sessions need to cover both small and large problems: anything that could have a detrimental effect on your business. From a fire in a server, to a fire in the building, to a fire in the area, to a full-blown forest fire, all need the involvement of everyone concerned.

Role-playing also needs the involvement of all stakeholders. This includes the geeks in IT, management, manufacturing, marketing and sales, and the most important people, the people on the front lines. Each role-playing session also needs a moderator: someone to set the scenario, control the action, define the responses and deliver the final report.

Not understanding the why in this situation is usually the largest problem. Why would you need to prove your BC plan? Not everything goes according to plan, no matter what. To paraphrase a World War One general, "no plan survives first contact with the enemy". This applies to DR and BC plans as well. The enemy is anything that will damage your business's ability to make money.

Any small or medium business or not-for-profit organisation that does not deploy some level of BC testing is in for a shock when the big one does come around. Statistically speaking, those without a proven plan will have monumental problems sustaining their business viability after such an event.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.