| by Shawn D. Stewart | No comments

Foundations – Business Continuity

OR Who You Callin’ A Psycho?

What happens if?  Asking this question helps us keep a business (or household) going in the event of an “incident”.  What is an incident?  Oh, it could be anything that is outside the normal, day-to-day operations that disrupt life as we know it.  Doesn’t need to be natural disasters, meteors, or the return of Jesus Himself, but you should plan for all possibilities.  Follow me, your own personal Mad Hatter, down the rabbit hole of Business Continuity.

Already Behind? – Cybersecurity begins and ends with Policy.  You must have a written policy in place to counter potential outages.  Of course, the Incident Response Plan encompasses both incidents, such as Help Desk trouble tickets, and Business Continuity, which focuses more on Disaster Recovery and Crisis Management.  We are interested in those items that arise outside of normal incidents.  We’ll start small and work our way into unprecedented situations.  REMEMBER – A line exists where Business Continuity stops, when the safety of personnel and concern for families’ safety outweigh business.  Where you draw that line is dependent on your business.

Cheesy Cheshire Smile – Don’t say, “I have a battery backup and I back up all my files to an external hard drive and online.  I don’t need a policy or a plan.”  It’s a start but, what happens if…the computer crashes?  Ransomware encrypts all your online and external drive files?  The new intern accidentally formats the hard drive?  Your house or building burns down?  A tornado relocates your computers to another state?  The Internet becomes unavailable?  The power grid fails?  The Sun knocks us back to the Stone Age?  “You ARE Mad!”  Oh, really?  Tell me how you properly planned for Snowmaggedon or Superstorm Sandy?

On a Wall – “Couldn’t happen to me!”  Here are a couple of stats.  More than half of all businesses experience an incident requiring redundancy or failover.  Nearly half of all businesses that experience a major outage, including Ransomware attacks, are out of business within a year.  That includes businesses with cybersecurity insurance!  Are you willing to take that chance?

Tweedledee and Tweedledum – Start with dual Internet connections from different vendors on different mediums.  For instance, your primary Internet is from you cable carrier, connects via copper coax, and your backup/secondary connects via fiber from the local phone provider.  Even a copper-based DSL circuit keeps you connected to the Internet.  Cloud providers keep multiple sites for redundancy, but you still need to access them even if the primary Internet goes down.  A mobile hotspot is better than nothing.  Ensure your firewall is intelligent enough to automatically transition between multiple Internet connections in an outage.

White Rabbit Running – News flash!  Computers and networking equipment will not work without electricity!  Shocking, I know.  Not every computer needs an Uninterruptible Power Supply (UPS), but all servers and network equipment should have the ability to continue running for some time during a power outage.  Nearly all network and server hardware include the option for dual power supplies.  By connecting these into separate UPS units, you are protected from power outages and surges, power supply failure, and accidental power offs.  Placing the UPS units on separate electrical circuits prevents circuit trip fails as well.  Be sure to properly size the UPS to match the total load and desired battery runtime.

Sea of Tears – Back up your data, encrypt it, and keep a physical copy, detached from your network, at least 25 miles away from your office.  Why?  Natural and man-made disasters typically are limited in range to a 25-mile radius, and that’s the military’s safe range for nuclear and biological attacks.  Online backups are great, but Ransomware will encrypt anything accessible, especially Cloud servers.  What’s most important about backups?  Test them through physical restores on new computers!  Anyone working in IT long enough will have a horror story about unrestorable backups.

Blown Away – Pick a real disaster, such as a building fire, natural disaster, or gas leak.  Everyone is forced out of the office for a certain amount of time.  Sound familiar?  Didn’t we do something like this last year?  And many will say, “yes, we plan to just work from home.”  That’s great.  Who will pick up the checks?  Where will the mail go?  Will phone calls follow you?  What if your business is dependent upon producing a physical product?  You will need somewhere else to go, even if it’s for a few weeks.  To that I say you need a secondary site.  Many companies offer temporary office, warehouse, and even manufacturing space when you need it.  The site can be mobile or stationary and can include replicated data and servers, known as a Hot Site, or just an Internet connection and space, known as a Cold Site.

Enough Tarts for Everyone – Let’s say the Sun does send out a solar flare that knocks out satellites, melts the electrical grid, and renders the Internet inoperable.  You and your employees won’t be thinking about spreadsheets or that boring Monday morning meeting.  This is the point where the business will say, “go home, take care of yourselves, and we’ll communicate our return to work when the world recovers.”  The only thing you can do is protect your data, hit the pause button, and not go the way of the Dodo.  Follow state and federal emergency guidelines to ensure your employees and your office have the necessary water, food, and medical supplies when, not if, disasters occur.  All homes and offices should be able to shelter all occupants in place for at least 72 hours, per Ready.gov.  Don’t forget about emergency communications, such as battery-operated radios, in case the mobile network fails.

The Real Jabberwocky – You may think I’ve lost my marbles talking about the Sun as a threat actor, but many modern off-site backup companies and data centers are building concrete and steel enclosures to protect equipment and data from just such threats.  Yes, it costs more, but if your data truly is that important, it may be worth it.

Shrink or Grow? – Risk Assessments, as discussed in previous posts, will attach a dollar figure to your business and data.  This creates a budget for Business Continuity and protection.  There is a line where the cost and risk to personnel should not be crossed.  No matter how important your business or data, nothing is worth that level of risk.  When the line is crossed, it’s time to pause.  This MUST be documented in your Incident Response Plan, particularly the Business Continuity Policy.

Practice Makes Perfect – These policies, plans, and contingencies is useless if you don’t test them.  A Table Read, or walk-through of your plans, allows everyone involved to come together and talk through potential incidents and responses.  Everyone learns their role and time frames for completion.  Such meetings identify gaps and provide a real-world understanding of how an event might play out.  The more voices included, the more scrutiny the plan receives and the more solid it will be.

Business Continuity should ask the question “When” instead of “What If”.  Perhaps your company has been lucky so far.  You can call me “mad”, but most of my preparedness recommendations come from Ready.gov.  Check it now and be sure everyone in your organization creates their own individual plan.  Now is the time to discuss and plan how you and your business will react to disaster before you have to say, “if only.”

Want to see an article on a specific subject?  Need help?  Reach out.  We are all in this together.

mm
Shawn D. Stewart

Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds or has held certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell and others. He also holds a Masters in Cybersecurity, Bachelors in IT, a Minor in Professional Writing and is a published author.


Warning: Undefined array key -1 in /home/stewart/www/blog/wp-content/themes/wpxon-blog/template-parts/content-single.php on line 85

Leave a Reply