Summer is over - time for Business Continuity Planning

Summer is over here in Arizona. Well, almost. It is time to open the windows during the night, have coffee outside in the morning. We’ll have to close up and let the A/C continue to run during the day for a few more weeks. But for the most part it is getting to be just delightful. How are things at your end?

The changing of the seasons is often a good time to reconnect with people we haven’t heard from in a while. Make a phone call or send a note. It’s also a good time to review the place you live in and make any repairs that might have gone ignored because they didn’t matter much during the previous timeframe. I really didn’t worry about heat from the furnace during the Arizona summer! But now that some cooler temperatures are on the way, maybe it should be checked over, the filters cleaned, and all the other things that go with cool weather should be taken care of while there is still time. While we’re at it, this is a good time to consider all the rest of the “what ifs” that can fall upon us from time to time. There are unknown and therefore unanticipated problems waiting at every corner, and they can lead to major disasters. Why not take a little time, while you are getting those screens off the windows and getting ready to put the lawn furniture away, to look around for broken hand rails and loose steps? While you shore up the cracks and crevices with insulation to keep out the cold, look for things in disrepair that could cause an accident.

Well, that is all well and good for home owners, but it holds true for businesses as well. There are problems that lead to disasters, and if they are left undiscovered or unplanned for, you are in for trouble. Business Continuity Planning and Disaster Recovery Planning are continuous. It would be a good idea to make a special effort at this change of season to renew your efforts and take a fresh look at your processes and procedures to ensure that you are doing all you can to avoid disaster. Review your security policies, backup plan, and training programs. Summer is over – time to get serious again!

What is vulnerability scanning?

Vulnerability is defined as being susceptible to attack. It also means having your guard down. I did that once! Well, maybe it has been more than once, but I recall one time in particular. I was in the Atlanta airport and had flight problems. No surprise there. And so I was having to go down the steep escalator and back up after riding the little train from one terminal to another a few times as I was being kicked around between airlines and flights. On about the third pass at this, I was really disgruntled. While grumbling to myself and with head hanging down, I made another ride down the escalator dragging the suitcase, waited for the train, and then stepped into a car. Now, I don’t really think the Atlanta airport is a dangerous place in general. Usually it’s so full of people! But this was late at night and the crowd was thinning out. After the train started I looked up and noticed I was almost completely alone in the car. Almost, except for 1 downtrodden looking man in ragged clothes, and 3 very young, very big, athletic looking men, who did not appear to me to be the type I would like to meet up with in a dark alley alone. Suddenly I felt unsafe. I had let my guard down. Had I been paying attention, I would not have stepped into that car in the first place. Fortunately, the ride between terminals is not long and it ended quickly. In the meantime, however, I did notice that the young men had been shopping and they had bags from nice expensive stores. I decided if that man had tried to rob me, those 3 would have helped and my initial impression was wrong. Happily I’ll never know, but I do pay more attention and refrain from letting my guard down now.

So, how about you? And how about those network perimeters? Are they vulnerable to attack? Have you let your guard down and allowed someone the possibility of unauthorized access? Do you run services that require a port to be open that otherwise you would block? Is there remote access available for some authorized users that someone else might attempt to use? What other vulnerabilities are there and how would you know?

Vulnerability scanning is the process of testing your network to find the holes in your security and recommend corrective action. If you have vulnerabilities, and we all do since nothing is 100% guaranteed safe, you run the risk of someone using one of them, which creates an incident. Now that’s a problem! Perform risk analysis and then have someone test your vulnerabilities. Once you know about them, they can be easy to correct. That’s having your guard up; like watching where you are going.

Losing data is bad, not having a Business Continuity plan is worse.

I’m not going to bore you with all the statistics about how much money a company loses if they lose their data. First, it’s really depressing. And second, there are a gazillion places you can find all kinds of data to support this. So use that. What I would like to point out and reinforce in your thinking is that for any small company, if you don’t have your data, you don’t have a business! You don’t have customers, not that you can contact! You don’t have AR, not that you can collect! You don’t have employee records, historical lessons learned, a record of conversations and commitments to support decisions, etc. Pretty much you don’t have anything that will help you continue to do business. That is the point!

When a company loses their data, no matter to what, a fire or a hacker, there is not much left. That puts you out of business. Insurance will get you some money, but that may not keep you in business. Oh, you didn’t have that kind or that much insurance? Oops . . .

Here is the thing: there is data and there is all the rest of what you have in your business. You need to be sure that you are protecting all of it. It is not all that hard or expensive. It takes forethought, and then a few changes in your procedures and policies, and a little money to cover the expense of that planning time. And sure, a little money to cover a good backup system, be it in the cloud, or something more down to earth. It is a consideration, but ‘data backup’ is by far not the end all be all of your ‘business protection plan’. That is just another name for a Business Continuity Plan. It includes the backup process, but also risk analysis and continuity planning. See the difference?

Fire destroyed Trace Adkins’ home on Saturday (June 4)

What a shame! It’s always just so sad when there is such loss. I suppose you read about it. Did you notice the most important thing? “No one was injured.” And why was that? “Two of the singer's daughters were at home with their babysitter at the time, but were able to call 9-11 and run outside, putting their safety plan into immediate action.” No – it’s not the 911 call – it’s the Safety Plan! They had a plan to meet at a certain tree.

Do you have one? Do you have one at home for your family like they did? If not, it’s time you did. Now let’s talk about business. What if this was your office? How many employees are there? Would they know where to meet up after a fire event that wiped out the office building? This is a real simple, easy, no cost aspect of a disaster recovery/emergency plan. This is not the only aspect that is real simple and no cost. There are many things like this you can implement. Even setting policy isn’t all that difficult and it usually has no cost either, aside from the time you spend developing and explaining it. It’s just about having a plan. Thinking through what might happen and then making a plan in case it does. It’s educating everyone involved as to what that plan is. Also, it’s practicing. Remember fire drills in school? Same thing.

The Adkins family was lucky even if they did lose their house and belongings. They didn’t lose anybody. And that’s because they had a plan, and I’d bet you a whole lot they practiced it with those children. So – how about you spend some time together and make a similar plan – at home – and at work. There are many more items you could add besides where to meet, such as a phone tree, and procedures to follow so people don’t have to make decisions under the duress of the situation. It’s worth the effort.

Prepare for Zombies in Disaster Recovery Plan

This is too funny. It’s on the CDC website and it is how to prepare for a Zombie attack.

http://emergency.cdc.gov/socialmedia/zombies_blog.asp

They even have a badge and widget you can download to include in your materials!

Okay – it’s funny, but it gets the point across. Maybe you don’t have to plan for a Zombie attack, but should you be thinking about the next tornado, hurricane, or server hard drive failure? The theory is all the same. No matter what the disaster might be, you should have thought of it ahead of time, and made a plan for it.

It’s not fun to think about these things. But it is reassuring when you have done just that to know you have a plan in place! It makes you feel more secure. You can explain how things will go to your children and not scare them. You will have demonstrated to your employees that you care enough to bother to worry about their well being and their future.

Start small. Just do a little bit each day. It won’t take but a few weeks and you will have a full blown emergency response, disaster recovery, and business continuity plan under way.

Use understudies as a result of risk analysis

Use the same concept that the theater industry does for plays. They use understudies. The definition of an understudy is: to study (a role or part) so as to be able to replace the usual actor or actress if necessary. It’s the ‘if necessary’ part that is interesting.

When would it be necessary in your business to have an understudy? If the salesperson who was supposed to make it to the big important meeting is held up at the airport due to mechanical or weather delays? You wouldn’t be able to send a different person, but you could quickly set up a virtual conference so another person could virtually attend the meeting. What other situations? Cross-train employees. Substitute equipment. There are a lot of situations where if the original is not available for any reason at all, you could have a plan B all set and ready to go, just in case.

Just in case of what? It would be anything that could cause your business to not support its clients and do business. That is what risk analysis is all about. Identifying the potential problems and then making a plan to deal with them should they occur is taking preventive action. It’s always better to be preventive than corrective. But to do it, you have to think about it ahead of time – before it happens!

Insurance is not Disaster Recovery

Buying insurance is indeed a good idea. It is an inexpensive way to mitigate potential loss. However, there are some things that having insurance does not help with. In risk analysis, the first step is identifying the risks. The next step is to qualify those risks for probability and impact. As a result you can determine which risks you need to do something about and which are of little concern. For the ones you need to act on, you make response plans. One type of response plan is to transfer the risk. Give the problem to someone else. Buying insurance is a type of transference. The problem with insurance is that if the valuable that is insured is lost (as in destroyed or stolen etc.) you get money. You get money to compensate for that loss. However, it’s not always about the money, is it? The irreplaceable videos of your family vacations, or photos of your daughter’s wedding, or the old family heirloom photos cannot be replaced with money. They would be gone. Gone forever and that’s that. In business, it’s the same thing. If there is valuable and irreplaceable data (an original engineering concept diagram or other unique piece of information) that is lost, stolen or destroyed, it’s gone. Once it’s gone, it’s gone and no amount of money will replace it. It’s actually the same thing with our lives. That’s what life insurance is. When someone passes away there is a payout of money. That’s good, but it’s not the same as still having your Mom around. Believe me!

So, what we need to do, besides having insurance, is to protect that valuable possession or data. That’s why people store things like irreplaceable photos in a safe or safety deposit box. A business needs to find a ‘safety deposit box’ type of protection for its data. This is part of disaster recovery planning, which is an integral part of business continuity planning. The point is to put plans in place so that no matter what happens, you can continue to support your customers, and continue in business in spite of the disastrous event. Find a ‘safety deposit box’ type of protection for data. That might be backing up into the cloud, it might be redundant data storage servers, or it might be a proper tape rotation with offsite storage secured by a company in that business. I’m not saying which method you need to use. That is unique to your situation. What I am saying is that you’d better come up with a backup strategy that works for you to protect what you have. We all now know that the loss will occur, at some time. If you are prepared, you and your company will survive it. If you are not prepared, it could mean you are out of business.

Risk Analysis should address the big odd risk

In our usual risk analysis in most projects and in most companies, it is easy to find the obvious potential risks. But that is not what disaster recovery planning should be about. It should be about the big, low-probability, high-impact risks. Those are the ones that cause disaster. The typical “it might snow a lot and people won’t be able to get to work on time” type of risks are just part of life and doing business. Those problems should be dealt with as part of the general management plan. It’s the same thing in projects. The risk that there might not be enough resources available to perform the tasks at a particular time is very common. That is not going to cause a disaster; it’s certainly going to be annoying and could even cause a project to fail. However, it is not hard to identify that as a potential risk. And if it is quite likely, then it should be dealt with as part of the project plan, not as a risk.

Disaster recovery planning is a part of business continuity planning. Risk analysis needs to be done to identify the big, low-probability, high-impact risks that could cause a real disaster and stop your company from providing its services and supporting clients. The day-to-day typical risks don’t usually stop a company from performing its job. They may hinder it, and it may not perform up to par, but they are not likely to put it out of business. Disasters will put it out of business. So it is those things that you want to be looking for and making contingency plans for.

This is the real challenge of risk identification in disaster recovery planning, but it is the purpose of business continuity planning: so your company can actually survive and continue to work through the disastrous event.

Fail Safe = Disaster Recovery

Today I had the best conversation with a most delightful gentleman. He had been a process engineer. He uses the term ‘fail-safe engineering’ to describe building in the ability to manufacture to complete the deliverable – no matter what happens. Isn’t that just what business continuity and disaster recovery planning are all about? Isn’t that what you are concerned about being able to do - deliver?

What’s your fail-safe plan for your most critical business process? Do you have a fail-safe in place for all your processes, data, systems, people? If not, you haven’t done enough risk analysis to identify the vulnerabilities and threats that exist. Once you know what your critical business processes and other artifacts are, you can find all the risks. Then you can start to add in fail-safe mechanisms. They include data backup processes, secondary systems, cross training, and much more. Start by identifying your critical business process path first, and everything attached to it. Find ways to build fail-safe mechanisms into the design. It is not as difficult to build a disaster recovery plan if you know the processes and dependencies and the risks.

Use that term, ‘fail-safe’ at work tomorrow and see if you have any built into your processes. See if there really is proper protection and safety built in to protect your systems and people. If not, it might be a good time to start the discussion.

Create a culture of safety through disaster recovery planning

If all the employees and decision makers consider safety as one of the first and most important priorities, they will be less likely to take risks and make risky choices. That kind of organizational culture leads to a place where there are few mistakes and disasters can be managed. There is an overriding sense of control. Having that kind of aura can give employees a sense of security, even sanity in a crazy world.

“Just knowing that someone who is in charge is thinking about my well being is reassuring and allows me to focus on the job at hand”.

If you want a bit more of a sense of loyalty from your staff, think about offering them a place to work where their safety and security are top priority. Be up front about it. Let everyone know what plans and procedures are in place. Be transparent about your disaster recovery and business continuity planning. Ask them for their input and concerns to continually build up the risk analysis process to include what they see as problems. Make roles and responsibilities for every person so they are all part of the plan. Keep people informed by being open and honest about the risks and the responses, and involve everyone.

You will find that there will be a natural tendency to develop a community spirit around this topic, which can open the path to better communication and relationships among co-workers.
