The SB “Business Continuity Plan” is something I have been plugging away at for a couple years now…..but it has always been relegated to a lower priority because keeping hardware running and helping the team with glitches and tasks has always taken precedence. Sound familiar?
When I started at SB 3 ½ years ago we had a written plan that someone put a lot of work into, but when I inherited it, I felt it seemed more “theory” than “action”. Luckily, it gave me a great base to build on in my quest to mitigate for many scenarios and enhance our resources.
Let me tell you some things we’re doing for “Business Continuity” (sometimes called “Disaster Recovery”) to get you contemplating whether you are doing enough. Oh wait … I’ve taken your computers away for a week … so Abracadabra … you’ve got yours back just long enough to read this.
First and foremost, at SB we run full data back-ups every weekend with “differential” back-ups every week night. That means that only the things that changed since the last full back-up are copied to tape. A full back-up here takes about 20 hours, so doing that every night doesn’t make sense. Weekly tapes are kept for a month, Monthly tapes are kept for a year, and once per year I keep a tape forever. Next, for safety and security those tapes are transported to a “vault” company such as Securit or Iron Mountain. Why? Well, what if we had a fire in our server room or office, right where the main computer/servers and the back-up tapes were located? Main files – gone, back-ups – gone.
We also have several lines of defence, because being proactive at security is part of Business Continuity. Getting hacked or suffering a virus attack can completely corrupt your programs and data. Therefore, we have a Firewall (special hardware unit filtering the incoming internet connection), we have SPAM and virus filtering specifically for email, and on every server and workstation we have “Anti-Malware”, aka anti-virus and anti-spyware. These scanners are set to check for updates every 4 hours from the provider – but that doesn’t guarantee they’ll work because virus scanners are always trying to catch up with the new variations “designers” create. Our final line of defence is our incredible staff (in my humble opinion). We have policies laying out rules for computer and internet use, but more importantly we often remind them to be alert and diligent – and when particular kinds of viruses are hitting hard or “phishing” emails are getting through our SPAM filter, I send out advisories. (Phishing is when someone is trying to get your personal information for identity theft.)
Windows Updates are also important. These are patches that Microsoft releases once or twice per month, including the “Malicious Software Removal Tool”. If your computers use Windows and you don’t have an IT Department that uses WSUS (Windows Software Update Services), then be sure you have the Windows Update setting in your Control Panel set to download and install updates automatically – and don’t put off rebooting too long. That’s important too so the updates can take full effect.
Those are the basics. If a hardware Firewall is overkill for your company, then please at least use Firewall software like Windows Firewall or the component that comes with Trend OfficeScan, Trend Security Suite, MacAfee Protection or CA eTrust.
From the basics we move into things like having vendors familiar with our company to be able to help us out quickly if our equipment fails or is stolen or damaged (of course we’ve bought a good extended warranty package for on-site service, but that’s only helpful for day to day issues). Tools we use in trying to be proactive include monitoring software that sends me a text 24/7 regarding any server or power failures. As well, all of our key servers and machines use Uninterruptable Power Supply (UPS) devices for helping with power bumps, drops and outages. For the staff, I’ve created a library on our intranet of helpful documents to reference if I’m unavailable.
Shortly after I came to SB Partners, we had what is categorized as a “catastrophic failure” when our entire internal phone system died quickly – and painfully for those of us left trying to cope. This was my first foray into Disaster Recovery, and let me tell you it wasn’t fun. Our business relies heavily on phone communication. As a contingency, we now have an “Intelligent Routing Services” (Switch Redirect) agreement with our phone provider.
So, the phones are looked after, but what about the rest? Considerations are loss of power, work space, internet, and our critical tools….the servers and/or computers. Two contingencies are in place to help us here. Firstly, working remotely via a system we have called Citrix. If the office is unusable but the power and Citrix servers stay on, staff can work from home. You may have also heard of an alternative to Citrix called VPN. For smaller businesses, there are tools like Remote Desktop or GoToMyPC.
Secondly, for the really big disasters, as a temporary measure we can receive assistance from “Agility Recovery Solutions”. For a monthly fee, we have the ability to “declare a disaster” whereupon Agility would provide to us, within 48 hours, any combination of trailers with office space, desks, chairs, servers, computers, printers, phones, communication satellite, generator, and don’t forget the “lavatory trailer”!
Keeping in mind that leased computers from Agility would still have to be loaded with our specific software, we have a consulting firm on call for assistance, and we have all of our software and licensing information uploaded to the Agility website, which I try to ensure is updated continually. Our vendor list is also uploaded as is contact info for all staff. Any piece of information we would need to recover from any kind or size of disaster should be available to us by logging on over the internet and knowing the password (or by calling in and giving our unique ID number).
What I’ve talked about so far are all very physical failures. Our Business Continuity Committee now meets twice monthly to brainstorm procedures on the softer side of keeping the business running as well…..that being the human side. What would we do if our CEO passed away, or the COO, or the Office Manager? What if the heating or air conditioning was malfunctioning making the office unbearably cold or hot? What if we had a pandemic? What if I smacked head first into a tree while out ziplining? (I saw someone do this last year – I have no idea where they were looking!)
On our committee we have representation from all sections of the staff to try to get every perspective in planning for these disasters. Even so, once we are finished brainstorming sessions and have created procedures, we will still need to do the most important step – and that is to test our plans. The proof is not in the pudding, it’s in the testing.
In the end we hope to have a binder full of tabs, full of procedures, full of answers…..so that if someone asked us, “If I took your computers away for a week, how would you work?”, we could reply, “No problem. I’ll just find the answer in the Business Continuity Plan.”