Business Continuity Planning (BCP) teaches us to expect the unexpected, but did any of us actually plan for disruption on this level? Covid 19 arrived unexpectedly, and immediately exposed flaws and weaknesses in the plans of companies across the globe, impacting business operations and supply chain across the globe.
As a data centre provider, we instinctively think of the worst case scenario - and then double it. The mindset of - “What’s the worst that could happen? Ok, so what else could go wrong after that?” might seem somewhat macabre, but that’s our job. We have to keep the lights on, no matter what. And we do. But it’s fair to say that many, many companies have struggled with business continuity over the past few weeks - even those that had plans in place. It’s also fair to say that the principles of some of the most rigorous disaster recovery plans won’t have stood up to a global pandemic.
Most Business Continuity Plans focus on the failure of the IT systems, and we’re all well versed in the fight against computer viruses. But Covid 19 attacks people, not computers. It’s not the infrastructure that has suddenly become unavailable, it’s your people. This time, you can’t move your people away from the compromised site to an off-site back-up location. This time, it’s your people that are the compromise. And this time, technology is the solution, not the problem.
Even businesses that were ticking a lot of the BCP boxes with cloud based infrastructures, regular homeworkers, VPNs etc. have struggled, because not many of us (if any of us) have fully tested BCP for this type of scenario. Have you ever suddenly shut down your offices, sent everybody home and tried to get 500 staff to connect to the company network via VPN? How did your firewalls cope with that?
The benefits, and the importance, of cloud based computing infrastructures have really come to the forefront through all of this. Businesses that were already fully migrated to the cloud and utilising cloud based communication platforms, hosted desktop solutions and document storage / file sharing are the businesses that are now winning, while the rest are winging it.
But what can we learn from all of this? And how will times change?
Plan for the next pandemic
Business continuity plans should be updated regularly anyway, so make sure that you learn from the current situation and improve your plans for next time. And there probably will be a next time… since 2003 the world has witnessed outbreaks in Bird Flu, SARS, MERS and Ebola. It’s not beyond the realms of possibility for this to happen again. And if it doesn’t, well at least you were prepared.
Think about which core services you must categorically keep running in order to maintain business continuity. Which systems are business critical, and which can you manage without?
Talk to your suppliers - could their lack of business continuity let you down? Include employees and stakeholders in your planning discussions and take their concerns on board. The workers at the coalface will bring a different perspective on the ideas to be considered.
You’ve identified business critical systems, now think about business critical workers. Who are your key workers? List these people in your plans and ensure that they have a way of continuing with their duties if they are no longer physically part of the team.
Consider health and safety. When we plan for computer viruses, we don’t have to think about cross infections with human beings. This time, we do. If you have staff that need to be on site as business critical workers, how are you going to ensure their safety? What happens if they have to leave the business and go into isolation? Will the site run without them? Who will take their place?
And don’t forget security. Just because a virus is attacking humans, don’t think that the viruses that attack computers will go away. If anything, this is a prime time for hackers and cyber criminals to expose loopholes in your systems, because most of your workforce are working from home - potentially on old hardware running out of support software on unsecured WiFi. Make sure business critical workers have access to company issued hardware and that your IT security is patched, up-to-date and monitored. Make sure workers are adhering to BYOD (Bring Your Own Device) policies (if you don’t have one, get one) and consider Mobile Device Management (MDM) and Multi Factor Authentication (MFA).
Test your business continuity plans
Up until now, Business Continuity Planning has been a bit of a tick box exercise for a lot of companies. How many of you can honestly put your hands up and say that you’ve carried out full and regular BCP testing?
You may have tested certain sites, but never tested a company-wide shut down. You may have assumed that because ad-hoc homeworking is the norm, then everything’s hunky dory. But as businesses have discovered, there’s a big difference between the odd bit of home working and company wide remote working - especially from the point of view of your servers.
Ensuring the survival of your business during, and immediately after any crisis is essential, but our experience of Covid 19 from a business perspective is likely to result in us all making some pretty permanent changes to the way we work.
There should be a new norm after this.
From considerations about where our data sits, to workplace recovery plans for key workers and even whether or not we need an office at all - things will change. We’re used to planning for the less severe, but equally disruptive scenarios of fires, outages and thefts, but don’t let the infrequency of pandemics push the associated risks to the back of your mind. Keep the inevitability of pandemic on the radar - think of the worst case scenario, then double it.