Disaster planning for the ‘little’ disruption
March 5, 2018
By Michael Ritsema, Principal & President of i3 Business Solutions, LLC
I had good intentions. I knew it should be a priority, but the demands of running a small business consumed my days.
Every small business owner should have a Disaster Recovery (DR) plan, also known as a Business Continuity (BC) plan. I said it, discussed it with clients, believed it, but didn’t have a plan for i3 Business Solutions, LLC.
As a small business owner, if you’re like me, the day-to-day and week-to-week priorities kept pushing that DR project to the side. Moving the Disaster Recovery Plan to the top of the priority list took i3 Business Solutions about a decade. The impetus? We moved from a modern class A brick and steel office building to a cool 150-year-old downtown tinderbox warehouse. I literally woke up at night thinking, “Our office could go up in smoke at any moment.”
As a technology service business, our DR Plan focused on technological continuity and was a requirement for our CompTIA Security Trustmark certification. We did the work and have some recommendations for you.
First, every small business owner or executive has four primary responsibilities:
- Grow profitability
- Improve productivity
- Innovate to differentiate
- Mitigate risk
Second, I maintain that the highest priority for any business is risk mitigation:
- Financial (don’t go bankrupt)
- Physical (keep stuff from going out the back door)
- Technological (don’t lose everything to ransomware)
Within a year after we wrote our DR Plan, the Grand River in Grand Rapids, MI approached the 100-year floodplain, setting a 100-year record with a crest of nearly 25’. Our office is on the West Side of Grand Rapids and was within a foot or two of disaster. My partner, Kathy, called a meeting and we hauled out our DR Plan. While considering the ramifications of limited or no access to our building, we quickly realized that the electronic access system was the only way into the building. If the ‘creek rises’, the Grand River floods our neighborhood, and power is shut down, then we can’t get into our building. We updated our DR Plan and acquired physical keys to the building from our landlord. Three of us now carry physical keys to the building.
How about you? Have you considered the ramifications of a disaster or crisis based on any or some of the above priorities and responsibilities?
I can assure you that your disaster will not come in the form of wildfire, hurricane, flood, tornado, or mudslides. Heck, Michigan is thin to bare on physical calamity. I submit that you should do some disaster planning around:
- Financial intrusion into your systems, driving theft or an inadvertent EFT, ACH transfer, or cashier’s check
- Technology theft of physical equipment or cloud data
- Complete information data loss or encryption
Disaster scenarios and their planned responses are legendary. During the calamitous Hurricane Katrina of 2005, IBM Corp. executed the Business Continuity plan for a number of its customers in the southern states. They ran into one problem. Employees in the area weren’t interested in executing the DR plan. Why? They were busy taking care of their families, homes, and friends. Business took a back seat to people, family, and daily life.
There’s lesson number one. Your disaster planning must start with people. That includes a communication plan with accessible cell phone numbers, home email addresses, and a decision on who ‘calls the ball’ on activating a DR move or Business Continuity execution.
Your DR plan can be basic or complex. It should address scenarios including financial, physical, and technological disasters. Those lines are all blurring, as business disasters now include spear-phishing of executive assistants and secondary financial employees.
We’re aware of numerous examples, right here in West Michigan, where ACH bank funds in excess of $40,000 were moved and physical checks in excess of $80,000 were mailed due to cyber-intrusions. The former was the result of vendor email address spoofing; the latter was the result of a password breach combined with standard mailbox rules that hid the replies from the account owner.
According to the Ponemon Institute, 86% of small businesses experienced technology downtime in the last year, and 60% of those instances were due to human error. I repeat: there are high odds that your disaster will not be a huge headline grabber and will not come from a natural disaster, but may be a ‘little disaster’ that comes from an “Oops, I opened that document,” or an “Oops, I thought that directive came from you.”
Your action plan or mandate includes:
- Gather your key company players for a 30-minute meeting to discuss this article.
- Ask the question, “Are we prepared for the 3 scenarios described above?”
- Then ask, “Should we invest 4 – 12 hours preparing a simple or thorough DR plan?”
Finally, Google “steps to mitigating a disaster” or call a financial, legal, or technology professional to help put together a recovery plan.