BECOMING DISASTER PROOF
Whether you are looking at the current Coronavirus Pandemic, the recent Australian bushfires, or the September 11 terrorist attack, disasters are always unexpected. It's all too easy in good times to assume that the unthinkable will never happen. When it does happen, it's too late unless you are already prepared. Businesses with a good business continuity or disaster recovery plan will usually be able to survive, while those who were unprepared may perish.
A lack of sufficient preparation has caused the loss of irreplaceable music and the destruction of the world's ancient knowledge and written history. According to the US Federal Emergency Management Agency (cited by CompTIA), 65% of businesses fail within two years of a natural disaster, and 60% after a data loss. According to the US National Archives and Records Administration, only 7% of companies survive a data centre outage lasting over ten days.
As terrifying as these statistics are, it is certainly possible to plan for the unthinkable and become disaster-proof. Becoming disaster-proof involves careful planning and active consideration of the various types of events your business may have to prepare for, to survive. A few of these include:
1. Epidemics and Pandemics
The ongoing Coronavirus pandemic is giving many organisations the fight of their lives.
Offices are not allowed to open, with employees required to work from home. Service businesses such as fitness centres or dance studios are being told they may have to hibernate for up to a year.
Lockdowns and shelter-in-place orders prevent customers from coming in. And while some businesses deemed essential are facing high workloads, supply and logistics issues are making life difficult for everyone. If a prolonged pandemic leads to a severe global recession and high levels of unemployment, customers may not have money to spend.
The current situation presents every business in the world with an unprecedented challenge. The only question is whether you are able and willing to rise to that challenge. Given the current situation, it's worth discussing what can be done right now, with whatever resources are available.
Stay engaged with your customers and continue to sell.
Have you spoken to your customers since the situation started? What about your future customers?
Your competitors may be aggressively making plans to survive into the future. Consumers may be daydreaming about a time in which they'll be able to go out and enjoy themselves. Other businesses are planning future production, and considering what products and services they will need. The future may not look the same as the past, and the type and quantity of products or services you sell may change. Being proactive, responsive, and ambitious during difficult times can turn a big problem into an even greater opportunity.
Businesses selling high-volume products can take deposits for pre-orders. A deposit now could allow pre-order of a product available after lockdown at a discounted price. Coupons and gift vouchers can be sold now and redeemed later. Businesses serving consumers should keep in mind that every day, people have birthdays and anniversaries. Gift vouchers for your products or services might be the best presents anyone in lockdown can give to their family and friends.
With lower-cost products and services for customers, discounts, coupons, and competitions with prizes can help you build up your client base and keep your brand on their mind during the long days locked in our homes with our kids and the dog. Your customers need something to hope for, and so do you.
Keeping your website up to date will show that you still exist and are here to stay. Phone calls need to be answered with a cheerful voice and professionalism, no matter how challenging that may be.
Responding proactively will keep your customers engaged, keep the cash flowing, and demonstrate to creditors that it's worthwhile to wait.
Provide essential services if you can.
Currently, countless passenger planes are flying around the world with boxes of medical supplies on the seats, secured with newly designed netting and seat cargo kits.
Some manufacturers are making ventilators instead of car parts, or face masks instead of t-shirts. Wholesale suppliers of meat to restaurants are delivering smaller retail packages to home users instead. At least one New Zealand manufacturer appears to be doing rather well producing locally made hand sanitiser that is selling in stores at the record price of $10 a bottle.
Not every business can pivot from a product or service that is unviable during the pandemic towards other more urgent requirements. Those businesses that can, however, will have the best chance to survive.
If you'd like a friendly chat with someone trained to help businesses respond to the unexpected, please give us a call. We'd be happy to help come up with ideas and see if there is some way we can make a difference.
Stay Strong and Friendly.
Pandemics are more prolonged than other disasters, lasting a year or more, while most other events are sharp shocks that cause damage but give plenty of time to recover. Pandemics are also global in nature, so every supplier and every customer you have is in this together with you. Remember that this is a marathon and not a sprint, and plan carefully for your endurance.
A big part of the outcome with suppliers, customers, creditors, and debtors will depend on how you present yourself. Stay strong. If you're working through Zoom or Skype video calls, make sure you have a professional microphone and a decent camera. We can get one shipped to you even during the lockdown. Always dress professionally and be ready to show your customers that your business is confident, strong, and meeting the challenge.
2. Fires, Floods, Earthquakes, and Natural Disasters
Events that insurance companies call 'acts of God' can quickly bring a business to its knees. Insurance may cover the loss of buildings, plant and equipment, but is unlikely to restore your customer lists, your accounts receivable, and all of the irreplaceable business data without which the company cannot function.
Yet a business that has planned its continuity can often bounce back from the brink of disaster. One of our customers lost their entire office to the Brisbane Floods in 2011. However, they were able to continue operating with staff working from their homes, because their data was backed up offsite and critical IT services had redundant offsite backups. They were open for business the day after the worst floods in Brisbane's modern history, floods in which parked cars floated down the street, thirty-five people died, and the total damage bill came to AU $2.38 billion.
Another example of how crucial offsite backup is was the situation at the Twin Towers in New York on September 11, 2001. Many businesses based in the Twin Towers had their data centres located 'safely' in the basement of the same building as their head office. A few, however, had up-to-date redundant data centres in locations outside New York City, and their branch offices were able to continue trading. Others kept all of their data in the basement, and added to the tragedy and loss of life by putting all of their surviving employees located outside of New York out of work when the business failed as a whole.
To be prepared, an organisation must have:
It is possible to get comprehensive insurance for these types of events, and while it may not be cheap, it's extremely important for any business that wants to be sure it will 'be there in the long run'. Insurance costs can be managed by seeing a good insurance broker and carefully comparing policies and prices.
A copy of all critical business data must be kept well away from the main office. In the case of a fire, keeping some up-to-date backup drives at someone's home may be enough, but in the case of an earthquake or flood, that home may also be lost. One suitable solution is a combination of cloud and offsite backup, with tape backups sent to a secure location in a different city.
Backups need to be tested. Between 42% (Microsoft) and 77% (Storage Manager) of tape backups fail to restore, and the likelihood is that backups on disk media may be no better. NetExperts can test your backups and help you to plan and implement a 'business continuity drill' where we attempt to restore your data and get a copy of your systems working in an alternate data centre.
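A restore drill of the kind described above can be scripted. The following is an added example, not NetExperts' tooling or anything from the original article: it backs up a constructed sample data set to a tar.gz archive, records a SHA-256 manifest at backup time, restores the archive into a fresh directory, and verifies every file against the manifest. The `corrupt_media` option truncates the archive after it is written, standing in for a damaged tape or a dying disk, so the drill reports the failure instead of silently assuming the backup is good. File names and contents are constructed for the example.

```python
"""Added example: a minimal backup-and-restore drill with integrity verification.

A backup that has never been restored and checked should be treated as if it
does not exist. This script backs up constructed sample data, restores it, and
compares each restored file with the digest recorded at backup time.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return manifest


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore the archive and return a list of problems (empty means success)."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Refuse absolute paths, "..", and links escaping the target (3.12+).
                tar.extractall(restore_dir, filter="data")
            except TypeError:  # older Python without the extraction filter argument
                tar.extractall(restore_dir)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        # Unreadable media: the restore never even completes.
        return [f"restore failed: {exc!r}"]

    restored = restore_dir / "data"
    problems = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def run_drill(corrupt_media: bool = False) -> list:
    """Run the full cycle on constructed data inside a temporary directory.

    With corrupt_media=True the archive is truncated after it is written, so
    the drill must report a failure rather than a clean restore.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "office"
        (source / "accounts").mkdir(parents=True)
        # Constructed sample business data.
        (source / "accounts" / "receivable.csv").write_text("client,amount\nExample Ltd,1200.00\n")
        (source / "customers.txt").write_text("constructed sample customer list\n")
        (source / "notes.md").write_text("# constructed sample notes\n")

        archive = base / "backup.tar.gz"
        manifest = make_backup(source, archive)
        if corrupt_media:
            archive.write_bytes(archive.read_bytes()[:20])  # simulate damaged media

        return restore_and_verify(archive, manifest, base / "restore")


if __name__ == "__main__":
    print("healthy media :", run_drill() or "restore verified")
    print("damaged media :", run_drill(corrupt_media=True))
```

The important design point is that the manifest is taken from the live data at backup time and stored separately from the archive; verifying an archive against digests stored inside the same archive proves nothing if the medium itself is failing.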
While the ability to work from home is industry-specific, every company can prepare for at least part of its workforce to work from home, and this may help if it takes time to locate a new building and restart. Being able to answer phone calls, do sales, explain the situation for clients and secure their loyalty for when business can return to normal will make a significant difference to the outcome.
Disaster recovery plans are specific to each business, but in every case the hardware, software, data, procedures, and people must all be up to the challenge when called upon.
3. Cyberattack and Employee Sabotage.
Being hacked may seem unlikely, something you may have seen in the movies or read about in the news. Yet small to medium businesses without full-time cyber-security experts are the number one target of hackers worldwide. According to the US National Cyber-Security Alliance, 70% of cyber-attacks target small business, and nearly half of America's small businesses have experienced such an attack.
The best way to guarantee the retention of data in the case of cyber-attack is secure, offsite data storage. This strategy may not be enough, however, to prevent confidential data from being stolen and posted publicly, or other misadventures such as believable fake invoices sent to your clients with a hacker's temporary banking details in place of your own. Employee sabotage is a particularly serious risk, since insiders with knowledge of your business may have options to breach your security that an outsider would not have.
The preparations to avoid employee sabotage or getting hacked are quite involved. But the basics are fairly simple. Make sure you know your people, and that they are happy in their jobs. If there is someone you do not get along with, either fix it or fire them. Do not allow someone who may dislike you or your business to turn up at work and have access to your internal systems, even if they are not personally computer literate. Not even for an hour. Make sure your computers run a specialised internet security package. Kaspersky Small Office Security has worked well for us with clients with up to about a hundred PCs and half a dozen servers. It's quite affordable for small businesses, with multi-year plans available.
The rest of it involves working with an IT consulting or specialised cyber-security company, making sure your data backup regime is up to scratch, and that highly confidential data like trade secrets or client records are either offline or encrypted.
As discussed earlier in this article, an unplugged backup of data offsite cannot be altered or erased. In case of employee sabotage or a carefully organised cyber-attack, it is critical that this second set of data be stored securely and that those wishing you malice have no way to steal or destroy it.
Having multiple copies of data in different places is a great solution for both this situation and natural disasters. But it is also important that remote data storage locations are safe and can only be accessed by those who should be there.
Some applications, like WordPress and even Microsoft Office, have a reputation for being regularly hacked. Computers with these applications running on them can expose the whole network to security risk, so suitable protection must be in place.
As a basic principle, each computer or employee should only have access to the data they actually need when they really need it. Such an approach may introduce some inconvenience, but it's a lot less inconvenient than getting hacked.
If an email asks you to do something, just don't do it. Anyone can easily send an email pretending to be from almost anyone else. Various techniques like SPF have reduced this risk, but nothing can eliminate it, especially if your computer has been compromised. If an email asks you to click on a link to log into some system that requires a password, do not use the link. Open the website or application in the normal way, and if it was a task you were not about to do anyway, check by phone first.
If an invoice has bank details on it, do not trust those bank details to be correct since the email may have been intercepted. We've had clients make this mistake on a couple of occasions. If the company's bank details have not actually changed, use the old ones. If bank details have changed, call the company with a phone number you already have on record, speak to someone you preferably already know, and reconfirm the details.
Otherwise, call and double-check with the bank. This minor inconvenience, once per time a client changes their bank details, could avoid you sending money to a cyber-criminal. If you pay a fake invoice into the real supplier's bank account, they'll either keep the money in credit for your next order or refund it to you.
The best way to avoid leaking secrets under duress is to not know the secret in the first place. Otherwise, even the spy agencies of nation-states can have significant difficulties keeping the lid on confidential information.
This is the security counterpart to having an 'unplugged' network. No one will ever get your secret recipe of herbs and spices, your manufacturing trade secret, or your customers' credit card numbers if you do not have them online in the first place. Similarly, patents are a lot safer in the long run than keeping your processes or technology secret.
Even machines disconnected from the internet can be vulnerable if your employees transfer data to them on USB sticks, or someone cheats by plugging in a wireless dongle to just do that 'one quick download' before they go home for the day.
A compromised laptop or phone with a webcam can record video and audio. If a person can be heard typing, and the sound recording is long enough, techniques that match the sound of each key press against the statistical frequency with which keys are pressed can 'crack the code' and recover the password. It may sound like a difficult technique, but there are services on the darknet that will do it for a small fee.
If you do have to retain extremely sensitive and confidential data, one way to do so safely is to rely on encryption with a key that is kept off the network entirely.
This key can be stored on a device such as a USB stick, or even written on a piece of paper. Providing the key is not retained on the network, and that there is no way for a cyber-attacker to steal it, they cannot get to your confidential data. Keys can be sufficiently long that any attempt to 'brute force attack' by trying every possible key could take thousands or even millions of years. Just make sure you have reliable copies of the key printed on paper, stored in secure places, since if you lose the key, you've lost the data forever.
At many of the IT security conferences over the years, a common theme is the ease with which a person with hostile intent can defeat physical locks or impersonate a friendly IT technician and gain access to the inside of the business network. Behind any firewalls or security features that prevent breaches from the outside world, they can exploit various software vulnerabilities to easily do what they please.
To keep the network safe, employees must not allow unknown people to enter the office, even if they look like they are there for a good reason. People who are unfamiliar should be stopped, and their employee ID checked for validity against a secure database. Small businesses, in particular, should not trust a technician who turns up at the door to make repairs unless they know and trust both the individual and the organisation they represent.
Always check by phone with someone in authority, and always ask a new person for ID if they will be able to gain access to the inside of the network. A healthy distrust of emails can also prevent "phishing" attacks, in which a fake email purporting to be from a bank, corporate IT, or some other reputable source will direct the user to a login screen that looks genuine, but is not. Via that login screen, the hacker can obtain a legitimate username and password to be used later.
The best way to avoid problems with disgruntled employees is to keep morale high. Be aware of what is going on with your people. Avoid workplace bullying of any type, and if you do need to fire someone, do it swiftly and in a way that minimises any bad feelings from that person or their co-workers.
Additionally, each employee should have their own username and password to access your business files, and these usernames and passwords must not be shared. Many companies with highly sensitive files or trade secrets will go further and require the use of fingerprint readers or smart cards. Where someone has their employment terminated, their username and password should immediately be deactivated in all systems, and the employee must be closely supervised until escorted off the premises.
This is particularly important with skilled IT staff. If there has been any sign that a staff member does not have strong professional ethics or has financial stress or family issues, the resulting risks should not ever be ignored.
Even banks have been guilty of helping someone in an emergency print a key document from a USB stick, but once a properly prepared USB stick has been plugged into a computer inside your business network, it's often too late. Refusing such a service may not keep customers happy, particularly if your business requires customers to submit files or electronic documents. In such a case, having a PC and printer outside of the corporate network, and perhaps a secure guest wifi access point will help legitimate customers without opening your door to cyberattack.
When remote desktop software is used, passwords must be secure and sufficiently difficult to guess, given that an attacker's machines can run dictionary attacks at up to a billion guesses per second. A good guideline is to check the How Secure is My Password website.
Make sure your applications and network have provisions in place to prevent 'brute force' attacks. If a user tries to log in a hundred times per minute with various passwords, it's unlikely to be a legitimate user. You should be able to know about it, and should certainly deal with it.
One solution is a policy that blocks login for a specific location or user account after several false password guesses. Another involves tools by Google and others that make a human identify images or solve a puzzle each time they make a password guess. Internet security tools like Kaspersky Small Office Security may also help. Ultimately, the goal is to limit access to the right people, with the right passwords, signing in from valid locations at reasonable times of day.
Far too many people use the word 'password', or their name, their date of birth, their pet's or children's names, the street where they live, or other easily guessable data as their passwords, or alternatively they use passwords that are too short. The ideal password is an entire sentence that can be typed easily, such as 'the rain in Spain stays mainly on the plain'. And please don't use that particular example.
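To make the "billion guesses per second" figure concrete, and to show why a sentence beats a short password and why a long encryption key (as discussed under the offline-key section above) is out of reach of brute force altogether, here is an added example. It is not from the original article or from NetExperts; the attacker model (a billion guesses per second, a 10,000-word dictionary for word-by-word guessing), the 12-character minimum length and the `personal_facts` check are assumptions made for the example.

```python
"""Added example: estimating brute-force and dictionary attack time, and
flagging the guessable passwords the text warns about. All thresholds and the
attacker model are assumptions, not figures from the article."""
import string

GUESSES_PER_SECOND = 1_000_000_000  # assumed attacker speed, as the text describes
DICTIONARY_WORDS = 10_000           # assumed size of the attacker's word list
MIN_LENGTH = 12                     # assumed policy minimum; the text gives no number
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an attacker would assume once they see one member used.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def charset_size(password: str) -> int:
    """Size of the combined character classes the password draws from."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))


def brute_force_years(password: str) -> float:
    """Years to try every string of this length over the same character classes."""
    search_space = charset_size(password) ** len(password)
    return search_space / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def dictionary_years(passphrase: str) -> float:
    """Years if the attacker guesses a sentence word-by-word from a dictionary.

    This is the realistic model for a passphrase: the attacker does not try
    every character, they try every combination of common words.
    """
    word_count = len(passphrase.split())
    return DICTIONARY_WORDS ** word_count / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def key_search_years(key_bits: int) -> float:
    """Years to exhaust a random symmetric key of the given length."""
    return 2 ** key_bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def obvious_weaknesses(password: str, personal_facts: tuple = ()) -> list:
    """Return the reasons the text names for a password being easy to guess.

    personal_facts is the kind of data an attacker can learn about a person:
    their name, date of birth, pet's name, street. Constructed by the caller.
    """
    reasons = []
    lowered = password.lower()
    if lowered == "password":
        reasons.append("is the word 'password'")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for fact in personal_facts:
        if fact.lower() in lowered:
            reasons.append(f"contains personal detail '{fact}'")
    return reasons


if __name__ == "__main__":
    facts = ("Rex", "1984", "Queen Street")  # constructed personal details
    for candidate in ("password", "Rex1984", "Tr0ub4dor&3", "the rain in Spain stays mainly on the plain"):
        print(f"{candidate!r}: brute force {brute_force_years(candidate):.3g} years,"
              f" weaknesses {obvious_weaknesses(candidate, facts)}")
    print("word-by-word on the sentence:", f"{dictionary_years('the rain in Spain stays mainly on the plain'):.3g} years")
    print("exhausting a 128-bit key:", f"{key_search_years(128):.3g} years")
```

The two estimators answer different questions: `brute_force_years` is the worst case for an attacker who knows nothing about the password's structure, while `dictionary_years` is the relevant figure for a passphrase, because an attacker who suspects a sentence will guess words rather than characters. Even under that model a nine-word sentence is far beyond reach, while a seven-character pet-name-plus-year password falls in seconds.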
Where your access password can be reset via a message sent to your phone, it's all too easy to get around. A hacker can learn enough about you to call the phone company, pretend to be you, and get a replacement SIM card with your phone number and put it into their phone. They can then follow a lost password process to reset your passwords and get access to all your accounts and potentially your confidential business data in the cloud.
Remote logins from overseas should only be possible from a specific country if you actually have a staff member working in that country. Better still, you can configure remote access to be limited to a very specific set of remote locations such as your employees' homes. This one step is the fastest and most effective way of avoiding sudden problems while large numbers of your staff are working from home during emergencies. As long as their individual computers are secure and running suitable anti-virus and internet security software, hackers cannot get in from other locations.
If all of your employees are in New Zealand or Australia, remote access to your work network or employee-specific applications from overseas should be disabled from the outset. If you're not sure how to set this up, we are happy to help.
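The two controls described above, blocking an account after a burst of failed password guesses and only accepting remote logins from a known set of locations, can be evaluated together over an authentication log. The following is an added example and not code from the original article or from NetExperts: it parses constructed log lines in an assumed `auth: user=... src=... result=...` format, applies an allowlist of source networks (the documentation ranges 203.0.113.0/24 and 198.51.100.42 stand in for employees' home addresses), and locks an account after five failures within one minute (both numbers are assumed policy values). The log lines, user names and addresses are all constructed.

```python
"""Added example: evaluating an allowlist of remote-access sources and a
failed-login lockout policy over constructed authentication log lines.
The log format, policy numbers and addresses are assumptions for the example."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed allowlist: the networks remote staff are expected to connect from.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.42/32")]
MAX_FAILURES = 5               # assumed policy: lock an account after 5 failures ...
WINDOW = timedelta(minutes=1)  # ... that fall inside any one-minute window

# Assumed log format; real systems (RDP, VPN, SSH) each have their own.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: a normal login, a login from an unlisted network,
# a password-guessing burst against "bob", and a single honest mistake by "dave".
SAMPLE_LOG = """\
2020-04-06T09:00:00Z auth: user=alice src=203.0.113.9 result=OK
2020-04-06T09:00:05Z auth: user=carol src=192.0.2.55 result=OK
2020-04-06T09:01:00Z auth: user=bob src=203.0.113.7 result=FAIL
2020-04-06T09:01:04Z auth: user=bob src=203.0.113.7 result=FAIL
2020-04-06T09:01:08Z auth: user=bob src=203.0.113.7 result=FAIL
2020-04-06T09:01:12Z auth: user=bob src=203.0.113.7 result=FAIL
2020-04-06T09:01:16Z auth: user=bob src=203.0.113.7 result=FAIL
2020-04-06T09:01:20Z auth: user=bob src=203.0.113.7 result=OK
2020-04-06T09:30:00Z auth: user=dave src=203.0.113.20 result=FAIL
2020-04-06T09:45:00Z auth: user=dave src=203.0.113.20 result=OK
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    # "Z" is replaced so the timestamp parses on Python versions before 3.11.
    ts = datetime.fromisoformat(match["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": match["user"], "src": match["src"], "result": match["result"]}


def source_allowed(ip: str) -> bool:
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def evaluate(lines) -> dict:
    """Apply the allowlist and lockout policy to the log, in order.

    Returns accepted logins, denied attempts with the reason, and the accounts
    that were locked together with the time the lock was applied.
    """
    recent_failures = defaultdict(deque)  # user -> timestamps inside the window
    locked, accepted, denied = {}, [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        user, src, ts = event["user"], event["src"], event["ts"]
        if not source_allowed(src):
            denied.append((user, src, "source not in allowlist"))
            continue
        if user in locked:
            denied.append((user, src, "account locked"))
            continue
        if event["result"] == "OK":
            accepted.append(user)
            recent_failures[user].clear()  # a successful login resets the count
            continue
        window = recent_failures[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()  # drop failures older than the window
        if len(window) >= MAX_FAILURES:
            locked[user] = ts
            denied.append((user, src, f"locked after {MAX_FAILURES} failures within {WINDOW}"))
    return {"accepted": accepted, "denied": denied, "locked": locked}


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

In the sample, carol's login is refused before her password is even considered because her address is outside the allowlist, bob's account is locked at the fifth failure and his later correct password is still refused, and dave's single mistake fifteen minutes before a successful login never trips the threshold. In production the same logic would be enforced on the remote-access gateway itself, with the detector feeding an alert to whoever is on call.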
Many industries need to retain data such as tax records, patient notes, or proofs of workplace safety compliance that can reveal manufacturing process trade secrets. Often, those documents contain highly confidential information. If they do, they should be stored offsite. Media such as tape backups or even paper printouts should be stored in an appropriate location such as a data storage service, while local copies can be securely deleted once the offsite backup process is complete.
Where data is highly confidential, it may be beneficial to have a network of computers that are physically not connected to the internet or other external networks. Secure data is worked with on these machines, and data is transferred in a careful and appropriate way. Protocols can be used for data entering or leaving the network that are either difficult or near-impossible to compromise. We can help to plan and implement such solutions where they are appropriate.
Ultimately, one of the best solutions for locating and eliminating the risk of cyber-attack is penetration testing. This involves getting professional penetration testers (also known as 'ethical hackers') to form a 'red team' and attempt to penetrate your network. If they succeed, they will then report any successful methods, and train your staff so that the risk of such breaches can be eliminated.
After all, it's one thing to tell your team not to use easy to guess passwords. It's quite another if the employee comes into work to discover that they have just emailed the whole office admitting to being lax about internet security and promising to buy everyone free coffee, because the 'red team' managed to guess their password.
Cyber-insurance cannot prevent a cyber-attack. But it can help cover the financial consequences, and help the business to survive. As with natural disasters, however, cyber insurance is not an adequate solution on its own. Following a disaster, the business still needs its data, processes, and hopefully its people around.
4. Being Prepared.
The information above is just a small subset of issues to consider. Disaster recovery is a specialised field that involves customised planning specific to your business, its industry, and its needs.
If you would like to be prepared and ensure the survival of your business no matter what happens, whether the challenge ahead is surviving a fire, a flood, a cyberattack, or even a global Coronavirus Pandemic, NetExperts can help you get prepared. Feel free to call us at any time.