Last week, I wrote “Disaster Recovery is about the information or technology systems that support business functions. It is a component of Business Continuity (BC), which plans to keep all aspects of business functioning during disruptive events.” We also learned together the critical need for DR.
But what really needs to be in the plan? Twelve questions begging to be answered:
1. What are the potential interruptions?
The key is to list all the ways in which a business function could lose support, prioritize the likeliest, and address each with a plan. Today, cyber-attack is an increasing threat, and should be at the top of your list.
2. What are all the possible impacts?
A Business Impact Analysis (BIA) evaluates financial, safety, legal and public relations effects, and addresses them to ensure that confidentiality, integrity and availability are maintained.
3. Who calls for the DR to be enacted, and who is called when it is enacted?
A DR Plan spells out the roles and responsibilities expected of C-Suite Executives and the employee chain in the event of disruption. The chain of communication must establish who calls for DR enactment, and then who is called: which employees must come in and how they are to be contacted, with all contact information at hand.
4. Who updates the DR Plan?
Technology changes, system changes and application changes, which are frequent, may all affect the effectiveness of the DR Plan. Who communicates the updates? Who adjusts the DR Plan and communicates the changes?
5. How often will you test the DR Plan and run drills?
Data breaches happen. It’s rare that a job will be lost over one, or a company’s reputation hurt by one. The damage comes from how well the company responds to it. Failure to respond properly leads to loss of employment and reputation. The only way to respond professionally is to have an exhaustive plan and to ensure that it works!
6. Who is responsible for hardware and software inventory?
Make sure the vendor technical support, contract and contact information is readily accessible in the event of a disruption.
7. What is your Recovery Point Objective (RPO) and your Recovery Time Objective (RTO)?
RPO is the maximum period in which data might be lost from an IT service. It answers the question, “How much time can we tolerate having to recover or rewrite lost content?” That determines your backup frequency. RTO addresses the target time to recover IT and business activity.
Prioritize plans based on what needs immediate recovery, what is acceptable to be recovered within a business day and what can be recovered within a few days.
8. What is your communication plan?
In the event of a disruption, Who needs to know What by When and by Whom? This also includes a prepared statement that will be accessible on your public platforms, and a plan for how and when customers receive initial communications and updates.
9. Where do you go if you can’t go to the office (or usual place of business)?
The DR Plan should address alternative worksite options, including telecommuting. Employees will need to know how to access systems from the alternative sites, and IT will need to ensure that compliance requirements are being observed.
10. Are all your vendors and contractors prepared to help?
The DR Plan must ensure that Service Level Agreements are in place, addressing how vendors and contractors are to help and the timeliness by which they are committed to respond.
11. Do you have operations and procedures in place to protect and access sensitive information?
12. Who is in Second Chair?
If a key employee is not available during a disruption, who knows what they do in order to perform their responsibilities in a crisis?
I hope you never have to enact your DR Plan. But I am available to make sure you have addressed all the key components for your business, and that you not only have a plan, but that it works and that you know how to use it.
What other questions do you have about DR Plans that I can help you with? Please comment below so that others can learn with you.
When it comes to taking out insurance for anything, it can be a controversial issue. Many people tend to wonder why they should get insurance when the chances of something happening are slim, or they feel as though the insurance wouldn’t really help them out much if something did happen. This isn’t any different for cyber security. No matter how much you’ve already invested in preventative security measures, it’s still vital that you take out cyber insurance.
When it comes to cyber security, the risks of not getting insurance make it a no-brainer. There are thousands of ways data can be breached, and those numbers are only continuing to grow. You can be hacked through independent devices, social media, software, ransomware, malware, etc. The list goes on and on, and a company should never think of itself as invincible to an attack.
Even if you take all the proper precautions and have a vendor or IT team to help you with managing your network, there’s never really any guarantee there won’t be a breach. Therefore, it’s really important to take out insurance because it can cover you for indirect costs, such as sending letters to those who were affected (which can be rather expensive).
Cyber security insurance hasn’t been around for too long. In fact, it’s a rather new concept, which began roughly around 2005. However, by 2020, it’s predicted that the total cost of cyber security premiums will reach $7.5 billion. Therefore, there’s still time to take advantage of this new “trend” before it starts becoming pricier.
Major companies have had data breaches, including Target in 2013. This year alone, there have been attacks on Snapchat, the U.S. Department of Justice, Yahoo!, and Oracle. And, let’s not forget about the Ashley Madison hack in 2015. If hackers want to get your information, they’re going to get it, and it doesn’t matter whether you run a jewelry store or thrift shop. Your information and the information of your customers can be gold in a hacker’s eyes. If it can happen to these companies, it can happen to you, too.
When you think about the potential of your company having a data breach, it may seem like something you’d be able to take on, especially if your company is small. However, each data breach, no matter the size or equity of the company, has default costs associated with it. Companies must pay for a forensic investigation, business losses, privacy and notification, and potential lawsuits and extortion. Of course, cyber insurance would help take care of a majority of those things.
Compared to the crazy costs of repairing a breach, cyber insurance costs nothing. While we’d like to give you a precise number, the fact of the matter is that premiums can range a lot. It all depends on the size of your business, what kind of coverage you’re looking for, data risk exposure and the revenue of the company. But, when you think about how PlayStation’s 2011 data breach cost them $171M, a lot of which could have been offset by cyber insurance, you might realize you want to avoid that for your business.
When it comes to taking out cyber insurance, there’s not too much you have to worry about. The first thing you should do is create a cyber risk profile for your company. Think about what kind of estimated costs you would face to make repairs if you were to have a data breach. Then, sit down and discuss your budget. Lastly, consult insurance companies, many of whom have insurance calculators on their websites, to see what your company can afford to pay (and what you can’t afford to lose).
So, are you ready to invest in cyber security insurance? Smeester & Associates can help give you the tools and recommendations you need to choose the insurance policy that’s best for your company.
The IT services market is changing rapidly as technology continues to play an instrumental role in everyday business operations. This has caused small and medium-sized businesses (SMBs) to outsource many of their IT needs in order to cut costs and gain access to expertise they wouldn’t otherwise have. Instead of spending their time and budget managing everything in-house, SMBs are leveraging the IT skills and resources that managed services providers (MSPs) can offer. But what are the main priorities that most businesses are focusing on when outsourcing IT?
According to KPMG, we are entering a “radical new world of outsourcing.” As IT is increasingly being seen as a business enabler, SMBs are quickly recognizing the value of outsourcing their needs to an MSP.
Outsourcing is growing in its popularity and adoption, according to KPMG’s IT Outsourcing Service Provider Performance & Satisfaction Study, and businesses are choosing to pursue IT outsourcing.
According to Continuum Managed Services, cost savings remain a top driver of IT outsourcing, but the trend is that the new priorities are geared more around quality improvement and access to skills. This changes the value proposition for outsourcing, shifting the emphasis toward delivering value-adding services and innovations in addition to cutting costs.
As the SMB tries to find the right service provider, Continuum says the decision makers are carefully thinking about how they can focus on core business objectives without worrying about their IT needs. In outsourcing to an MSP, they can experience more growth with proactive, predictable and preventative IT services.