What kind of disaster can your business take? How many unlucky incidents will you endure? How many malicious attacks are you from ceasing completely?
Data is lost, we all know this. It might be a butter-fingered CEO making a dreadful mistake, a server giving up on life, a cloud provider going bankrupt or a fire causing your office to come tumbling down during the night.
Sooner or later, something will happen, but as John Milton said, “luck is a residue of design”. Good luck is when you are ready to pounce the opportunity or brace for the impact, bad luck is when you are not.
- Do you have a backup plan?
- Do you have a disaster recovery plan?
- Do you have a plan for the one bus problem?
Risk assessment and scenario analysis
Data. Identify critical resources, applications and data, so you know what to protect.
Risks. Make a systematic risk assessment, showing what kind of risks your company and your data acutely are facing.
From the likely – an employee leaving without notice, a server crashing, or malicious denial-of-service attack, to the outlandish – protests physically barring employees from entering or entire buildings collapsing, i.e. natural disasters, to man-made emergencies, and technology related incidents.
Consequences. Combine the information with a thorough consequence analysis. How would this affect your company, your business continuity and your data? How much do you stand to lose in case of a disaster?
Your answers will reveal how much you should be willing to spend on securing your data, and what areas that are most valuable and/or vulnerable, and therefore in most need of protection.
Being aware of the risks, you can decide what proactive measures you need to take to secure your data, e.g. backup and off-site storage procedures. Is the business aware and content with that policy? Maybe it is time to go over that again – the requirement may change as business evolves.
You will also need reactive measures to get a minimum of service up and running, so business can continue while you work to restore normalcy. How will you get service up in case of a total outage? Do you have redundancy for it? If the business has grown, maybe it is time for something more formal?
What if a key employee is run over by a bus tomorrow? Can you execute every step in your backup and disaster recovery plan without this person? Can you even run service without them? Your servers should be redundant, so should the company’s dependency on specific individuals.
The organization’s awareness of social engineering
Do you question the guy in the hardhat with the toolbox doing something in the office? Did the friendly IT guy that opened the door to the server room for him ask any questions? Unfortunately, a lot of the time, the answer is no.
Information security is hardly only about brute force protection, firewalls and backups. Hackers with malicious intent simply smooth-talk themselves into login credentials, or access to server rooms, network switches or other equipment. This so-called social engineering relies heavily on the human factor, and thrive from our humanity and our willingness to help each other.
Hence, every organization needs to have a plan to train the employees as a risk mitigation measure.
Disaster recovery plan (DRP)
The information should be systematized in a disaster recovery plan (DRP), including risk identification and assessment, proactive risk mitigation, reactive procedures as well as testing and maintaining the DRP.
Maybe nothing will happen. But you will surely sleep better at night, knowing that if it does, you are prepared.