Confidentiality, Integrity, and Availability. These are the three pillars of any security plan – although most people think of hacking when they hear “Security”. Today I’ll be speaking to business leaders in Cincinnati, Ohio on the topic of data security. It’s not a technical talk, but rather a look at the trends and concerns, the people behind data theft, and the wrong mindsets most people have around security. If I had time to rewrite my presentation, I might choose to do more of a briefing on disaster recovery and business continuity.
This week’s storms exposed one wrong mindset – the one where everything looks okay, so it must be. Every week I hear accounts of security assessments being conducted where engineers report a lack of data backups and business continuity. You would think that after so many years of PC computing, companies would have put something in place. Even some of the larger, more sophisticated companies are running daily production with untested, outdated, tape-based backup systems. With today’s mobility technology, 4G cellular capabilities, and high-availability storage, we should be in great shape when something like this hits (at least from a data and system standpoint). But news reports coming out of NY and NJ are telling a different story. In some cases companies had some, but not all, systems backed up – as in the case of Freshpair.com. In other cases, companies like MailChimp got lucky – their data was in a location that did not get hit, while their other data centers were hit. In most cases, it’s the midsized and smaller companies where I see no backup, or a simple onsite tape backup, but nothing offsite. With the low-cost solutions available today for cloud-based backups, it makes sense that even the smallest companies would invest in this type of technology.
Failure Leads to “Out of Business”
Gartner has stated, “2 out of 5 companies that experience a disaster will go out of business over the next 5 years.” It’s interesting that it takes 5 years – in other words, recovery drains the company, sets it back, and slowly kills it.
Business continuity specialists have given a number of statistics on where the failures are. Somewhat surprisingly, 40% of disasters are related to human error, 40% come from application failure, and 20% are hardware-related. Somewhere in there, about 4% are natural disasters; of course, where you live will increase or decrease this number.
Areas of Impact
There are generally four areas to be concerned with…
According to my friends in the business continuity and disaster recovery business, there are four areas that must be handled when disaster strikes.
- Direct financial losses – sales stop, investments may suffer, and billing doesn’t happen.
- Production – people can’t work, plants shut down, etc.
- Brand and reputation – do people still trust you?
- Regulatory and other impacts – including compliance, credit ratings, etc.
Long term outages will kill a company over time. Trying to recover data can be time consuming, labor intensive, and very expensive. One project I worked on years ago put a global manufacturer on hold for three days, sending three shifts home for all three days. They would have spent far less on a simple backup solution. The cost of their data recovery was big!
You Need a Plan
Business continuity is not a backup application. It’s a plan – it provides direction on what to do in the event of a disaster. It specifies the backup and high-availability requirements for systems and data, provides a way to continue work without coming back to the affected location (at least initially), and calls for some training and testing so that the employees of that company know what must continue to run, and how. Every company should have this – it might be that only certain functions must continue during the recovery process, but without a plan, it’s impossible to tell. The plan will guide you in the midst of confusion.
The plan calls for an initial response – for the moment disaster hits – but then lays out a recovery plan that may take months. I suspect there are many businesses in both NY and NJ that are scrambling right now, wondering what to do. Some will just call it quits, while others will die a slow death. Some will recover with a plan, and some will get lucky. As Gartner stated, it may take up to five years to finally see the death of some of these companies. The ones that planned well will likely make it. My guess is that there aren’t many small businesses with a solid comeback plan. Make sure your clients understand the various threats, the need for a plan, and the impact of not having a plan. Then help them figure out the likelihood of needing various aspects of a plan – they all need something, but they’ll all be different. Not having a plan is simply a plan to fail.
© 2012, David Stelzl