September 2, 2020
Who would have ever thought that in 2020, we would have had to execute a disaster recovery plan because of a pandemic on an international scale? I am sure most organizations planned for the technology aspect of an outage as well as the ability to meet SLAs and recovery point expectations. But did you plan for the loss of your staff?
Most compliance frameworks that you work through have some requirement about availability; however, I do not think anyone was really prepared to address the reframing of how business is done. Past the first few weeks, many organizations we deal with were scrambling to cover the human touch aspect of the services they provide.
ControlScan’s audit and compliance department was unable to escape it either. We had to move quickly to find a way to serve our client base in areas where we would typically perform an assessment in person, without compromising the integrity of the services performed.
We have had calls with just about every one of our clients that have a call center function, helping to design an emergency solution to support their staff working from remote locations. Their largest concern was that they have physical assets out in the field, giving them little to no control over the VoIP data and sensitive data being provided to the CSRs once it’s received. At some point, they just have to trust their staff (background checks are meant to help with this).
I once had a conversation with a client who had lived through Hurricane Katrina. He had stated that they had planned and tested until they were absolutely sure that things were going to go as planned. He walked me through every step of their plan, how they were going to recover, how they were going to migrate from one building to the other side of the state…. And then the storm hit.
Key staff members that had been identified as key players in their operations and recovery did not show up; they were home taking care of their families. When staff finally were able to assemble, there was no sanitation, no power, no food, no running water… 95 degrees in 90% humidity. What they did not account for in their disaster recovery plan was the people.
Remember that when defining a program, it should cover people and processes as well as the technology. Technologies are just the tools that people use to achieve a defined or desired outcome.
During your disaster recovery planning, account for your supply chain, staffing, processes, any aspect of your business that it takes to serve your clients—don’t focus on just the technology. If you are standing in six inches of water and there is no sanitation, is it really that important that the generator will run for two weeks without refueling?
At the end of the day, PEOPLE are your business! Everything else is just an asset or a tool. Please do not forget to account for the loss of staffing or key roles that staff play when developing your incident response and business continuity programs.
Want to learn more about creating solid incident response and disaster recovery plans? Check out this ControlScan podcast, in which Matt Nelson of AvaLAN Wireless and I discuss the best practices that helped AvaLAN successfully ride the wave of the COVID-19 pandemic.