Small Business Defense – Plans and Flexibility
In the event mentioned yesterday, the business was utterly without power. This sort of event had never been planned for, and since we were a technology company, all of our client information was inaccessible due to the outage. Inbound phone and Internet were down.
In that particular case, I believe we all looked at one another, shrugged and pulled out some snacks and started playing poker while we waited for power to be restored. (It was a very small business and we were all fairly young.) After a while, one of us got the bright idea to call the phone company and set up a temporary redirect of calls to some of our cell phones. Someone else carried the workstation that doubled as a fileserver over to a neighboring business so we could fire it up and get the client contact information, so we could start calling out to let people know about the situation.
We wouldn’t connect to the remote systems via modem, but we had decent memories and it worked out OK. The clients were understanding and while we lost some productivity, it didn’t impact us too badly.
Which, really, is the point of this. We in the security world like planning and mitigation. We like it a lot. We might even like it a bit too much. See, it’s not all doom and gloom. Sometimes, bad things happen, and it all works out OK.
In a large enterprise, you have a complex infrastructure that has a lot of moving and inter-related parts, and if there is a massive failure, it’s simply not feasible to shut it down or move it. The financial cost of such an outage can get into the millions of dollars, so it makes sense to devote some resources to coming up with recovery plans. It can take months to build one and then more months to implement it. Then you have to test it.
In small business, you may not need to do this. Should you? Probably. However, not having a solid plan isn’t the end of the world; it’s just more risk. Just as in the rest of the business, you can look at risk vs. reward. It often doesn’t make sense to have a full plan that covers details for floods, fires, tornadoes and Godzilla attacks. If your infrastructure is small enough, your employees are good enough and your customers friendly enough, your plan can just be “if bad stuff happens, we’ll figure it out”. It’ll probably be OK.
However… it just might make sense to look at what you need to be flexible. Are your people really as good as you think? (Can you test this?) What about availability? If you rely on your people, how are you set for disasters that impact people? What if the backhoe had hit a gas main and some of your employees were injured during the disaster? (Or, more prosaically, suppose I had banged my head trying to get out of my dark “office” and been unable to accept incoming calls?)
So yes, by all means, avoid the tedious planning that no one wants to do. Bet your business on your people (which, really, you do every day anyway)… just be sure that your people will be able to do what you’re asking of them.
There’s more value in DR testing than just testing the systems, after all.