By Laura Haight
It was a tough October in the Atlantic.
Hurricane Matthew had barely left a battered and flooded North Carolina when Nicole formed and swung back around to take a second swipe at Jamaica and roil up the Atlantic Coast last weekend.
Matthew was a monster and thousands of families lost homes and belongings. Nearly 50 people in the US died. And for many businesses, the storm had serious financial consequences - lost revenue, flooded facilities, businesses forced to shut down for several days. Estimates are that damages from Matthew will fall somewhere around $10 billion.
Businesses in the most hard-hit areas will certainly be evaluating their preparedness, but it’s a good time for all of us to dust off those disaster plans, refamiliarize and test, and potentially update the information.
Wait... you don’t have a disaster plan? In 2015, 66 percent of businesses surveyed by Symantec and the National Cyber Security Alliance reported that their operations were dependent on the Internet. It doesn’t take a Category 4 hurricane to mess with that; a simple power outage would be enough.
Developing a disaster plan is a commitment. It takes time, and demands diligence. It also requires constant evaluation to ensure that staff and technology changes are reflected in the plan. A disaster or business resumption plan is a living document. Here are some keys to developing one that will work for you when you need it.
- If you’re building a plan from scratch, make sure the team you have working on it includes a lot of line staff. Management knows how things are supposed to be done, but line staff know how it really works. Emergency plans built by management focus on the big picture of what should happen. That’s fine as far as it goes, but the key to a successful plan is not the “what”, but the “how.” To know and prepare for that, you have to ask those who “do”.
- Emergency plans by definition have to imagine the worst. A plan that assumes its own elements will work is not effective when those things don’t work. A disaster plan operates in a far-from-perfect world where databases are inaccessible, and the key payroll expert is on vacation. The truly effective plan thinks outside the box and plans for mess-ups, miscues and mistakes.
- Rely on people, not systems. Don’t build a system to back up a system. During an emergency, few things will operate as expected. So it is critical that people get face to face and be prepared to readjust on the fly. A good emergency plan not only draws its backbone from the bottom up, but builds in person-to-person communication so we can work through the unexpected things that happened in step 2.
- The hardest part of any emergency planning process is getting all the stakeholders to agree to a full test of the plan. But it is really the only way to know what you forgot. This doesn’t mean you have to shut down your business for a day; you can game out a number of different scenarios in a conference room. But without a “what-if” scenario testing of your plan, you will not realize that you didn’t know what you didn’t know.
Nothing is as certain as change. Did you lose an employee in the last year? Perhaps an important one? Did you update the contact info in your emergency plan? (I could go on with system vendors, switched digital service, changed passwords on cloud services, but I think you get the picture.)
October is Cybersecurity Awareness Month
This is the 13th year that the US has recognized October as Cybersecurity Awareness Month. The awareness project is supported by the National Cybersecurity Alliance, a consortium of public and private businesses, government organizations and non-profits. Portfolio is very proud to be a member of this organization.
The goal of the alliance and its program Stop. Think. Connect., a global online safety education and awareness campaign, is to help individuals and businesses understand the risks cybercrime poses as well as to learn and promote best practices and safe behaviors.
A major disaster your business could face might have little to do with the weather, but rather with how you recover from a significant cyber attack, hacking incident, or data loss. To plan for that, the Federal Communications Commission has developed a template with guidance to help businesses build a cyber event planning guide. While your disaster plan and cyber plan could share many elements, a cyber plan has some components that are unique to recovery from a hack.