
For the small business owner, should the power going out mean you can’t make money? Should the computer system going down for 20 minutes mean a restaurant can’t take or cook orders any longer? Some basic level of preparation for anything other than ideal circumstances, along with common sense, needs to be applied to the business processes of any organization.
Can business continuity and disaster recovery planning be applied to organizations of all sizes? It’s an extra expense for small business for sure — probably most medium-sized businesses as well. I say, yes, maybe a store can’t process credit cards while the power is out, but it can certainly accept cash.
I hesitate to use the phrase common sense. What one perceives to be necessary, normal, and obvious can vary greatly based on experiences. Maybe this is some form of nostalgia for a day when the world was a simpler place from a technology standpoint. One could certainly argue that, but if the options are the world (or your little corner of it) stands still until the power comes back on or we go low-tech for a little while, I’ll take the low-tech solution from yesteryear.
What I am describing is not necessarily Disaster Recovery in the Information Technology or technical sense. Your organization’s business continuity plan may simply be an effective way to switch back to a more traditional “paper-based” set of processes if the computers go down or the power goes out. Somewhere in the last few decades, we moved into a world where nothing can run without computers and technology, but there is insufficient redundancy and reliability in those machines to really deserve the vaunted place in our everyday lives that has been bestowed. Assuming a doomsday-prepper mentality towards DR for your small business is not the point of this article. Rather the point is that there are numerous events every year that result in the power being out, computers being down, or something else that results in sub-optimal working conditions for your organization and your people — and, somehow, the show has to go on.
Maintaining availability of a service is a traditional component of information security. In the case of an IT system, that availability may mean failing securely, but if we can maintain normal processing of an IT system or keep a business process functional end-to-end with a paper-based process for an afternoon, that’s awesome.
Definitions
Business Continuity (BC): refers to plans an organization has in place to carry on day-to-day business operations under less than ideal circumstances. This could be anything from a hurricane/typhoon to the power being out for days.
Disaster Recovery (DR): the focus on and processes an organization uses to respond to and recover from a major disruption to business operations with the goal of restoring normal operating modes/processes. The information technology aspects of restoring normal operating circumstances tend to be a major component.
Business Continuity focuses on planning for support of critical business functions under less than ideal circumstances, while disaster recovery encompasses restoring all business operations to full capacity following a major disruption.
I’ve seen these terms used interchangeably. For the purposes of this post, we’ll use these definitions.
IyaSec As An Example
IyaSec is my cybersecurity consulting firm. From a business continuity perspective, I believe it’s important that I address some possible contingencies to make sure I can pay my rent next month.
- I travel often for work, but am still at my “home base” for six to eight months out of the year.
- I have a virtual office service with a building nearby (and around the world) and a home office.
- My “home base” is in a part of the United States with a high probability of wildfires, earthquakes, and volcanic eruptions. I live within 150km of four volcanoes. Every twenty years or so a hurricane rolls through.
- In the short-term (one week), I need a laptop, internet connection, and power to run my business.
- For longer time periods (one month), I will need access to my Network Attached Storage (NAS) appliance (undisclosed location:).
Now, I could hope that nothing bad ever happens and the status quo continues for the foreseeable future, but eventually something will happen. If it isn’t one of the natural disasters I mentioned, it will be some idiot shooting up the local power substation requiring millions of dollars’ worth of equipment that is hard to replace on short notice — that happened just north of my location a few years ago.
For most of the situations mentioned above, I’m going to be sitting in my apartment. So, a couple of Ecoflow batteries, Starlink, and an extra laptop address most of my concerns. If I had to evacuate due to a wildfire, the batteries and Starlink could go with me; though, it is likely that internet access will be available at the final destination.
So, right there, a business continuity plan has been developed for my small consulting business. Admittedly, this is an easy one. My business and lifestyle are designed to be mobile anyway and my infrastructure requirements are not that great.
For my NAS appliance, I have a second NAS appliance at a geographically separated location with the two connected by VPN. So, I’ll have access to the backup if anything happens to the primary.
What’s the cost of all this? The Ecoflow Delta 2 battery costs about $800, but you can get a used one for about $600. A Starlink generation 2 setup cost about $700 in March 2023. An extra laptop is $2000 (System76). The recurring cost of the Starlink subscription is $150/month for the basic plan; you can keep it turned off until you need it. So, the most basic version of my business continuity plan cost me around $3300 USD + the monthly Starlink subscription when I turn it on. That’s a perfectly reasonable cost for me. For other people and other types of businesses, maybe it is, maybe it isn’t.
A balance needs to be maintained.
The point of this article isn’t to go into the technical details of how to address these requirements.

My Favorite Restaurant Back Home
Not so long ago, I was visiting family in the midwest. Naturally, I ate at one of my favorite restaurants from childhood a couple of times that week. It’s a regional restaurant chain that only has locations in two major metropolitan areas on opposite sides of the state. So, it’s hardly a mom-and-pop shop, but they don’t have the resources of a nation-wide restaurant chain either. While I was waiting in line around lunchtime one day that week, the computers went down, or that is what the employee taking the orders described. Everyone I could see in back in the kitchen was staring blankly at screens that presumably were showing nonsensical information. I would have liked to get a look at that for my personal amusement. At this point, the employee taking orders announced that they could no longer take orders and could no longer prepare orders they had already taken. Would some kind of paper-based backup system have been that painful to implement? It’s not like they are doing high-end microchip fabrication or high-energy physics experiments. They are making sandwiches; more-or-less, the same sandwiches they were making nearly fifty years ago — possibly earlier, I can’t remember any earlier than that (I was too young). Some of my earliest memories are my aunts and uncles taking me there during lunch while they worked the farm. For twenty minutes, every employee of this restaurant just sat there staring at each other while the manager was presumably in some back office out-of-sight on a call to an IT helpdesk. I don’t think I am blaming the restaurant employees I could see for this situation. They probably haven’t been trained to do anything else during an IT outage.
That moment in my favorite childhood restaurant does capture perfectly what would happen in a worst case scenario at many small and even medium-sized businesses.
For that local chain restaurant outage, there are a bunch of questions that I wanted to ask. Are the IT systems self-contained within the building? Is there a data center somewhere in the local city? Is it all cloud-based with some stripped down PCs driving the screens that are hanging everywhere? What would it take to start taking orders on paper, pass them to the cooks’ line in back, collect the money, manually count out change, and update the transactions in the computer system manually later? Could they still process credit card payments? Or, is that baked into the in-store computer systems as well? Is there any kind of business continuity (disaster recovery) plan on any level?
A Client In Nowhere, Southeast Asia
At one point, I was in a rural Southeast Asian country for a few weeks — long story. I still had to be able to join meetings and perform certain tasks for my business. So, the minimum requirements mentioned above for my consulting business had to be met. The commercial power in some of the provinces tends to be unreliable. At least one day a week, the power is out for twelve hours or more. The power flickers several times a day on the best days. Over the course of a month, maybe we went a day and a half without the power going out for at least a few seconds. If the power was unreliable, commercial high-speed internet access from local providers was not great. The cellular signal could do three bars on a 4G network, but it was relatively unstable. So, we had to have a diesel generator, plenty of diesel on hand, and spare parts. For internet access, there were redundant Starlink routers/dishes. One Starlink router was active at any moment. The other was packed in the box and locked in a cabinet to keep it safe, which was good because about a week into that trip a dog got a hold of the cable between the active Starlink dish and router and chewed it in half. It took two weeks to get a new cable. We had to break out the cable from the backup system for those two weeks. On future nights, I made sure the dogs were outside the perimeter wall before closing all the gates. Don’t feel bad for them, the dogs were basically feral and did their thing around the town. Whenever the power went out, it took a moment to switch over to the generator, manually, and several more minutes for Starlink to start. There weren’t sufficient resources available to have an inverter and battery bank, which would have provided seamless power failover, but that gives one an idea for future enhancements to the setup. All this shows a nearly daily use of the business continuity plan described earlier — though, we didn’t have the Ecoflow generators or equivalent.
Low-Grade Domestic Terror Attacks
On Christmas Day a few years ago, several power substations were heavily damaged by some jackasses shooting up the equipment with assault rifles just a few hours’ drive north of my location in Tacoma, Washington. Leaving aside all the political aspects of such situations, this could easily have happened where I live, at which point, we’d have more-or-less the same situation that I described in Southeast Asia. Hopefully, without the pack of feral dogs. So, having all those capabilities I described at the beginning of this article would be essential to being able to meet my business obligations even with the power out for days.
Summary
Don’t think your business needs a minimum business continuity plan? It doesn’t have to be complicated. It doesn’t even have to be expensive.
In the examples above, having one or more of the following makes an organization and its business processes much more resilient:
- backup power solutions
- redundant internet connections
- redundant hardware
- paper-based processes
- cross-training of workers so no one person is a single point of failure in terms of skill sets or steps in a business process
- training workers in what to do during an emergency (or any less-than-ideal operating conditions)
- alternative payment processing (or ability to handle cash)
Your small business needs to have a viable Business Continuity plan. Go for simple and make sure you address the worst-case scenario. This can vary dramatically from one organization to the other. Make sure you maintain organizational operational security even in the worst-case scenarios.
Want to discuss your organization’s needs? Contact Iya CyberSecurity Solutions: info@iyasec.io.
Please note, I don’t have any relationship with product companies that I mentioned in this article beyond being a user of their products.
Always seek professional assistance when working with electricity. It’s too easy to make things burst into flames if you don’t know what you are doing.
Photo Information
gas pump — ivak
Gasoline / petrol / fuel can — Juhele
Propane Tank — s9393
power plant — thermal (coal) — Juhele
Isometric widescreen Laptop — meitzner.net
Solar energy — m1981
Downloaded from https://openclipart.org