Despite the best-laid plans you have to be ready for when it all falls in a heap. Contingency planning is like fire insurance – you have to have it but you hope you never use it. But if you have it, you need to make sure it works.
According to the latest security breach survey from the UK Department for Business, Innovation and Skills, 33% of companies polled said contingency planning was in place for just one threat (system failure or data corruption) but wasn't effective. That's as opposed to 37% where it was effective, so almost half the organisations polled saw it fail when they needed it.
Plan it out
The secret to effective contingency planning is to know your enemy. Itemise the things that can go wrong, from equipment failure and theft to cybercrime, environmental impacts or just user error.
It has to be a formal process to really be of use. Draw up policies with the steps to take and the people who will take them. Multiple staff will need to be mobilised and they all have to know what to do (and when). They also might not all have the skills you need when the crunch comes, so you need a list of requirements for the training and resources they need to be prepared.
You need a schedule of the action plan that everyone's on the same page about – tasks performed out of order or with the wrong equipment or datasets can be as catastrophic as the contingency you're trying to mitigate against. Assess your particular weak spots.
Do customers access data inside the organisation, and therefore need an open channel through which malware might arrive? Might sensitive user information you share with vendors or suppliers be under threat of compromise, like it was in the high-profile hacking of US retailer Target in 2014 (the company estimated the cost at US$148m)?
Maybe in-house systems or even co-located servers are getting old. If they're on the verge of breaking down and corrupting data, you'll want to know about it and either replace them or review your SLA with the vendor. Whatever the risk or threat, account for it, rate it, and draw up a detailed ranking of the potential chinks in your armour.
There's no one-size-fits-all contingency plan – it will depend completely on your organisation’s size and industry.
Certain data might need to be backed up offsite, and you might need to balance that with how accessible it is on an as-needed basis.
Standalone in-house systems might not be included in policy-based backups because they're not considered to contain mission-critical data, but what about the business development manager who gets amendments to a contract and leaves them on her desktop, forgetting to move them to the company system that gets backed up?
When you're scoping out the effects of a contingency, imagine the worst. Who's going to be alerted at two in the morning if there's a data breach or server meltdown, what tools do they have at their disposal to start work on it, and have they been trained to use them?
The business impact analysis (BIA) will answer many unanswered questions, and the answers will only strengthen your contingency planning policy. It will reveal the costs of both lost time and emergency remediation in the event of a data failure. It will make clearer exactly what your business insurance will cover. It will tell you how long you can afford to be offline. And remember, rather than give you an ulcer, a BIA can be good news too.
You might have a lot more tolerance for downtime than you thought, for example, and an informed contingency planning policy will let you solve the problem calmly instead of panicking and throwing good money after bad to fix it.
Finally, armed with ironclad contingency planning policies built on informed and realistic data about your capabilities and limits, it's time to test. Devote or buy a dedicated software sandbox environment and schedule the appropriate staff to be ready for drills, and before you know it, your contingency preparedness will work like clockwork.
Pay as you go contingency planning
It might even be an idea to consider appointing a dedicated contingency planning coordinator to synthesise all the possibilities and actions and draw up your policy plan from them. If you don't have the budget or scope to appoint a dedicated contingency engineer, there are services around that will take all your pain points away for you. Cloud computing is making it easier and cheaper to outsource activities like disaster recovery while you concentrate on what you're good at.
Putting an effective contingency plan in place is just one of the steps you can take to become more proactive in your role as an IT manager.
This was originally posted by our colleagues at Oriel