I’ve attended a number of great workshops, webinars, and other events this year that address this growing topic of interest for all businesses and organizations. We’ve all grown too accustomed (and possibly desensitized) to the news story about another data breach by a Fortune 500 company or other large organization. We know that cybersecurity is a significant risk for each one of us. We hear about great solutions and services in the marketplace to address this risk. But how many of us are more focused on preparation, monitoring, and risk mitigation than on actual response? If so many of the largest companies in the world have responded to their own data breach in spite of their complex and multi-layered defenses, it’s just a matter of time until the rest of us are faced with this crisis. We need to plan for a cyber response just as much as we need to prepare for, implement, and monitor our cybersecurity defenses.
Cybersecurity is not just an IT issue
Many organizations that we’ve engaged with relegate the topic of cybersecurity to the IT department alone. The reality is that during a cyber incident, it quickly becomes “all hands on deck” for all departments. If a cyber incident took place at your organization, how many of the following departmental issues would need to be addressed?
- Legal – contractual, legal, and regulatory issues associated with response actions and communications to customers, media, and regulators
- Finance – coordination of insurance policies and claims, approval and payment of unbudgeted and costly response and remediation expenses, resulting in adjustments to financial forecasts and budgets
- HR – managing internal communications to employees, what they can say, what they can’t say, and addressing all sorts of questions and concerns while trying to keep top talent from fleeing
- Customer Service – fielding much higher than usual call volumes from customers about social media rumors, actual news stories, and other reports about the incident impacting their services or data
- Sales – devising strategies and messages to respond to prospect’s concerns over the incident and how it will affect their decision to buy your services or products
- Marketing/PR – managing communications and strategic messaging on social media, in the press, and preparing executives for interviews
There are other departments that could be impacted as well, and that’s before we even consider the impact to the IT department trying to troubleshoot, respond, and resolve the root cause of the cyber incident.
Planning for a Coordinated Response – Tabletop Exercises
A good cyber incident or data breach response plan should include the coordination of activities, communications, and information among all of the departments listed above. The challenge that we all face is – how do we get them all on the same page to even begin writing a plan? The answer is simply a tabletop exercise.
I have facilitated dozens of tabletop exercises this year covering a broad range of topics and scenarios, and cybersecurity is quickly becoming the most popular topic. In my experience there is no better or more effective way to bring everyone together to understand their role and to define their responsibilities that will be required during a cyber incident.
An effective cyber incident tabletop exercise should include the following elements:
The right participants – make sure you include the right representatives from each department that will have a role to play during an actual incident. While the above list of departments is a good starting point, consider other departments that may have a role to play in operations or other areas of your organization. Certainly include the required IT representatives, but make sure the other departments have the right people at the table.
The right time – set aside enough time for an effective exercise. In my experience, that’s a minimum of 3 hours and should be 4 – 6 hours. It sounds like a lot of time but if done correctly it will be highly engaging and valuable. People should leave with a clear understanding of their roles, responsibilities, and issues that they need to address to set them (and the organization) up for success during an actual cyber incident.
The right objectives – define exactly what is that you are trying to accomplish during the exercise. Is it to define the roles, responsibilities, and tasks for each department as the foundation for developing a response plan? Or are you trying to identify and resolve any gaps in an existing plan? Other objectives could include focusing on coordination between departments, developing communications messaging, or determining which external resources may be required.
The right scenario – develop a realistic scenario that will achieve your objectives within the allotted timeframe. Make sure you include scenarios and questions for each of the departments participating in the exercise. You don’t want to have anyone sitting around with nothing to do, so be intentional about the scenarios to cover the likely issues of concern for each of your participants.
If you check all the boxes above, you are well on your way to a successful tabletop exercise that will initiate or accelerate development of your cyber response strategy and plans. People should leave the exercise with a clear understanding of the identified gaps, issues, and action items identified during the exercise so work can begin immediately to address these items. The good news is that most people leave these tabletop exercises motivated to actually tackle the issues and action items that were identified. By placing them in the middle of the fictional crisis, it elevates their attention and engagement. It’s the reason why these tabletop exercises are so effective.
Finally, there is one important element that I intentionally omitted from the above list for your tabletop exercise – the right facilitator. You need to find the right person to facilitate your exercise who is experienced and capable of keeping everyone focused, on task, and preventing the entire exercise from running off the tracks. You might have this person in mind in your organization today, or maybe you are that person. But if you need help, please contact us for more information. As a Master Exercise Practitioner, I’d be happy to help you develop, design, and facilitate your tabletop exercise. Either way, be sure to schedule a tabletop exercise soon. Past experience has demonstrated that it is the best way to engage the various departments on this important topic and increase your organization’s cyber resilience.
As the impacts from Hurricane Florence affected many coastal and inland communities, our thoughts and prayers extend to those who suffered from this storm. While the recovery process may continue for some time, one of the best practices we’ve found to be extremely valuable after every disaster is the After Action Review. This process helps organizations to identify areas of improvement in plans while the event, actions, and timeline are all still relatively fresh. It’s great to have and implement plans in response to an event like Florence, but a critical improvement opportunity is missed if organizations don’t make time to identify and implement improvements quickly so the plans work even better next time. Following are some key areas to review and evaluate your plan’s performance, along with our observations during Florence.
Plan Triggers – Is your plan based on number of days until landfall or government announcements such as Operating Condition levels (OPCONs)? Generally those plans that used OPCONs or other government activation level announcements were in better position to coordinate with government along an evacuation decision timeline and were not caught unprepared when the Governor announced an evacuation order. We’ve also noticed in some cases that a hybrid approach, including both government triggers and days to landfall triggers, are effective in more complex organizations or plans.
Evacuation Team – Does your plan have a pre-identified evacuation team? While some of us may debate the timing and effectiveness of an evacuation order, the fact remains that the Governor’s order changes things quickly. Schools close, transportation routes change as lane reversals are implemented, and basic staples and supplies such as gasoline and groceries can become scarce. Plans that have an evacuation team identified to leave early and establish remote operations are in a much stronger position to maintain critical operations while these evacuation impacts are experienced even before the storm approaches.
Communications – Does your plan have redundant communication methods? If phone lines, cell towers, and/or internet service are disrupted, can you still communicate with your key people? Planning to evacuate key personnel, especially those responsible for communications to large audiences, to safe areas ensures that these critical functions continue. Always plan to position people with communication responsibilities (website updates, social media updates, email blasts, conference calls, etc.) to safe areas where power, phone service, and internet can be assured to remain active. Following Atlantic’s plan, I evacuated to a safe location well before landfall so I could continue providing support and updates to our customers and the business community at large. I had multiple means of communicating with a team back in the impact zone to get local reports and discuss the situation at regular predefined intervals.
Re-entry Passes – Does your plan include regular annual updates to re-entry passes for evacuated areas? I helped facilitate daily conference calls for business and industry as part of my volunteer responsibilities with the Charleston County EOC. During those calls we answered a number of questions regarding re-entry passes. Make sure you have the correct people identified and updated on your re-entry passes with local and state authorities as part of your annual preparedness tasks.
Operational Rhythm – Does your plan include predetermined meeting times, conference calls, and communication updates to employees and customers? Maintaining an efficient and predictable schedule of daily operations helps everyone to find some structure in the middle of the chaos. People awaiting information updates during a disaster appreciate predictable times for communications. Decision-making is more effective when team members can plan to collect the necessary information in time for a meeting when those decisions will be discussed. Make sure your plan has a daily operational agenda that can be adjusted as needed.
Worst-Case Plans – Does your plan account for worst-case scenarios for people, facilities, communications, technology, and operations? We’ve seen some of the devastating impacts from Florence in North Carolina. Make sure your plan accounts for the recovery of all aspects of your organization following a major disaster that takes months or even years to get back to normal. Too many plans we review make too many false assumptions regarding staff, communications, technology, and alternate facility availability following a major hurricane or other disaster. Plan for the worst of a Katrina, Sandy, or Florence impacting your area and prepare accordingly.
Now that you’ve reviewed these common planning shortfalls or issues associated with Hurricane Florence, conduct your own After Action Review. Assemble your team and review each of the above areas in addition to those issues that were identified during this storm. Then develop your list of actions to address each issue and track them through regular monthly meetings until your plan has been updated and all issues have been addressed. If you need any help, we have a comprehensive and effective After Action Review process that we can facilitate for your organization. Please contact us for more information and make sure your organization is even better prepared for the next storm.
Start Planning Now for a Better Recovery
Hurricane Season is upon us, and the predictions and forecasts are generating many of the same questions in recent years:
Will we see El Niño this year, which may inhibit hurricane activity in the Atlantic?
How warm will the tropics be this year, and what will that mean for hurricane intensity?
These and many other hurricane questions are often difficult to answer accurately and confidently, even by the experts. However there is one question with a simple and certain answer.
When should you start planning for Hurricane Season? Now.
Hurricane Season begins June 1 and runs through November 30.
Although most of the powerful hurricanes generally occur between August and October, we have seen tropical systems appear earlier and sometimes even before the official June 1 start of the season. The reality is that we never know when and where these systems will form, so best practice is to have your organization’s plan ready to go by June 1.
When you consider the difficultly in completing this type of planning during the summer months with vacation schedules and other competing priorities, the best time for most organizations to complete their hurricane planning is in May or June.
We have reviewed many hurricane plans from a variety of organizations, businesses, and municipalities over the years, and have seen first-hand where most of these plans fall short. Following are three of the most common issues we see in hurricane plans that could lead to a poor or lengthy recovery from the next storm.
Does your Hurricane Plan suffer from any of the following issues?
1) Detailed preparation but vague recovery
Most hurricane plans we review fall into this trap. The plan may have 20 pages of detail covering the actions to be performed leading up to the hurricane, but only one or two pages of actions after the hurricane. The preparatory steps are important, but the recovery steps are even more important. The purpose of your plan should be a quick and effective recovery, so don’t skimp on this section of your plan.
2) Assumption of immediate return
Many hurricane plans assume that everyone will be able to return to their office, business, and homes very soon after the hurricane passes. Unfortunately, the failure to plan for lengthy evacuations can lead to disastrous results, and these stories have been told repeatedly after Katrina and Sandy. Make sure your plan anticipates the need to establish temporary office and housing inland for extended periods of time.
3) Limited or no alternate communications
Most of the plans we review do not have adequate redundancy for communication systems. After life safety, communications is the top priority for any organization following a hurricane or any other disaster. It is an all too common, but faulty assumption that standard landline, cellular, or internet access will be available following a significant regional disaster like a hurricane. Plans must account for the need for alternate communications to your employees, customers, vendors, and other stakeholders.
We will cover additional hurricane planning tips in future articles. Please share your questions about your hurricane plan so we can address those as well.
Now is the time to start, review, or update your Hurricane Plan. Start by taking our Readiness Assessment to benchmark your organizational readiness for hurricanes and other disasters. Then contact us for a complementary review or your Hurricane Plan by one of our certified experts.
As the 2016 Hurricane Season opens, another year has passed since most organizations have experienced one of these devastating storms. Many years or even decades have passed since communities or organizations in Florida, Georgia, South Carolina, North Carolina and many other states have experienced the full impact of a major hurricane. While most are thankful and rejoice in this reprieve, the reality is that the more removed we are from experiencing a hurricane the less prepared we are for the next one… unless we practice.
Over more than ten years of working with organizations to prepare annually for each hurricane season, we have found that the best indicator of an organization’s hurricane readiness is the extent to which it actively tests, or exercises, its hurricane plan. We have reviewed all types of hurricane plans of varying complexity, detail, and length, and even the most impressive looking plans can be rendered ineffective if they haven’t been exercised, especially within the current year.
The main problem with most plans is the people responsible for implementing them. People are often the weakest link in any hurricane plan because people require regular training and practice to become proficient at most tasks, especially during the stress of a crisis or disaster. If we expect people to perform their crisis responsibilities effectively during one of the most stressful events of their lives, then we must give them the opportunity to practice these tasks, at the very least annually.
Hurricane exercises also identify plan gaps, issues, and false assumptions that refine and improve the plan and the organization’s overall readiness. Exercises improve the plan in a unique way by placing the organization, people, and plan through the many expected and unexpected impacts in a simulated and relatively stress-free environment. The improvement plan that results from these exercises allows an organization to put lessons learned into action, yielding a much higher degree of preparedness and overall readiness.
Fortunately, more organizations are making exercises an active and integral element of their overall continuity or preparedness program. Over the first half of 2016 Atlantic facilitated (or as of this writing was scheduled to facilitate) at least a dozen exercises. Following are some best practices that we have learned through this recent and prior exercise experience:
1. Just do it. Plan and schedule your exercise now before other projects or priorities get in the way. Put it on your calendar at least 6 weeks from now and start planning for it.
2. Dust off that plan. Make sure your plan is ready to be tested. Spend some time reviewing, discussing, and updating the plan in preparation for the exercise.
3. Train first. Don’t throw your people into an exercise “cold” without some training on the plan they are supposed to test. Warm them up with a thorough review of the plan, their roles and responsibilities.
4. Crawl, Walk, Run. While it may be tempting to use that worst-case scenario Category 5 hurricane for your first exercise, it probably won’t accomplish much. Set realistic objectives for each exercise and design the scenario to reasonably achieve them without excessive complexity. Exercises should begin with a relatively simple scenario and build in complexity and difficulty over time through successive exercises.
Make sure your organization is ready for this hurricane season. Schedule your hurricane exercise today using the tips listed above. If you’d like an experienced facilitator to help with your exercise, please contact us so we can partner with you in this critical best practice and leading indicator for hurricane readiness.
As many of us begin 2016 with a list of resolutions, it is important to consider the one resolution that could actually save your organization when the next crisis or disaster occurs. Resolve to be resilient by implementing these three steps to begin your path towards a resilient 2016 and beyond.
1. Expect the Unexpected. One lesson learned from the October 2015 flooding in South Carolina was the rapid timeline that many disasters follow. A large rain system can quickly turn into a 1,000-year flood. Resilient organizations don’t limit their planning to predictable events like a hurricane or utility failure. Expand your planning horizon to consider worst-case scenarios that often come with little warning, such as earthquakes, loss of key employee, and terrorism. These events continue to occur with regular frequency and require more diligent advanced preparation, starting with the remaining two steps below.
2. Develop multiple recovery strategies. Too many plans that we review are based on a single recovery strategy, whether it is a single alternate worksite, a single IT recovery method, or a single method of emergency communications. Recent events like the South Carolina flooding and others have shown that plans often don’t go according to plan. The best plans often are those that have multiple options. When you identify the critical elements of your organization that require timely recovery, be sure to develop multiple recovery strategies for each. That means multiple alternate worksites or strategies, multiple IT recovery methods and options, multiple communications methods (not just relying on cell phones and email), and so on. Resilience often depends on flexibility and having several options available.
3. Prepare your workforce. People are the most valuable asset of any organization, but often are the weak link when plans are activated in response to a crisis. Schedule time on your calendar in 2016 to prepare, train, and test your staff’s ability to implement plans when needed. Make a recurring quarterly (good) or monthly (better) appointment to prepare your people for the various plans and conditions they may face. Schedule time during annual reviews to talk to each person about their home and family emergency preparations. Review cross-training gaps and identify multiple back-ups for each key position. Make your workforce resilient.
These three basic steps will put your organization on the quick path towards resilience in 2016 and beyond. Don’t let this resolution go unfulfilled. Resolve to be resilient this year by carving out a little time each month to make incremental progress on your plans and preparedness efforts. The payback for your time investment will be huge when faced with the next crisis or disaster, and it may save your organization and your livelihood. Our mission is to support you in these efforts, so please let us know if we can assist you. We look forward to partnering with you to keep this critical resolution in 2016.
As the calendar is now firmly into 2015, it is the perfect time to take action towards improved readiness for whatever 2015 may bring to your organization. Last year saw a number of trends, old and new, dominate the headlines for business disruptions. Organizations that want to stay “ahead of the curve” must head these lessons learned from 2014. The following readiness steps will address the key areas of vulnerability that were underscored by last year’s news, and will help keep your organization ready for these increasing threats.
1. Make Data Security a Top Priority. Although not a new trend, this issue hit new heights last year, including the Sony Pictures breach that many believe to be the most destructive cyberattack in U.S. history. Organizations of all sizes and industries are vulnerable to this growing threat, and it is imperative that all organizations conduct a comprehensive security assessment to identify security vulnerabilities and solutions to address each gap in your data security. Don’t let another year go by without addressing this top threat to the continuity and survivability of your organization.
2. Develop or Improve a Remote Work Strategy. Last year, and even early 2015, saw a number of winter storms shut down entire states for days, forcing many organizations to take a closer look at their remote work strategies. The ability for employees to work remotely is no longer a fringe benefit; it has become a foundational requirement for the business continuity of any organization to respond to a variety of threat scenarios. Make sure your organization has a robust strategy to address the long-term ability of all employees to work remotely. For many organizations this strategy will include some sort of cloud option to allow employees to continue working even if the corporate servers sitting in an office are unavailable due to power or internet loss. Make sure your remote work strategy includes security and other policies to address the use of personal devices, location of corporate data, and other issues.
3. Assess and Implement a Cross-Training Plan. While the Ebola outbreak so far has been mostly isolated from the United States, it offered a grim reminder of the pandemic threat our country will face at some point in the future In South Carolina and other states, the seasonal flu virus had a significant impact on absenteeism last year. These public health crises underscore the requirement for organizations to conduct a comprehensive assessment of cross-training gaps in their critical functions. Make sure each of your critical business functions have at least two levels of back-up personnel to fully support these functions if necessary. Then develop a plan to cross-train additional personnel where necessary.
4. Train Staff and Test Plans. The Ebola outbreak also revealed the lack of training and testing in the hospitals and other health care organizations that were exposed to an infected patient. Whatever plans your organization currently has, including Business Continuity Plans, Emergency Management Plans, and Disaster Recovery Plans, commit to a training and testing program in 2015. Time and again we see that these plans cannot be relied upon if they are not routinely tested. Recently we facilitated the sixth exercise in as many years for a South Carolina client that resulted in 33 action items to improve their plan. We cannot overemphasize the critical need for, and unique value that, plan exercises have for all organizations.
5. Identify and Empower a Readiness Champion. In our work with many businesses, municipalities, and communities last year it was clear that this key ingredient led to the most prepared and resilient organizations. This year will be similar to other years in that there will be multiple priorities tugging on the limited resources of most organizations. Who will take a stand for committing to the readiness for, and implementation of, the items listed above in your organization? Each organization must have a Readiness Champion to keep making incremental progress towards resilience. Don’t let your organization fall behind in its readiness for whatever 2015 may bring. Be a Readiness Champion and start planning today. If you need any help we would be happy to partner with you in this effort.
Atlantic can help your organization succeed in each of these five readiness areas. Contact us today if you have any questions or to request a complementary assessment and consultation.
On September 21, 1989, Hurricane Hugo made landfall in Charleston County, South Carolina as a Category 4 storm that forever changed the landscape and history of the Lowcountry. As we recall the details and timeline of Hugo 25 years later, it is instructive to look back and take stock of what we as a community, state, and nation have learned about preparing for these destructive storms. What exactly have we learned in the 25 years since Hugo made landfall the night of September 21, 1989?
First, we have learned the importance of heeding evacuation orders. Government officials are burdened with the responsibility of balancing the significant cost of ordering an evacuation against the risk of death and injury for a large population. When an evacuation order is declared by the Governor it is done so after carefully weighing these and other considerations. While the last evacuation declared in South Carolina was a debacle for Hurricane Floyd in 1999, state officials have completely revised the evacuation procedures for the Lowcountry over the last few years. Organizations and their employees must know the current evacuation zones, procedures, routes, and timeline to develop their hurricane plans correctly. Further, re-entry guidelines following an evacuation require planning ahead to develop and register the appropriate credentials with each County.
Second, we have learned that hurricane planning is not just a coastal issue. Hugo was a fast moving storm, blowing through the Charleston region in the middle of the night before charging inland towards Columbia and then up to Charlotte, North Carolina. In fact, Hugo was still a Category 1 storm when it hit Charlotte just hours after passing through Charleston. These inland regions were caught off-guard by the strength of Hugo’s winds, and were faced with the reality of quickly reacting to a fast-moving and damaging storm without the benefit of comprehensive advanced planning for such an event. Many organizations and communities within a three hour drive of the Southern and Mid-Atlantic coastline need to include hurricane planning in their larger business continuity, emergency, and disaster plans.
Third, and most importantly, we have learned that hurricanes are long-term events. Storms like Hugo, Andrew, Katrina, and Sandy have demonstrated the lengthy recovery timeline associated with major hurricanes, as well as the false assumptions that so many organizations and residents have about returning and recovering quickly. Recovery plans are the most important component of any hurricane or emergency plan, and often times the recovery process is a mere outline or a few narrative paragraphs in these plans. After Hugo, Charleston, Columbia, Charlotte, and many other areas were without power for weeks. Now as we add to the recovery process the complexity of cellular networks, internet infrastructure, and increased populations, the recovery process is even more tenuous and complex today. Recovery needs to be a comprehensive planning process to ensure that organizations have enough detail, flexibility, and strategies to deal with these complex variables while allowing for a quick resumption of critical operations and infrastructure.
Let us pause to remember the tragedy, struggles, and stories that accompanied Hugo 25 years ago, so we can resolve to honor those who worked hard to rebuild and restore our great community by planning more effectively for the next one. Start by telling your Hugo or other disaster story in our Storm Stories contest. We are archiving a collection of these stories to develop other lessons learned and best practices. What will be your story after the next storm?
Resolve Today. Consider the three lessons learned above and review your hurricane plan with these questions in mind:
1) How closely does your plan follow the current state evacuation plan? Are you prepared to deal with an evacuation that may come as many as three days before the storm’s projected arrival? Do you have the proper credentials registered with your County to re-enter shortly after the storm passes?
2) Have you considered the inland impacts that major hurricane could have on your organization or your evacuation routes and locations?
3) Have you spent enough time developing a comprehensive recovery plan that contemplates a long-term out-of-area recovery while clean-up and rebuilding could take weeks or months?
Please contact us with any questions you may have about implementing these best practices in your organization’s plans or for a complementary review of your hurricane plan.
Take advantage of a post-storm analysis to improve your operational processes.
Now that the recent series of ice storms and winter weather have given way to warmer temperatures and thoughts of Spring, it is a good time to review what we all learned from the impact these storms had on our organizations.
Organizations that proactively plan to not only survive, but thrive in the face of adversity, take every opportunity to learn important lessons during an emergency event. This reflective process is a critical step to improving your Business Continuity Plans, no matter how complete or mature your plan may be.
Following are the lessons we compiled from our own observations and stories from around the Southeast.
1. Early and clear communications are critical.
As the ice storms and their impacts on school, road, bridge and other closures evolved over time, quick communication of this information was critical. Your organization needs an effective Crisis Communications Plan as part of your Business Continuity program to allow for quick and effective communications, including mass notification, social media utilization and internal communications with staff.
2. Remote work capability is important but must be well planned in advance.
Many organizations relied on the ability of employees to work remotely from home when transportation was difficult or near impossible. However, the loss of power throughout many metro areas such as Charleston, Columbia and Greenville challenged the ability of many employees to work effectively during the storms. Advanced planning is needed to consider multiple options of power and internet access at home, including the potential use of generators, car inverters and internet capabilities through cell phones.
3. Expect the unexpected.
Organizations need to build flexibility, options and nimble response into their plans to deal with many unforeseen aspects of these events.
South Carolina saw its second largest earthquake since 1950 occur a few days after the latest ice storm, and it happened in the Aiken area, one that rarely sees earthquakes.
Charleston had to deal with lengthy and unexpected bridge closures, due to icy road surfaces and falling ice.
Many areas throughout North Carolina, South Carolina, and Georgia had to deal with longer than expected power outages. As these events evolve over time, organizations need to have comprehensive plans that can guide them through the variable challenges and impacts on their services and stakeholders.
4. Training and testing is an essential component of plans.
How many years had passed since the last disruptive emergency or disaster that your organization faced?
Were your plans, staff and stakeholders fully ready to execute your plan because of recent training and tests?
Because it is nearly impossible to predict when and how disruptive events will occur in the future, organizations must commit to a regular training and testing program to maintain awareness and readiness of the plan when needed. Organizations that had updated plans and trained staff to deal with the impacts of communication challenges, road and bridge closures and power outages were able to work effectively through these storms.
Take the first step to improve your organizational readiness for the next emergency by identifying the gaps, weaknesses and issues in your current plans that were exposed during our recent storms. Then take the opportunity to update your plans, train your staff and test the plans to make sure everyone is ready to execute the plan effectively the next time.
Want to schedule a visit? Click here to request a free, on-site Readiness Assessment today!
Mount Pleasant IT Firm Dodges Catastrophe
A security alarm immediately notified employees and triggered a call to the fire department.
“I could see smoke pouring out of the windows by the time I got to the office around 7 o’clock,” said Willis Cantey, founder of Cantey Technology.
Lightning surged through the IT company’s network connections, despite surge protection devices, and started a blaze which destroyed their network closet. Even though the building didn’t burn to the ground, the fire melted and burned cables, computer hardware and networking equipment beyond repair.
“It looked like a charred marshmallow,” said Cantey, describing the damage he surveyed in the aftermath.
When you run an IT company and hosting client servers and data is your bread and butter, the destruction of your network infrastructure is the last thing you want to happen.
But, despite the fact that Cantey and his staff were forced to work in a temporary location for several weeks, their clients never felt the effects of the disruption.
“Our clients had no idea.”
Cantey Technology’s 200 clients had no idea lightning struck the company’s office, because there was no interruption in service.
Five years ago, Cantey began implementing a business continuity plan. This involved moving all of his client servers to a remote data center and scheduling continual data back-ups.
Before the fire, Cantey Technology’s data was safely stored in Immedion’s Ladson, South Carolina data center. The data was still there after the fire.
The data center even allowed Cantey and his employees to set up a temporary office in its conference room, so they could have a central location from which to continue serving their customers.
Had Cantey not put a plan in place, he firmly believes his story would’ve turned out much differently.
“If we didn’t take continuity of operations seriously, if we had our client servers on site, didn’t back up data, we wouldn’t be in business right now.”
Cantey and his 17 employees are now back in their office. Reflecting on his experience with disaster, he urges business owners to think about the ‘what ifs’.
“What if there is a fire? What do you do the next day?”
Cantey says the bottom line is to have a plan. For him, it provided a roadmap to follow during the recovery process, so he didn’t lose customers. Having a plan ultimately saved his entire business.
And here’s a little known fact: Atlantic’s planning processes will prepare you for many potential disruptions to your business. Fire, flood, hurricane, loss of key employee, IT meltdown and more. Remember, we can’t predict; but we can plan. Just ask Willis Cantey.
Interested in a faster recovery from any disaster? We can help you get started. Contact us today for a no cost, no obligation site visit.
What will you do when your organization can’t talk by cell phone or landline?
Over the past week or so we have witnessed terrible tragedies in Boston and Texas. Our thoughts and prayers continue to be with those impacted by these events, while our respect and appreciation go to those who responded to, cared for, and assisted the many victims. There will be many stories of resiliency, loss, and unknown heroism that will unfold in the coming weeks and months, but some of the lessons learned from these events are already clear. Business leaders and responsible citizens should take the opportunity to learn these lessons and apply them to their own plans to effectively increase their odds of resiliency.
In the context of preparing yourself and your business to function in the midst of rapidly unfolding events such as the Boston Marathon bombings or the Texas fertilizer plant explosions, we once again learn how critical it becomes to retain our ability to communicate quickly and clearly. As a society we have become alarmingly dependent upon our cellular communications, and during a major crisis we increasingly learn that our cellular networks cannot handle the volume of traffic that is generated as people try to stay in touch while the tragedy unfolds. Business Continuity Plans, Family Emergency Plans, and all other types of Crisis Communications Plans must include alternate methods of communications during a crisis.
At the very minimum, everyone in your family and business should know to use texting and e-mail as the primary communication method during a regional disaster. These low-bandwidth communications are consistently promoted by wireless companies as the best chance of getting through to someone when cellular networks are overwhelmed.
Businesses with key employees that absolutely require communication during a crisis should consider satellite phones as an alternative to cell phones during an emergency. The cost of satellite phones, and even an emergency service plan, have come down significantly in recent years and should be considered as a reliable alternative to cell phone service when communication is critical. Other satellite/GPS messenger devices are available on the market today that report your location and condition to a predetermined group of people if you are in the middle of a crisis. The bottom line, is that businesses need to consider planning beyond cell phones to ensure effective communications when it is most needed.
Designate a back-up work location when employees can’t get to the office.
Secondly, businesses need to consider how they will operate when their employees are forced to stay at home for a period of time for any unforeseen reason. During the man hunt for the bombing suspects in Boston, all public transportation was shut down and all citizens were requested to stay indoors. The lesson to be learned here is that any number of events could prevent people from coming to work, traveling to a customer, or delay time-sensitive shipments. More importantly, can your employees reliably work from home without prior notice?
We are often amazed when we conduct the “red sticker test” with our clients: we ask each employee to place a red sticker on the items in their office that are critical to get the job done. Many employees need more than just a computer and phone to do their job, and it requires planning to identify, evaluate, and provide these critical resources in an alternate location. Even more important is the fact that power and/or internet may not be available or reliable at home, depending on the type of event. So business continuity plans need to consider alternate worksites beyond just the employee home, as well as helping the employee plan effectively to work remotely.
Let us not miss the opportunity to learn from these tragedies and improve our own plans so we can be even more successful in our response to and recovery from the next disaster or crisis.
RESOLVE TODAY: Review your business continuity plan for crisis communications and alternate/remote working.
- How will your employees and key people communicate if cell phone networks and landlines are overwhelmed?
- Where will your employees work if transportation is no longer available or allowed?
This New Yorker article provides a powerful look at what happens when disaster preparedness becomes second nature. No doubt, the readiness of Boston’s hospitals kept many of the critically injured from becoming another fatality.
Please reach out to us if you need help incorporating these powerful lessons learned into specific actions you can take today, to make your organization more ready and resilient.