The devastating CrowdStrike software failure in July impacted companies around the globe. CNN reported that this unparalleled IT outage resulted in $5 billion in losses—for just the Fortune 500.
Among the key takeaways from this unfortunate event is that every company needs a Business Continuity Plan (BCP). Cyberattacks aren’t the only thing that can disrupt IT and negatively impact businesses. There are also power outages, natural disasters, and technical failures, as with the CrowdStrike episode.
The better a company is prepared for a technical disruption, the more likely it is to overcome it with greater speed and minimal damage. Here are the steps to take when crafting your BCP:
Conduct a thorough risk assessment: The best way to be prepared for the unexpected is to, well, expect it. Think through all the situations that could disrupt your IT and, therefore, your business. For starters, there’s unintended human error and, of course, intentional malicious activity. In addition, there are potential concerns based on your location: floods, hurricanes, tornadoes, etc. In some cases, terrorism is a plausible concern.
Ponder the potential impacts: Once you’ve considered your risks, it’s time to ponder their implications. What impact would the scenario likely have on your business, employees, customers, partners, neighbors, and other stakeholders? How might you lessen or remedy the impact? How might the situation impact your finances? Are there reputational matters to consider? Legal concerns?
Ask the question, “What would we do?”: After considering all that could go wrong, it’s time to figure out: 1) what you can do to prevent it from happening in the first place, and 2) what you’ll do if the situation comes to pass. Create detailed response plans, especially for those possibilities that are more likely to occur. You don’t want to attempt to create a plan on the fly after some episode has occurred. Such spontaneous decision-making could make the situation worse.
Ask another question, “What would we say?”: What are you going to tell employees, customers, and other stakeholders? It’s best to figure that out beforehand and draft sample emails, text and IM messages, and news releases. You can always modify them to better suit an actual situation, but having drafts will save valuable time.
Establish a transparent chain of command: Regardless of the cause, when your IT fails, you don’t want to leave any room for doubt about who will lead the efforts to remedy the situation. Who is responsible for directing the team and making the final decisions must be crystal clear.
Have easily accessible contact information: You should have contact info—email addresses as well as work and personal phone numbers—for anyone and everyone who might be involved in rectifying a bad situation. This includes the BCP leadership team, other vital employees, relevant vendors, such as your MSP, and stakeholders, such as customers. Don’t forget to include contact info for your financial, insurance, legal, and PR advisors.
Make time to rehearse and rehash: Don’t just place your BCP on a server and hope you never need it. Make the time to do some dry runs. Include the appropriate vendors and partners in the rehearsal. This will go a long way toward facilitating smooth communications and teamwork should an actual disruption occur.
Should you have to deploy your BCP, evaluate how well you and your team performed and what lessons you learned that might help you refine it.
Contact Emerge if you’d like assistance developing your IT Business Continuity Plan. We’re here to help.