Colin Jeffs, Head of Business Continuity Management Consultancy, Daisy Corporate Services, talks about business continuity in the digital age.
Digitisation has changed the business landscape forever: technology is the king of innovation, evolution and progress through the savvy manipulation of data – enabling disruptive business models and driving differentiation. But has this changed our approach to business continuity? Colin Jeffs shares what he feels are the most important considerations today.
Tell us a little bit about Global Digital Business.
First of all, let’s put global digital business into perspective. It’s HUGE! While facts and figures vary, here is some food for thought, courtesy of Simon Kemp, CEO of Kepios, and chief analyst at DataReportal, who reported last year:
- Of the global population, there were 4.3 billion Internet users and 5.1 billion unique mobile phones
- Digital is growing rapidly – Internet users grew by 9.1% (367 million) 2018-2019
- E-commerce is enormous with 2.8 billion people purchasing consumer goods via e-commerce (3.1% up on previous year)
- The value of the consumer goods e-commerce market was $1.78 trillion (up 14% on the previous year)
- E-commerce in the UK is more popular than in any other major country where the UK spent $233 billion online in 2018 (up 18.2% on 2017)
- Internet penetration is extremely skewed to the Northern hemisphere with North America and Europe sitting at around 95% penetration compared to 60% or less in the rest of the world
- Bernard Marr published in Forbes that 90% of all the data in the world was generated in the last two years, with more than 2.5 quintillion bytes created every day (that’s 2.5 with 18 zeros after it)
- Whilst Irfan Ahmed published in Social Media Today that in 2020 it is estimated that there will be 1.7Mb of data created EVERY SECOND for EVERY PERSON ON EARTH!
- And finally… By 2025 the International Data Corporation says worldwide data will grow 61% to 175 Zettabytes with as much residing in the cloud as in data centres – 1 Zettabyte is 1 with 21 zeros behind it! To put that into real perspective, 1 Zettabyte is equivalent to 1 trillion Gigabytes!
Currently, thanks to COVID-19, the only way to buy from most businesses has been online, potentially forcing a change to the business model for some businesses, towards a more digital way of working. Regardless of this, the way we use data to understand the market in real-time and help us differentiate from our competition means that keeping our data secure and being able to recover it quickly is more important than ever.
A brief overview of business resilience and future planning
Business resilience is essentially planning for the future and making sure your critical services and products are secure and can continue in unforeseen circumstances. Any business that doesn’t have strategies and plans in place is at significant risk of failing should a major incident come a-knocking. You only have to look at what’s happening right now with COVID-19 around the world. Incidents don’t wait for a business to prepare themselves for the worst, they just come along whether you are ready or not. There is an old but pertinent saying that sums this up better than any other: if you fail to prepare, prepare to fail.
At Daisy, we provide resilience services to some very large UK organisations and we’re finding that people are coming to us because they weren’t quite as ready as they should have been to deal with a pandemic, or because they are starting to suddenly see the importance of some of the services that we provide that haven’t previously been considered as important. Knowing your business intimately is the key to surviving any major incident. If you know what’s critical in your business, and you understand what those critical things need in order to continue, you can put measures in place to protect them. If you do this, you stand a far better chance of being able to continue to provide those critical services during or after an incident. At its core, this is business resilience – although there is much more to it than just this.
Why is it important for businesses to have a strategy in place to cope when things don’t go as planned?
In August 2019, large parts of England and Wales were left without electricity following a major power cut that had a serious impact on rail and road services, including city traffic lights. A lightning strike on the grid affected Little Barford power station and the Hornsea offshore wind farm. This was closely followed by a double generator failure – something that was unheard of at the time. The outages occurred within seconds of each other, immediately after the lightning strike. Ipswich Hospital lost power, a backup generator failed and outpatients, x-rays and scans were impacted. 1.1 million electricity customers were without power for up to an hour.
Whenever I’m working with clients, we always try to work to the worst-case scenario. If you can handle that, then you will also be able to handle anything less impactful.
COVID-19 is an extreme event with specific conditions that are common to any pandemic – such as the widespread impact as opposed to the more specific events that impact just one organisation, one small geographic area, one industry and so on. There are a great many other types of events that have brought businesses to their knees in the past, and will continue to do so in the future. Two great examples of this are the NotPetya malware incident on global shipping company Maersk, which cost them $300m, and the WannaCry cyberattack, which cost the NHS £92m and caused 19k appointments to be cancelled. I’ve been involved in incidents myself, such as a Norovirus outbreak which closed our building for one week, the effects of the 7/7 terrorist incidents in London, not to mention power failures, floods and the like. Every incident takes its toll on a business to differing levels.
The main reason the organisations I worked for were able to continue effectively is that we had robust, tested plans in place that allowed critical services to continue. A very simple example of how you can plan to be more effective is having pre-prepared communications templates ready, where you effectively just fill in the gaps to quickly issue clear information and instructions to staff. I have seen on several occasions now where an incident has occurred and people freeze up in panic, or are too emotional for their thought processes to enable them to decide what needs to be said and done, due to the pressure or shock of the incident. In that situation, it’s all too easy to write ambiguous or misleading messages that can hinder a response or add further chaos to an unexpected situation. Having basic template messages pre-agreed and pre-prepared just takes that pressure off and allows people to focus more clearly and methodically on the next steps. It’s incredibly simple, but trust me, it works!
Why is understanding the criticality of your data so important?
There are so many different categories of data and so many different ways to store data that one storage strategy doesn’t necessarily fit all. I myself have been caught out by critical data that was stored on a file server along with many tens of terabytes of other non-critical data. When we had a failure of that file server, we had to wait for the critical data to be restored along with all of the non-critical data. So whereas we needed the critical data back within four hours, it took over 48 hours as we couldn’t segregate it and restore it separately from the non-critical data. As a result, the critical services that depended on that data suffered a prolonged outage.
If we had truly known what data was critical, we could have put in place a better system for storage and recovery to allow it to have been recovered not only first, but faster and within the time required by the business. Needless to say, that is exactly what we did following the incident. A great example of how to achieve this might be to store non-critical data in the cloud and keep critical data on-premise in your own data centre or server rooms where you can control the backup and recovery priorities more effectively.
How do you understand what is critical?
By performing a business impact analysis (BIA), you can identify what is critical in your business, what IT systems are deemed critical by the business, how quickly the business needs systems recovered should they fail (this is your recovery time objective, usually called RTO), how much data the business can afford to lose from a system (this is your recovery point objective, usually called RPO), what resources and interdependencies they need and have, and who in the business is critical in terms of your staff. The data provided by a BIA is pure gold when it comes to an incident. If you haven’t done a BIA, I recommend you do, and if you don’t know how to (as it is a specialised process) then don’t be afraid to ask for help!
Is this the case even now, during the current pandemic?
All of our consultants are currently working remotely because of the coronavirus and government guidelines. BIAs are usually completed face to face but we can absolutely still complete them remotely and still get relevant data to support your business.
How can people support their company’s digital strategy in order to protect it effectively?
The nature of business continuity means that it does involve everyone within an organisation to some extent. You can think about your role and how resilient you are. Who depends on you most within the organisation – which other people, departments or outcomes rely on aspects of your role? What would happen if you were unable to perform critical tasks? What would prevent you from being able to perform critical tasks – for example, what people, systems, data, and applications do you rely on and for what?
Don’t be afraid to question where data is stored and how long it would take to recover it, should the server it resides on fail. Don’t be afraid to ask what your role would be during an incident. Tell people if you think there is a problem, perhaps there is a critical point of failure that a lot of other things depend on but that has no inherent resiliency and inadequate backup provision – or perhaps you think you would struggle to know what to do during an incident. Waiting for an incident to happen before you think about it might mean you become one of the “headless chickens” we see in every crisis situation as a result of people not knowing what to do. Take the time to find out so that you can calmly carry out planned steps defined by your business continuity planning process.
Key business continuity takeaways for all staff
Make sure you know what data is critical to you and why. Make sure to tell the right people how quickly you need that data back and make sure you explain the consequences of not having it back in your required time frame.
With cyber incidents on the increase and becoming a more common reason to invoke business continuity plans, it is critical to make sure you follow your company’s IT security policies to the letter. Most of the cyber incidents have occurred because a member of staff clicked on something they weren’t sure about or shouldn’t have! You can have the best IT security strategy in place, but cyber criminals are becoming smarter in finding ways to breach a company’s security wall.
Business resilience is the responsibility of everyone in the organisation, not just senior management and IT. Get involved and question if something doesn’t seem right or you are not sure what your role is or what you should do during an incident.
About Colin Jeffs
Colin moved into the realm of business continuity from IT project management where, as part of implementing IT systems, he had to implement resiliency. Colin has worked in business continuity and crisis management for more than 25 years, holding senior roles in both disciplines for many years at major financial institutions in the city. Colin now heads up Daisy’s award-winning business continuity management division.