Were your IT systems prepared for COVID-19?
Most businesses will have never faced the challenges that they are experiencing today. Many will be prepared for natural and man-made disasters, security threats and major outages. However, a pandemic on this scale is unlikely to have appeared high on the risk register.
One of many videos currently being shared regularly on social media is from Bill Gates, the founder of Microsoft who, back in 2015, said:
“If anything kills over 10 million people in the next few decades, it's most likely to be a highly infectious virus rather than a war. Not missiles, but microbes. Now, part of the reason for this is that we've invested a huge amount in nuclear deterrents. But we've actually invested very little in a system to stop an epidemic. We're not ready for the next epidemic. ……… The failure to prepare could allow the next epidemic to be dramatically more devastating than Ebola.”
Many businesses will have contingency plans in place, but few were prepared for the level of disruption that COVID-19 has caused. Some companies will have backup IT systems that provide resilience if access to the primary production environment is lost. Call centres, for example, often have alternative locations that they can relocate staff too if its premises become unavailable. But when everyone has to self-isolate, this presents a new challenge.
Most knowledge workers will be familiar with remote working, and many businesses encourage it since it reduces the need for office space. The adoption of home and mobile broadband has allowed workers to be anywhere in the world and continue to work as usual.
Some of the challenges
However, COVID-19 has presented new IT challenges that many businesses were unprepared for. For example:
- Some staff may be using desktop PC’s that cannot easily be relocated.
- Not all staff will have an internet connection at home, or it may be slow and have a low data allowance.
- Internet connectivity to internal systems may not have the capacity to support the entire workforce.
- VPN connectivity may be limited by licences on the router or firewall.
- Older phone systems may be difficult to redirect, and users may not want to use their own devices.
Businesses that have adopted a cloud-based strategy, that provides remote access to systems from anywhere, will be congratulating themselves. But for many, it will be a mad rush to build laptops, purchase 4G dongles, upgrade firewall licences, at a time when many are doing the same.
There will be many lessons learnt from COVID-19, and if we ever find ourselves in this unfortunate position again, then we should be more prepared. So, when normality does eventually return, Business Continuity and Disaster Recovery should be high on the agenda.
Business continuity planning is not just about keeping the IT available and accessible; it impacts the entire business. Senior management should, therefore, ensure that a detailed risk assessment is conducted in all areas of the company to consider its exposure to the various threats and hazards. Typically, these can be categorised into three principal areas:
- Natural (acts of nature). For example, floods, hurricanes, tornadoes, earthquakes, and epidemics/pandemics.
- Technological (accidents or the failures of systems and structures). For example, fires, pipeline explosions, transportation accidents, utility disruptions, dam failures, and accidental hazardous material releases.
- Human-caused (intentional acts). For example, cyber-attacks, terrorist attacks, war and sabotage.
Although many of these threats and hazards will appear to be low risk, there are several that occur more frequently. For example, floods, fires and cyber-attacks are widespread, so you should consider these as a priority.
Identifying the risks
Every business is unique and will often be exposed to different levels of threat, so when conducting a risk assessment, the likelihood of it occurring and the impact it could have on the business, should be recorded.
This assessment will include most of the threats and hazards identified above. The likelihood will be determined by the characteristics of your business and where it is located. The impact should be a monetary value, usually based on the number of business days lost. However, consideration should be given to other factors such as compliance requirements and reputational loss.
Multiplying the likelihood and impact, will determine the cost of the risk to the business and will, therefore, set the priority. From this, you will be able to decide on the high-risk areas that should be addressed first.
How much will it cost?
How much you spend on your continuity planning and disaster recovery strategy should be based on the unique requirements of the business; there are no estimates or guidelines for this, although you should consider how much the company can afford to lose.
Above all, be prepared. A risk assessment is the first step, but once you have completed this, for each risk you should consider:
- Prevention - Stop the risk from occurring in the first place.
- Protection - Have controls in place that limit the risk.
- Mitigation - If the risk occurs, how can you limit the impact?
- Response - How will you respond to the risk if it occurs?
- Recovery - How will you recover from the risk after the event?
MHA MacIntyre Hudson’s Technology Advisory Services (TAS) team has over 35 years of experience in helping organisations ensure that its IT systems and services are reliable, resilient, scalable and secure.
Our highly experienced expert team work across all industry sectors and provide independent vendor-agnostic advice that will ensure your IT is making your organisation more efficient, competitive and innovative. Since we are not tied to any vendor partnerships, dealers or solutions, our advice is based on our extensive experience and exhaustive knowledge of current IT trends.
If you would like to discover how we could help your organisation, or you have any queries relating to this or any other IT matter, please contact Gavin Davis. Alternatively, please send us an online enquiry.