By Simon Heath, Director, The Final Step
Often, but not always, I check the fire exit plan on my hotel room door to understand how to get out in a fire.
That's because one night, in San Francisco, I had to evacuate because of a fire. The corridor was a bit panicked with guests. I thought I knew enough not to take the lift and to advise those doing so against it. I followed the crowd to the stairs. After descending a few floors, we met smoke coming up. We now knew this wasn't a drill and making a good decision felt more urgent. Should we keep walking down; walk upstairs instead; or go back into the corridor to find another stairwell? None of us had looked at the map or knew our options.
Most of us tend to ignore fire drills, signs and extinguishers, but they are worth paying attention to every now and then. If you ever need them for real, being familiar with the detail keeps you calm and gives you options.
Cyber "attacks" are intended to knock us off-balance. Criminals want us chaotic with limited options so that paying a ransom makes sense. Planning and practising how to recover your operations in an emergency helps you take back some control.
If you want to be better prepared to deal with this problem, you need to pay it some attention and think ahead.
Practising your plan is valuable because of what you are going to learn from it and how you are going to improve your resilience. The first time we practised our own we realised the recovery plan we printed out wouldn't have been available to us. In the scenario we were testing, the printer we just used would not have existed and nor would the storage location of our plan.
That was the first of many learning points. I would say that if you don't learn anything from a recovery drill you are probably not thinking about it in the right way. The aim is to recover better and quicker whilst accepting it will never be as full, or as quick, or as painless as you want it to be.
These drills take place outside of normal office hours to avoid disrupting your business and clients, although the plan should also cover how you are going to communicate with clients when it happens for real and you can't service them. It's best that the drill involves your own staff as well as your IT provider; you learn more this way. We once had a client report that a continuity solution was unworkably slow. It turned out this was due to them working on a Mac and on public WiFi, neither of which was "in the plan". Here was a conflict between what the plan said and what people in the real situation would actually want to do.
Watch Tony Thomas, Vice President of Strategy at ConnectWise, talking about resilience and citing The Final Step's fire drill approach as building peace of mind for organisations in the short video below.
There is a huge variance in how small and medium-sized businesses approach cyber security and recovery. It ranges from "it will never happen to me" to "let's get ISO 27001 certified".
When we had to evacuate that hotel in San Francisco, what ended our stairwell dithering was a firefighter coming up the stairs telling us all to keep going down, despite the smoke. That was still our safest, quickest way out.
If you are of a mind to improve your resilience, it is good to find a partner whose advice you can trust. Resilience is born not just of the right tools, but of setting expectations and practising your ability to meet them.
Non-technical business owners are going to want some expert input in order to make important decisions for their organisations:
As risks, technology and your environment change you are going to need to adjust your plan. But you have to start somewhere. Here's a high-level view of how to start planning your response to an incident.
James Clear says: "When you need to learn quickly, learn from others. When you need to learn deeply, learn from experience." Even for small and medium-sized businesses, a cyber security incident is considered an inevitability. So, it's really a question of whether you want to get ready before it happens or whether you are okay with learning in the middle of it.
If you want more on how to make your business unstoppable in the face of increasing risks, here are some resources: