business continuity – Cooper Mann Consulting

October 3, 2024

A Hurricane and the Port Workers Strike Force Conversation About Business Resilience and Continuity

Hurricane Helene is one of the biggest storms to have hit the Gulf Coast in years. An analysis done by a scientist at Colorado State University, Helene was larger than almost every storm that has hit the gulf since 1988. Only Opal and Irma were bigger than Helene. The toll in life and property is not small, nor is the disruption of services. There are troubles enough getting help and supplies to impacted areas, so the focus on doing everyday business just isn’t a thing.

To make matters worse, there is a strike going on right now. A big strike that is already impacting supply chains nationwide, and things will only get more strained the longer it lasts.

“The 2024 United States port strike is a labor strike involving over 45,000 port workers who are part of the International Longshoremen’s Association (ILA), impacting 36 ports across the United States primarily along the East Coast and the Gulf Coast.” (Wikipedia)

While there are many people currently facing larger life issues, the entire nation is forced to consider what happens now, and if they weren’t directly impacted by these events, what would they do if they were? It is a bit of a wake-up call for many business owners, because business interruptions can come from all angles, and it is always best to have made at least some attempt at a set of plans for when things happen.

One critical type of plan is about making the business more resilient and better able to recover or adapt. It’s a broad strategic plan that focuses on overcoming unexpected disruptions and adapting to changing conditions or circumstances. This includes addressing business continuity, which is about how operations may be maintained during a crisis. Business continuity planning is part of what makes a business resilient.

The Importance of Business Resiliency

Business resiliency has become a critical factor for success. In today’s rapidly changing world, the ability to stand up to or quickly recover from disruptions is no longer a luxury but an imperative. Resilience means being able to adapt to changes and challenges swiftly, maintaining continuity and minimizing losses. Customers want reliability, so a business that can continue to deliver products and services despite disruptions will build trust and loyalty, leading to long-term relationships and a strong reputation.

A resilient business will have contingency plans for finances, creating buffers to mitigate the impacts of short-term shocks so investments in long-term growth continue. Also, where competitors may struggle to cope, resilient companies may not simply continue to operate but even capitalize on new opportunities that arise from the changing landscape. When a business is prepared for disruptions, it can focus on growth and innovation rather than mere survival.

Technology plays a big role in developing resilience. Cloud solutions can ensure data is backed up and accessible from anywhere, cybersecurity solutions help protect businesses from cyber threats, and automation technologies streamline operations while reducing dependency on manual processes.

Prioritizing resiliency is crucial for small businesses to navigate uncertainties and thrive.

Mendelson Consulting and Noobeh cloud services help businesses of all sizes improve their agility, streamline operations and implement the technologies and services necessary to shore up business and operational continuity and improve overall resilience.

jm bunny feet Make Sense?

February 18, 2014

The Business Cloud: Hype versus Reality

There is no doubt that cloud and mobile computing models are driving technology adoption as well as changing the landscape of how consumers and businesses purchase and use IT. Accompanying any great shift – which in this case is fueled not simply by cloud technologies but by social computing – are the purveyors of propaganda and hype. Cloud computing and social media won’t make you popular, is not always safe or free, and it doesn’t whiten your teeth. What it can do is help businesses increase agility, collect and use information better and reduce the cost of change. There are many benefits to be achieved with cloud computing models, yet many providers continue to play on the hype rather taking the more difficult road of communicating how their solution actually solves real business problems.

Gartner research tracks this type of activity, producing reports offering assessments of the “maturity, business benefit and future direction of over 1,900 technologies”. In the Gartner 2011 Hype Cycle Special Report, entries were grouped into 76 different “Hype Cycles”, revealing the similar patterns of “over-enthusiasm, disillusionment, and eventual realism” that comes with every new technology or innovation. Hoping to provide guidance business IT decision makers, the report intends to inform businesses about when they should consider adopting technologies or IT models in order maximize the value of the approach.

Yet the market is bursting with definitions for “cloud computing”, and services providers offer their wares with varying levels of service and capability. It’s really difficult to compare one private cloud solution to another, as they are all seemingly offering the same value proposition described in the same language – and none of it really describing what the solution is, how the business takes the greatest advantage of it, and what disruption can be expected along the way. Layer on top of that confusion a big heap of expectation, and the belief that cloud computing technologies are somehow different from “real” on-premise systems in that they are not subject to the same potential for breakage, failure, or unexpected cost.

elastic-2

For example, even though Amazon may use the term “elastic”, cloud computing does not automatically create a stretchy and eternally-dynamic resource that can grow without end. There are still limitations and costs associated with growth.

There is also a great deal of hype around applications and their performance in cloud environments. When a piece of software is poorly designed and crashes frequently on a local computer or network, it is just as likely that the application will perform poorly in the cloud. It’s simply a reality of software that even great products that are designed to run exactly the way they are being run don’t have a guarantee that nothing will ever go wrong. With cloud computing models, however, there may be a service provider working in the background to manage the systems and keep things running. You simply might not notice the failures and hiccups as much, but they are still there.

And not all cloud services mean everyone is sharing servers and infrastructure. While the term cloud generally applies to multiple scaled systems, it doesn’t mean that everyone shares everything and benefits from tremendous levels of redundancy and fault tolerance. In most cases, a solution described as a “private” cloud means that the service has been customized for the unique needs of the organization, and that there are resources of certain types allocated exclusively to the use of that customer. On the other hand, a private cloud may mean that the system elements are all contained within the business infrastructure, providing “cloud” type of services but being delivered from company resources. There are a wide variety of ways to describe these configurations and approaches, and quite a bit of inconsistency in use of terminology.

The best thing for a business owner to do now is to just ignore the term “cloud” and simply consider how the business might leverage resources from service providers to gain more IT capability at reduced costs, and how outsourcing certain technology needs allows a greater focus on internal innovation and improvement. Centralized management, improved security, disaster recovery, and increased mobility are all benefits to be realized with the right business cloud implementation. Just because it is to be an outsourced solution does not mean that the business organization should not still architect and understand the solution they will depend on. If this level of participation and understanding is not in place, the solution is unlikely to deliver the resulting benefits expected and hoped for.

Outsourced IT service, remote access and server-based computing aren’t new concepts. It still requires using common sense and reasoning when considering any change in business technology and the innovative application of IT in a business – this cannot be outsourced. When it comes to cloud computing… to put it bluntly, just avoid the hype and stay away from unrealistic marketing and sales messaging. If it sounds too good to be true… it probably is. Technology hasn’t come that far.

Joanie Mann Bunny Feet Make Sense?

February 11, 2014

Migrating Business Data to the Cloud

When businesses elect to have their desktop applications hosted in the cloud with a hosting service provider, they are also electing to have their data hosted with the provider. This point is not always obvious to non-technical users and those unfamiliar with the hosted application concept. Many business owners have adopted an online or hosted application solution and then realized after-the-fact that their data was no longer present on their computer. At least, no current data was present, and it was quite a surprise the day they wanted some information but could not get it because they were not connected to the Internet at the time. An important thing to remember, and the essential factor in measuring risk associated with use of cloud services and hosted solutions, is that adopting online applications in almost any form means that the data associated with (and possibly even data remotely associated with) the application will also migrate to the cloud.

Migrating on-premises servers – and the applications and data residing on them – to the cloud makes sense for many businesses. Particularly as network and internet threats increase in number and as system vulnerabilities are more frequently introduced with remote and mobile access technologies, cloud solutions can significantly assist a business in mitigating the risks of being connected. Yet business owners and IT managers must be diligent in terms of understanding the measures their service providers take to protect and preserve as confidential the customer’s business data. And it becomes more than essential that any and all tools or services implemented be part of a strictly controlled information management and data protection plan.

Where applications are simply interfaces and logic; the value for a business is in the data used by the applications – data containing information about the company, how and with whom it does business, and how it makes money. It is critical that the business consider how and where users need access to applications and data, so that any cloud deployment does not wind up hindering productivity rather than facilitating it to a greater level. It is when the user becomes disenfranchised, unable to perform their work due to lack of access to information or tools, that “shadow IT” deployments appear, and data sharing solutions are introduced outside of the governance of management or IT.

The vast number of offerings for hosting applications and managing business data in the cloud makes finding and implementing the right business solutions a complicated and often frustrating process. Even large providers that specialize in delivering from a menu of business cloud solutions often forget that their target customers may not be particularly tech-savvy, and will fail to recognize the nuances in service delivery or protection that could make big differences to the business down the line – like in the case of a system failure or outage.

Among the keys to a successful cloud solution deployment, particularly when critical and frequently used applications and data are to be migrated off-premises, is a thorough understanding of how users currently work with the tools provided, ensuring that processes and utilization can be fully adapted to the new IT model.

As long as users are able to retain their productivity and efficiency, and when improvements in workflows and information access become additional benefits, the security and protection of the business data is more likely, as users will feel less compelled to find alternative and less secure means for making the business data available from the cloud. You may want to migrate your business data to the cloud, but you don’t want your data to migrate further than you can reach.

Joanie Mann Bunny Feet Make Sense?

January 6, 2014

Security and Users: Change is the Only Constant

Managing user accounts and access to business IT assets is challenging, particularly as cloud and social computing models introduce new wrinkles in security and identity management. Information has become “mobile” along with the users accessing it, yet management of user behavior is even more complicated that trying to manage a digital resource.

If you look at the history of security breaches, you’ll find that many of them started with a user making a mistake – like losing a laptop or clicking on a phishing email, downloading bad software, or forgetting to report an employee termination to the IT dept – something which inadvertently created a vulnerability that could be exploited. It’s tough to stop breaches because there are so many possible ways for them to happen.

If most security breaches start with a user mistake, then IT departments have their hands full because users aren’t static, unchanging objects to monitor and manage. Users change, sometimes a lot. It is this constant change which undermines the ability for some IT departments to meet the demand to adequately secure company information systems and data. Now is the time to take control of user security and identity management, creating automation and controls to protect business assets in a constantly evolving environment.

It is not simply employee turnover that challenges security management. Certainly, IT departments have been dealing with user account creation and termination for a long time. And sure, users have sometimes been promoted and demoted, resulting in the requirement for IT to increase or perhaps decrease access to information and applications. These are normal and expected activities for a business IT department. Unfortunately, IT often doesn’t hear about the user’s change in status. An account isn’t disabled, access isn’t restricted, and the system is left vulnerable.

Just to pile on, think about what happens when a user is more than just a single system user. It may be manageable when where a single identity and set of credentials governs their access to applications and information. But the proliferation of web-based services and SaaS solutions has made it commonplace for users to have multiple applications and services available to them, each with their own approaches to identity management.

For even a small business IT department, the security of all of these access points and applications must be managed and monitored – no small task when the department may not even be aware that the solution is in use. It is not unusual for file sharing, data sync, or other applications to be implemented in businesses without the knowledge or participation of the IT department. Actually, many services attract users due to their simplicity and ease of use, leveraging the fact that they can be deployed without the “assistance” of IT.

Users are becoming increasingly mobile, accessing information and applications from public and private locations while using any number of possible mobile devices. Vulnerabilities which may exist in public networks and the increased potential for device loss or theft are high on the list of concerns of IT departments managing remote and mobile user access. Mobility is driving many changes in how information technology and access to systems is provided to users, and it is changing user demands for what they should be able to easily accomplish while being mobile.

Businesses need to recognize that their continued existence may rely on keeping their information systems and assets safe and secure. Disaster recovery and business continuity applies not only to loss of physical systems, but also to losses of various forms due to data breach. The disaster recovery and continuity plan (you have one, right?) should not only address situations after they happen; planning by definition is proactive. It is not enough to have a plan to recover from loss or failure; the business must actively engage in activities which will prevent loss and reduce vulnerability.

Part of this plan necessarily centers on managing users and user identities, ensuring that the company knows about all access or user accounts involved and employs strict processes and guidelines for making sure they are constantly up to date and have the authority to do what they’re trying to do. In short, the plan must also be a plan for change, providing change management processes to guide the business as the evolution of information technology and the dynamics of user interaction continue to change.

jmbunnyfeet Make Sense?

November 13, 2013

The Line in the Sand: Your RPO (Recovery Point Objective)

Businesses and individuals are increasingly more dependent upon the technology supporting their various activities, and the volume and velocity of information moving through these systems is increasing at astonishing rates. With the growing reliance on information technology and electronic business data, you’d think that more businesses were paying close attention to protecting these assets. I recognize that there is a broad understanding of responsibilities as they pertain to system security, and businesses of all sizes and types are increasing their awareness of the variety of threats facing their systems and are taking steps to address them. Yet there remains an aspect of business data protection that too few businesses are really zeroing in on, and that is the time and complexity of recovering or restoring business data in the event of an outage or loss – and the absolute line drawn in the sand which says that “here” is the tolerable loss we can experience: no more and no less.

This line in the sand is referred to as the RPO, or Recovery Point Objective. A recovery point objective is part of the business continuity plan (or should be!), and describes the maximum tolerable period of time for which data might be lost from a major IT service incident. The necessity to establish this time frame – the RPO – exists whether the business is small or large. In fact, small businesses have data protection needs quite similar to their enterprise counterparts. In an article in SmallBusinessComputing.com, Kieran Maloney of Quantum Corporation is quoted as saying that “from a data protection standpoint, smaller businesses face challenges that are similar to those of larger enterprises; the amount, and the value, of their data is growing significantly while their budgets are not”.

What doesn’t seem to make sense is that businesses continue to view data backup as a necessary evil rather than a strategic element, and spending considerations for creating and meeting a realistic RPO remain low. An article in TheStreet.com on the subject quotes Terry Cunningham, president and manager of EVault, saying “When largely preventable data loss conservatively costs businesses hundreds of millions of dollars annually, it is time to rethink your priorities”. The author also writes that “while 95 percent of US IT decision makers said they have some type of disaster recovery plan in place, only 44 percent have remote, cloud-based recovery capabilities… More than twenty percent of IT organizations that manage between 2-7 TB of data suffered a data loss in the past year – in fact, more than half of this group suffered 2-3 data losses – each with an estimated average cost of 2-5 percent of total company revenues”.

Part of the continuity plan and a consideration in developing an approach which will meet the RPO timeframe should be the implementation of remote cloud based service, yet this has remained a low priority for many business owners. Reliance upon more traditional data protection approaches, including tape backups and on-premises HDD solutions provides IT managers with a false sense of security and often cannot even reasonably address recovery from data loss due to hardware outages, much less for potentially catastrophic failures including loss of the location.

When considering the RPO – the minimum acceptable point for data recovery (or maximum tolerable point for loss) – businesses must look at their data management and backup strategies in order to address recovery approaches for various types of outages. There are benefits and drawbacks associated with the different methods of backing up data, and the cost/benefit of employing any solution must factor in to the requirement to meet the stated RPO. Daily backups may be the standard procedure, but is a potential loss of 24 hours of data acceptable to the business? On the other hand, what is the potential cost of re-creating the data, if it can even be recreated? Consider also that the timeframe for data recovery is not the point at which the last backup was completed; it is the point when the last backup was started. This could result in a loss window greater than the established 24-hour boundary.

Many businesses would suggest that their tolerance for lost data – due to the cost of lost productivity and order activities – is far less than 24 hours, yet solutions employed to reduce the potential data losses often do not fully address the issue in any comprehensive manner. IT personnel working with separate products to handle incremental data backups, machine recovery (bare metal) and snapshots of disk arrays often have a tough time trying to piece together the various pieces of the puzzle and often simply hope for the best in terms of outcome.

The prudent move is to thoroughly consider the business disaster recovery and continuity plan, and establish the boundaries for tolerable loss. No business wants to expect to lose valuable data assets, but expecting technology to perform flawlessly is unrealistic, not to mention the unexpected impacts from acts of nature or other forces majeure. Architecting systems to withstand service outages and having a comprehensive plan for recovering from system outages in a timeframe survivable by the business is the essential element to making a continuity plan worthwhile. Draw the line in the sand, and then develop the system protection and recovery plan that will help make sure you never have to step over it.

Make Sense?

Here are a few data loss statistics for your reading pleasure… Enjoy 🙂

(stats drawn from summary on BostonComputing.net. They may be a bit dated, but the numbers have only increased since then.) http://www.bostoncomputing.net/consultation/databackup/statistics/

The following statistics were gathered from various sources:

6% of all PCs will suffer an episode of data loss in any given year. Given the number of PCs used in US businesses in 1998, that translates to approximately 4.6 million data loss episodes. At a conservative estimate, data loss cost US businesses $11.8 billion in 1998. (The Cost Of Lost Data, David M. Smith)
30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine)
31% of PC users have lost all of their files due to events beyond their control.
34% of companies fail to test their tape backups, and of those that do, 77% have found tape back-up failures.
60% of companies that lose their data will shut down within 6 months of the disaster.
93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington)
American business lost more than $7.6 billion as a result of viruses during first six months of 1999. (Research by Computer Economics)
Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute)
Every week 140,000 hard drives crash in the United States. (Mozy Online Backup)
Simple drive recovery can cost upwards of $7,500 and success is not guaranteed

September 30, 2013March 26, 2019

Considerations for Disaster Recovery Planning | Accounting and Business Technologies

Disaster Recovery Planning is currently a leading topic of discussion for business IT administrators and owners, just as issues relating to business and technology operation and continuity have become a central point of discussion for many organizations. After the disaster occurs is the wrong time to determine whether or not your company is adequately protected. Unfortunately, when you need your plan most is when you find that you either do or do not have things well in hand.

Hurricanes, floods and tornadoes have taught many companies some hard lessons ranging from the inability to locate or communicate with employees to the entire loss of the business and surrounding community infrastructure. Certainly, the current situation is a reflection of the worst-case scenario, but it also points out some fundamentally important considerations that a company must incorporate when creating a technology plan for disaster recovery and business continuity.

EMPLOYEES ARE PEOPLE

One of the first things to remember in any disaster is that your employees are people. They have families, homes, lives outside the office, and responsibilities. They have fears and concerns. In short, they are human beings. This is a reality that is frequently overlooked in a disaster plan.

Much consideration may be taken with respect to handling business issues such as customer or vendor communications, technology and systems continuity, etc. But in the event of a disaster where lives are at stake, can the company expect personnel to overlook those personal impacts that present themselves, all in the name of keeping the company going? Probably not, unless perhaps they are in health care, law enforcement, or the military. Even in those cases, caring for family and loved ones may take precedence over job responsibilities. Businesses need to make certain that there are SYSTEMS in place to assist with continuity and recovery, as personnel may be hard to come by.

YOUR BUILDING IS NOT AN ISLAND

Businesses rely on facilities.

Facilities are created from infrastructure.

Infrastructure, more often than not, is not in your control.

Telephone service, connectivity, electrical power, street access to the building, access to the surrounding areas – these are infrastructure elements that you have little control over, if any at all. The loss of infrastructure, however, impacts you significantly. It does not matter how much backup power you have if you have no physical access to the building. And telephone service becomes valueless (frequently) if the power is out.

Redundancy can come in many forms, but creating fully redundant facilities means being redundant with the infrastructure. Opening offices in multiple locations, distributing personnel and resources to various locations – these all come with potentially tremendous cost impacts to the business. There are, however, affordable technologies and services available today which can help mitigate the impact of the loss of a location or facility, and whenever possible these services should be incorporated into your daily processes to ensure portability and a smooth transitioning of systems should the worst occur.

DEGREES OF PROTECTION

Developing an IT recovery and continuity plan is similar in nature to purchasing various types of insurance. The level and cost of protection must be evaluated based on the benefit to be derived, and weighted by the risk. For example, low-cost flood insurance is probably not worth the investment where there is no water. Obviously, there is cost associated with different levels and types of protection, and different situations warrant different types and levels of coverage.

In terms of IT continuity and recovery, the most frequently implemented form of “insurance” is redundancy or the duplication of a resource. Every business, however, has requirements that extend beyond a reasonable ability to fully duplicate. A small flower shop, for example, cannot reasonably afford to implement “alternative business locations” or a remote office in the event of the loss of the primary facility. With this reality in mind, the business must focus on addressing those conditions that are within its reasonable ability to control, as well as those that it can mitigate to some degree.

via Accounting and Business Technologies | Joanie Mann: Considerations for Disaster Recovery Planning.