- Who, in our organisation, is in charge of ensuring that we have appropriate Disaster Recovery systems in place?
Again, this will vary from organisation to organisation. For those that have dedicated IT staff, it is likely to be the IT Manager. However, don’t treat this as an absolute. There are often departmental problems between staff. Where firms are large enough to have an IT Manager, there are likely to be other Heads of Department. In such a case, it is advisable to have a minimum of three Heads in a project team, headed by the IT Manager, working together to ensure that all systems are appropriately catered for.
If, as in many cases, IT support is external, then the same processes still need to be followed. The IT firm should be contractually tied into any Disaster Recovery process, and evidence of the process working (for example a successful test restore) should be seen and verified on a regular basis by a responsible person or persons from within the organisation.
- Are we investing enough in our IT and Disaster Recovery Systems?
Ha, ha, I hear you say. Here is a guy advising us that we need to spend more on what he is selling. You may well be correct; there is an element of truth here. The major question, and I have seen this hundreds of times, is: what is the cost of not spending sufficiently on IT security and Disaster Recovery systems? It is not our policy to frighten organisations into ridiculous spending on security software and other systems that are not appropriate for them.
What needs to be considered is what is appropriate for each particular firm. If the appropriate investment isn’t made, then the real cost of an incident is likely to be increased by a factor of at least ten. There is a lot of information out there on the Internet regarding the average cost of a cyber-crime attack. For most firms, the talk of millions is wildly exaggerated. Here is a link to a report published by the Cabinet Office, not a company trying to sell services.
Every day there are stories of cybercrime in the news. This item was found on the day of writing this section: https://www.bbc.com/news/business-49823935
Having been established for more than 20 years in the IT sector, we have often seen amazing purchasing, or non-purchasing, decisions made in relation to IT. For example, there have been instances where the purchase of secondary or replacement servers has been rejected on a cost basis, as something the business simply couldn’t afford. In one particular instance, the purchase of luxury cars for Departmental Heads was made without any consideration as to cost. At RedDrum, there is a fleet of Volkswagen Polo cars available to all staff, including the MD!
- The human factor. What do we do with our staff?
The unfortunate reality is that, whatever security systems are put in place, it is highly likely that they will be defeated by a member of staff doing something that they shouldn’t do. This could be opening an email, clicking on a link, or giving a criminal information, over the phone or in person, that will give criminals access to data or systems.
Whilst the IT security systems should rule out, as far as is reasonably possible, the ability for anyone to break into a network or IT system, it is impossible to completely prevent such an event happening. There are a number of reasons for this, some mostly technical, which don’t merit discussion here. The stark reality is that it is highly likely to be a member of staff that defeats the security policies.
There are so many scenarios where this can happen, has happened and still happens every day: as mentioned above, just clicking on a link in a rogue email, entering email and password information in response to a website request, or any of the many other means by which people give their usernames and passwords away. How would any security system be able to prevent a member of staff providing their username and password to a telephone caller who pretended to be a BT engineer? Even with appropriate training, staff have still been known to do this!
The reality is that it is often impossible to establish who has let the criminals in and how it was done. This is because, in the event of 100 employees not being able to work in a firm, the critical factor is to get them up and running again. It isn’t possible to dedicate several days to tracking down when and how the system was compromised. Sometimes, depending upon the situation, this can be done afterwards, but often not.
GDPR requires that staff should be REGULARLY trained in security procedures to ensure that data is protected. Appropriate, regular, enforced training is a necessity. Many of the security programs now have training facilities built into them. They can be configured to send dummy links and bogus emails to staff, to train them to think before they do anything with them.
After considering the 7 questions, it should be possible for a particular organisation to make a decision about what is an appropriate Disaster Recovery Policy. This could range from the simple backing up of a server or data offsite, to the requirement for a fully fitted-out alternative office with real-time access to software, data and programs. It is very much a horses for courses scenario.