- If an incident of whatever type should happen, do we have insurance to cover any loss that might result from it? If not, why not?
Many companies have business interruption insurance but very few have considered insuring against cyber-crime. Larger companies might want extensive cover to include appointing a Project Manager or someone to defend their brand. However, for any reasonably sized business, even at the lowest level, cover for any incident that involves loss of access to data, which normally includes the replacement of servers etc., should run to at least six figures, just for the basic IT side of the insurance.
- What data backups do we have in place?
For most SMEs, this is quite a problem. The vast majority of the smaller end of the SME market subcontract their IT out to a third party provider. Backups are often part of this contract, but it is a grey area, and little time is spent establishing that the data being backed up is a) everything that is required and b) current.
For this process to function correctly, the backups would have to be restored and checked on a regular basis. Often this doesn’t happen. Unfortunately, many managers of SMEs simply wouldn’t be able to answer this question. Several years ago, RedDrum were involved with a large firm of solicitors that religiously took a backup tape to their safety deposit box every night. Their IT support firm had advised them to do this and they did it. However, when the backup tape was checked by RedDrum, it contained a set of data that was 5 years out of date.
Even larger companies, those that have dedicated IT staff, can fall foul of data problems. Is the correct data being backed up on and off site? Is it regularly restored and checked by the IT team and verified by other departments? Is the process sufficient for the requirements of the firm?
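One way to automate the restore check described above, as an added example that is not part of the original article. The function name, the list of required paths and the age threshold are hypothetical, and it assumes the restore tool preserves file modification times.

```python
import time
from pathlib import Path


def newest_mtime(path):
    """Most recent modification time of any file at or under path, or None."""
    if path.is_file():
        return path.stat().st_mtime
    times = [p.stat().st_mtime for p in path.rglob("*") if p.is_file()]
    return max(times) if times else None


def verify_restore(restore_root, required, max_age_days, now=None):
    """Check a test restore for a) completeness and b) currency.

    restore_root: directory the backup was restored into (never the live data).
    required:     relative paths the business says it cannot operate without.
    max_age_days: how old the newest file under each path may be.
    Returns a dict with the keys 'missing', 'stale' and 'ok'.
    """
    now = time.time() if now is None else now
    root = Path(restore_root)
    report = {"missing": [], "stale": [], "ok": []}
    for rel in required:
        target = root / rel
        # An absent path and an empty directory both mean the data is not there.
        newest = newest_mtime(target) if target.exists() else None
        if newest is None:
            report["missing"].append(rel)
        elif (now - newest) / 86400 > max_age_days:
            report["stale"].append(rel)
        else:
            report["ok"].append(rel)
    return report


if __name__ == "__main__":
    import sys
    # Usage: verify_restore.py <restore_dir> <max_age_days> <required_path>...
    result = verify_restore(sys.argv[1], sys.argv[3:], float(sys.argv[2]))
    for status in ("missing", "stale", "ok"):
        for rel in result[status]:
            print(f"{status.upper():8} {rel}")
    # Non-zero exit lets a scheduler or monitoring job flag the failure.
    sys.exit(1 if result["missing"] or result["stale"] else 0)
```

A passing run only shows that the files exist and are recent; other departments still need to open the restored data and confirm it is usable.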
- What are our mission critical processes?
This ties in completely with the question relating to data. What do we need to be able to do to continue operating as a business, in the case of disaster? For some firms, it might just mean that their website continues to function. Others might need email, telephone systems or the ability to receive clients. Most will be dependent upon some form of data, software programs and office facilities.
- What is a critical time period for our business?
There are some businesses for which the critical time period can be measured in minutes, if not seconds. The Stock Exchange springs to mind. They have to have multiple, redundant systems in operation, live, that they can switch to. We have recently seen examples of certain banks falling foul of this. Banks obviously need to be constantly live and haven’t been so, even when the disaster has been of their own making.
For most businesses, a morning or afternoon will be about as much as they can reasonably get away with. It really depends upon the nature of each business, their field of operation, clients and reliance upon the particular aspect that a disaster is preventing them from being able to access. Depending on this, choices must be made in relation to the provision of appropriate measures.
The next article will continue with the remaining questions.