How to prepare for the worst by assessing your technology and vulnerabilities

Mike Maloney, Vice president, Comcast Business Services

In the aftermath of major disasters like Hurricane Sandy, renewed focus on planning for catastrophic incidents can actually undermine effective preparedness for more likely events and distort perception of risk in a way that makes businesses more vulnerable.

On the spectrum of risks, high-severity, low-frequency events include major natural disasters like hurricanes or earthquakes. At the other end are high-frequency, low-severity disasters, such as human errors, computer crashes and power outages. Disasters such as fires and floods fall somewhere in between.

“We often focus on the catastrophic risks, those at the far right end of the spectrum,” says Mike Maloney, vice president, Comcast Business Services. “We assume that preparing for the worst-case scenario automatically includes preparation for all lesser risks. But, it hardly makes sense to initiate a full-blown disaster recovery plan every time the business experiences a minor deviation in operations. That is too expensive and cumbersome.”

Smart Business spoke with Maloney about how preparing for everyday disasters can keep your company — and its technology — on track.

Why is it especially important to prepare for everyday disasters?

If you prepare for the everyday disaster, you will also be ready to address the more serious and less likely threats. For example, power outages commonly occur on a standalone basis, such as brownouts during the summer months with peak air conditioning usage, but power outages also follow more serious threats like hurricanes.

How can you guard against human error?

Human error is the most common form of disaster. Of course, the best way to address this is to ensure proper staff training and good management practices. But, you will also need a strategy to mitigate cost when error does occur, such as on-demand, user-generated data backups and clear recovery procedures.

What’s the best strategy for preparing for equipment or third-party failures?

By making good vendor selections and following proper equipment maintenance procedures, you reduce the frequency of occurrence. Also, build in redundancy for when those failures will occur and have extra equipment in inventory.

Third-party failures are the failures of service providers needed to deliver products and services like telecommunications. The basic strategy is to invest in due diligence to make wise choices for third-party vendors to entrust with your critical services, negotiate appropriate service guarantees and support, and build in redundancy to cope with failure when it occurs.

How is planning for environmental hazards extended to more severe threats?

Environmental hazards are conditions that displace staff and could be as trivial as a water pipe bursting and flooding the office. So, plan for human safety and assure the technology is in place to enable temporary remote operations. This concept is extended for fire, natural hazards and sabotage, which pose more severe threats to safety and longer periods of remote operations.

Once you’ve established your planning framework, what’s next?

The next step is to identify the business’s key assets, which may sound simplistic but is not necessarily obvious. For example, a small software development company insured its property, so after a fire, it was fully reimbursed for the replacement costs of office furnishings. But its critical asset was its intellectual property, embedded in hundreds of thousands of lines of software code. The company had failed to back up the software and subsequently went out of business. If it had a severe budget constraint, as start-ups often do, it would have been better served to forfeit insurance on physical assets and invest in off-site secure data backup.

In addition to determining how best to protect the business, this provides insights as to how to better manage the course of normal operations. Several years ago, a disgruntled systems administrator of the city of San Francisco refused to relinquish key passwords to computer systems controlling, among other functions, employee payroll. A little due diligence to understand the key processes, assets and functions of operations might have revealed this vulnerability.

Mike Maloney is a vice president at Comcast Business Services.

Insights Telecommunications is brought to you by Comcast Business Class