The Status of Purgatory

Purgatory: A situation of temporary suffering or torment.

It’s early April and the UK is in lockdown. Everything is shut other than a select few essential shops, and most businesses have either had to shut up shop for the foreseeable or are trying to work from home as efficiently and effectively as possible. The coronavirus, or Covid-19 to be precise, has brought the entire western world to a screeching halt, whether you are a huge multinational organisation with thousands upon thousands of employees or a small restaurant in your local town. The reach is endless, and business owners everywhere are feeling the pinch and worrying endlessly about their business’s health and stability in a market that has placed all of us in the unenviable place called purgatory.

The simple truth here is that the whole business world is in a state of purgatory, from the employees worrying about whether they will get paid this month to the business owner worried about getting paid by his customers, who is no doubt also attempting to get the state-promised support and having to negotiate the nightmare that is the CBILS loan schemes with the accredited banking institutions. We are all in a very precarious state of hell, and at the moment there is very little insight into when all of this will start to go back to normal. We are in this for the long haul, and by all accounts this is going to get worse before it gets better… there is a lot of concern here in the business world, and for very good reason.

What makes this eminently more frightening is that we are all predominantly at home (other than those heroic health service staff and those services critical to keeping individuals fed and healthy). This makes the task of working and keeping a business running even harder because everything has to be done remotely. Talking to anyone and keeping all the business plates spinning depends on communications and on having somewhere quiet in the household to work, which can be extremely difficult if you have small kids.

“Thank you for stating the hideously negative reality of the situation Jim,” I hear you say…

I don’t mean to be negative. Usually in my articles and posts I err on the side of positivity, but we have to accept and acknowledge that things are pretty difficult at the moment, and for a lot of companies it’s probably highlighted the need for a good BCP plan. I know a lot of companies that have had to cobble together quick and dirty BCP operations that can be used in the interim during the isolation requirements.

This has actually made me sit back and reflect on BCP projects we have done in the past. Razorthorn has undertaken a number of business continuity and disaster recovery plans, and I myself have been a part of BCP and DR projects going back even further than the 13 years Razorthorn has been around, predicting risks and eventualities and how to handle them. The one thing that I have found in all of that time is that people have a hard time envisioning a total shutdown. It’s something I have put to groups before in “What If?” planning sessions and quite often the response is, “Well that will never happen.”

And now it has.

One thing I predict will come out of this current crisis is a resurgence in interest in BCP and DR planning. It has to, really, because people have now experienced a serious event that has put millions of businesses at risk across the country. The businesses that are left after this financial meltdown will definitely be seeking to put measures in place to ensure that, if this issue should occur again, their organisation will be able to handle the situation better than it has currently. In short, there will be a lot of lessons learned from this event and many organisations will put BCP/DR plans right at the absolute top of their to-do lists.

So, as usual, here are Razorthorn’s Top Tips:

Plan correctly

BCP planning is about ensuring that the business can continue during a crisis; DR planning is about ensuring the company can effectively recover operations back to normal once the crisis has ended. Don’t mix them up: they are TWO different sets of plans.

Technology is only one piece of the puzzle

Too many plans focus on technological access. Whilst this is a huge part of the puzzle, you need to remember that it is only one part of the equation. Yes, it needs to be done, and it needs to be efficient and effective in its delivery of service, but there are many other aspects to consider as well.

Business Impact Assessments / Critical Asset Identification

Assess the DNA of the company, what makes it tick, how it makes its revenue, how it operates within itself and with its customers. Understand the ecology of the business and make a list of the critical functions and assets of the organisation, then conduct a BIA on those functions and assets with the business owners AND those that manage those functions and assets.

Don’t plan for every eventuality

You can’t predict the course of one event, let alone develop plans for all possible events. It’s not possible and it’s counterproductive. This is what makes me cringe when I see people creating a library of plans. Work on handling the three states (see “Consider the three states” below), not an individual event. Planning for individual events is what drags a project out, and it’s what makes plans cumbersome and expensive. You can never predict the course of an event, so don’t try. When an event ACTUALLY happens it likely won’t follow the predicted path, so just… don’t.

The only time I go against this is if an event has occurred that is likely to occur again (like this pandemic shutdown). In that case, by all means write a playbook, but focus on the shutdown and not how it happened…

Business BCP/DR

This is critical and often forgotten in favour of technology. Does the business have capital stored away to pay staff during a BCP event? Does it have contingency plans for third parties with critical services going out of business? There is a whole raft of business-level issues that need to be included in any BCP plan. Another good example that is often forgotten is PR people. If you are having a serious event that is being discussed in the media, MAKE SURE you have a good PR person on the BCP team to manage the publicity. The business aspects of a BCP plan are critical and usually left out.

Review historical events

Always start your planning process with a review of historical data and events that have caused the company pain in the past which, let’s face it, should not be too difficult at the moment. Talk with the C Suite, the business owners and the directors about the issues they faced, the problems they dealt with and the sacrifices they made. It’s important not only to build plans that work but also to get support for the project from those that suffered the most pain.

Consider the three states

There are only ever three states an asset or business function can be in, other than working efficiently.

  • Partially unavailable – not working as intended/partially affected
  • Wholly unavailable – not working or available at all
  • Purgatory – available physically, but cannot be used for some reason

The one that gets people questioning me a lot is that last state, which is the title of this article… purgatory. How can something be available but not be able to be used? Well, this current business climate is a great example. Many businesses have offices and premises they cannot use, whether that’s because they have been mandated by the government to close or because staff are having to self-isolate.

Get help

I know us Information Security professionals have a reputation for sounding a little negative, indeed you can see that at the beginning of the article… but do make sure you get an Information Security professional with a history of BCP planning to help you build your own plans. It’s a really important part of making a BCP/DR plan work. You can go it alone, but this is what we train for and work with in our daily lives, so use that experience to your advantage.

As a final statement, please all stay healthy. We at Razorthorn hope you are all ok and well during these rather unpleasant times. If you would like to talk to us about this or any other security requirement then please feel free to contact us and we will be more than happy to assist.
