Podcast Details:
Tue, 8/9 2:01PM • 52:45
SUMMARY KEYWORDS
organization, business, people, server, security, clients, data, hit, distraction, ransomware attack, threats, disaster, ransomware, technology, human element, big, employee, talking, cloud, lost
SPEAKERS
Carolyn Norton, Rich Fowler, Daryl Moll, Amy McKie, Jason Wietharn
Carolyn Norton 00:14
Hello, happy campers. This is your host, Carolyn Norton. And today’s episode, we’re going to be talking about the anatomy of a big disaster. How business decisions impact disaster preparedness. In our last episode, we discussed all the potential threats that could cripple your organization, from the devastating effects of Mother Nature, malicious hackers, and more. In today’s episode, we’re gonna pull out a magnifying glass and investigate how poor decision making can set up an organization for a big disaster. Joining us today. Hi, I’m Daryl Moll. I’m a principal Cloud Architect with over 25 years of experience in cloud and IT. And I’m Rich Fowler, I work with our worldwide partner channel to help partners move forward. And I’m Amy McKie and I’m Director of Client sales. I have over 25 years of experience working with Microsoft Dynamics customers. Hi, this is Eric Robertson, Director of IT. I’ve been doing IT for more than 20 years and have had the pleasure and pain to deal with big disasters.
Daryl Moll 01:20
That’s a wonderful comment to jump right into our theme for today. So I wanted to take a moment and talk about what are some signs? What are some indicators to look out for? We all know that there are issues that are out there, some threats to organizations, and yet, I always sit back and wonder what are the signs? What are the warning signs? What are the telltale signals that we could be looking out for to make sure that we’re keeping an eye on the latest and greatest threats, and what we can do to prevent them? I’d say in my mind, and over the time that I’ve been doing this, in the industry is if you don’t have a regularly occurring, meeting, or plan to go over your plan for what you’re going to do with it. And when a disaster strikes, and you aren’t having active conversations with these on a regular basis. That’s your biggest warning sign that you’re not ready, or you know, or to be on the lookout for something like that. Because, you know, we see it all the time that people just don’t have the conversations, don’t think about it, because it hasn’t happened to them. But that’s not when you need to have that conversation. And I think Daryl brings up a good point. In my fun time I do triathlons. And for the bike portion of that there’s a phrase in the triathlon world that there’s two kinds of bike racers, there’s those that have wrecked and those that haven’t wrecked yet.
Rich Fowler 02:54
The same thing applies to some type of disaster, whether it’s a hacking or a true disaster. It’s not a matter of if, it’s a matter of when and how big. So the questions that Daryl mentioned are exactly what people need to be thinking about. When it happens, what do we do?
Amy McKie 03:12
Well, it goes back to the mindset I think we see with a lot of the clients is it’s if it’s not broken, don’t fix it. So they’re not even thinking about, you know, the security and you know, the disaster part of it. I can still do my job today, I’m just going to keep doing it and not even thinking outside the box there.
Carolyn Norton 03:28
So what are those? What are those symptoms? I equate it to? You know, health, if I’m getting a headache immediately I know I’m going to have to go get some aspirin. So what can an organization look out for to prompt them into taking action and preparing themselves for a possible disaster? What are they? What should they be looking out for? What are those? What are those signals?
Eric Robertson 03:52
Looking at studies, 90% of vulnerabilities come from human error. And if you’re not training your employees, or having a buy in from senior leadership and employees to protect your systems, you’re already at a disadvantage, because that’s the easiest way for your company to be compromised. So having regular training, making sure there’s at least an annual security training for all employees going through and having phishing internal tests to see which users are having a harder time realizing and understanding which you know, which emails or items or text messages are fake and what to do in response to them. So having a system in place that they can follow easily.
Rich Fowler 04:30
I’m sure Eric, Derek didn’t mean to look at me when he’s talking about that, because I think I don’t know how many phishing things. It’s valued. It’s valuable across the board. It teaches us old dogs what to look for. And, you know, some of the new folks already know that but it’s it. The hackers are getting better and better day by day. And businesses have to keep up because it just takes one
Carolyn Norton 04:53
You know, I also think it’s a helpful reminder, especially when you test someone out. It’s not a real life scenario, but boy, if you get burned on one of those tests, you go, Ooh, maybe I need to remember to watch out on what I’m looking for.
Daryl Moll 05:08
When I think one of the things too is I those are IT best practices, you know, I mean, all those things that Eric ran through and stuff like that, those are things that should be happening with regular frequency. But you know, outside of that, there’s also you know, the other pieces to, you know, that you need to watch out for in outside of just specifically the technology that you need to make sure that you know, for in, you know, in a disaster that you’re, you know, preparing for so it’s more of the, you know, disaster, you know, impact for that. But also the business continuity is, you know, there is more than just technology that you need to keep in mind. And again, it’s making sure that you’re going through that on a regular basis with frequency to make sure that you’re addressing all these different areas of your teams, and in with your teams and stuff like
Rich Fowler 05:52
that. So you bring a business continuity, that’s something I was going to both talk about and ask about. So I think business continuity means different things to different people. What does it what does it mean to this group? Because I have my own idea, but I might be wrong.
Daryl Moll 06:06
That business continuity to me means is my business still operating after this? After this event? You know, what, what is my What do I need to do to keep my core business up and running?
Rich Fowler 06:16
Okay, that’s, that’s kind of what I thought I bring it up because we worked with a company, which was a nonprofit, and they have a big festival every year, the big festival came around, they had 30,000 people at this festival, all of their systems were on prem, being held together with I’m gonna say not quite literally duct tape and coat hangers, but I don’t think it’s too far off. And they decided to switch to an online ticketing for everything that they did. And the system failed. So they’ve got 30,000 people trying to do everything from kids games, to beer tent to other things, and they couldn’t operate. So that’s what that’s why I was asking about business continuity. Is that Is that what we’re talking about? Because that made a huge difference to them. And they immediately switched from the coat hangers and duct tape to something that has a recovery plan.
Daryl Moll 07:10
Yeah, I mean, so that’s, I mean, that is one of that, you know, that is one event, but that may be the one big event that drives, you know, their, their whole, you know, year or, you know, different things like that you mentioned, it was a nonprofit. So, I mean, that could be, you know, the vast majority of their whole year, I mean, it could be, you know, a company that has, you know, seasonal sales for, you know, a holiday season coming up, you know, whatever that may be, or different things like that. Or it could be, you know, a company that is tried and true. And you know, does this, you know, X amount of dollars every week in business. And, you know, it’s different for every business, and it’s different for every company, you know, what what that business continuity plan is going to look like and what it’s what it’s going to entail. But you need to have that conversation, and you need to vet out what that conversation is. And that needs to happen on a regular basis. So that if there’s any changes that, you know, that comes through,
Eric Robertson 07:59
Exactly, I think that’s a big point is, a lot of the times people aren’t having those conversations and understanding exactly what systems and data they’re trying to protect. And I’ll throw out an acronym because I love acronyms: RPO, the recovery point objective, is trying to help identify if there is an incident, what are we trying to get back to? What are we willing to lose? Is it 30 seconds of data, is it a whole day? Understanding what you’re willing to lose is a big part of it, because you need to understand also what you have. If you don’t know what you have, you can’t understand what you’re willing to lose. And then it’s finding that balance between what you’re willing to lose and how much you’re willing to spend to make sure you don’t lose more than that amount. And it’s a big, hard concept for people to get their heads around. But if you start at the basics, figure out what you have, figure out the type of data you have, you’re gonna have to understand that type of data. Is it more sensitive than others? And you have to put protections around that, depending on the level of, you know, the level of the data is, or the systems that you’re looking at.
Amy McKie 09:05
Well, Eric, I know that there’s also a dollar amount that goes with that, you know, how much data are you willing to lose? But then how much? How much money? You know, is that going to cost you with that loss of data? Are those down systems or anything like that?
Eric Robertson 09:18
And that’s a big part where the buy in I know, I know, it’s like common term when you but the buy in from the senior leadership level, and understanding exactly what business risks are. This goes back to what Daryl was saying. If you have those regular cadence of conversations of knowing exactly, hey, here’s the systems we have. But if this was to go down, you know, we’re not gonna be able to send emails or if this was to go down, we can’t put in new orders. You know, what is that period of time that you can operate without that or can you even operate without that and understanding what it’s going to take to bring those back up in a reasonable amount of time without spending an infinite amount of money?
Carolyn Norton 09:56
Let’s let’s take a step back and drill into a little bit more I do Identifying these risks, we’ve been talking about the technical aspect, but what are we? What what do we look out for? What do we plan for when, let’s say the power go out goes out in a building, the internet is out, there is weather to contend with, employees are getting sick, you know, aka, you know, all the fun illnesses that are going on today, all these variables that are happening, you know, how can organizations use that information to also outline what those risks are going to look like? And how that would impact their organization and prepare for those elements as well. Right? Because there’s still that human, there’s still that human element with the with, with business in general. And then, of course, the offices, the other operational needs that an organization needs to run, how do we look out for those aspects and make sure that organizations are taking those into consideration, because that’s been happening a lot lately.
Daryl Moll 11:01
I mean, taking a step back and looking at I think, again, from a generic standpoint, you need to ask the questions, and you need to do it with regular frequency, you know, I go back to even the best laid plans, you know, can get kinks thrown into them. The first company that I ever had a full-time IT job for, as a sysadmin, you know, we had, we came from, we transitioned from a mainframe AS/400 and a mini computer system to a client server. And we still had the battery backup systems that were meant to run the large ones, and it would run the client server environment, for an estimated four and a half days when the power went out. That was all great when the huge blackout happened to the whole east coast. Back in the late 90s. The only problem was, was somebody had the brilliant idea to plug in the microwave into one of the battery backup powered things so that they can make their microwave lunch during lunch. And we went from four and a half days, down to about one and a half days in the span of one frozen dinner.
Carolyn Norton 12:04
So food was also important. I see.
Daryl Moll 12:07
Yeah, I mean, so I mean it, you know, you have to have plans. And you know, not that anybody’s gonna sit there and have that conversation in the middle, what happens when someone gets hungry and wants to make a microwave dinner, you know, but you know, you need to, it needs to evolve, it needs to go through these planning processes and go through these things. And you need to ask the questions, because, you know, there are different things and every business is going to be different, you know, can you know, are some companies affected when the power goes out? Many of them yes, some of them them? No. Is it a regional outage? Is it a local outage? You know, Can you can you push people out? These are all questions that you have to ask and and plan for and have these conversations to have a plan for what your staff does, when the power does go out. If there’s a you know, if there’s a fire in the building, obviously, the immediate need is, you know, hey, we need to get everybody out safely so that everybody’s safe, then this, then it quickly transitions to Okay, everybody’s safe. Now, what do I need to do to make sure that I can continue shipping product or doing whatever I need to do as quickly as possible so that I don’t lose revenue.
Rich Fowler 13:04
So in my hearing, you say, prioritization,
Daryl Moll 13:06
there’s absolutely prioritization, because, you know, it goes through and these are all conversations that, again, in that planning phase, in the planning conversations need to happen. What’s most important, obviously, everybody getting out safe or staying safe? What second, keeping my business on track and operating with as much too close to normal as possible. And then inside of that, you know, that’s where you have to start defining what is close to normal, what are my core business things that I need to do? You know, that those are the questions that need to be answered.
Rich Fowler 13:36
And does that change? I’m going to assume it does. But does that change industry industry?
Daryl Moll 13:41
That changes Yeah, within from, from business to business, from industry to industry, it’s all different conversations that need to happen. I’ve worked with companies that, you know, hey, I don’t, I need to get these orders, and I need to accept the orders and place them I can deal with a 24 hour lag of shipping something out. Because I just need to accept the order and tell the people hey, this is when it’s going to ship out, I can tell them, it’s going to ship out two days from now, and that’s fine. But I need to be able to get that information to them. And I’ve also dealt with people that are like, I don’t care, I need these, you know, we can take these orders on paper, I can write them on post it notes, I need to get this product out the door, and I can backfill my my IT systems, you know, after the fact but this product needs to get out the door. I’ve dealt with, you know, both, you know, both sides of that equation where, you know, it matters more on the order taking and on the on the input side, and then the shipping can happen, you know, 24 or 48 hours later, and that’s not a big deal. Or vice versa. I can write the order on a post it note I need to get that post it note out to the warehouse so that that order that order gets out today and it needs to happen.
Rich Fowler 14:42
But if we’re talking healthcare, hospitals, nursing that’s that’s critical that that note can’t wait three days if somebody’s going to get medicine now. So that kind of backup has to happen immediately.
Daryl Moll 14:54
Yeah, and again, different different industry different different requirements. It’s all it’s all important. Have conversations
Carolyn Norton 15:01
that those parameters can help dictate how to best prepare and have an action plan so that if something happens, those industries have whatever it is that they need to get back on track, especially outlining timetables and turnaround.
Rich Fowler 15:15
How do we have those uncomfortable conversations? Because if I use the, if I use the example of the festival, and they tried to have some of those conversations early, and the volunteer IT guy that was taking care of their coat hangers, and duct tape said, Yeah, I got it covered. And that was the extent of the conversation and to their end, you know, they could not take orders at their only money making event of the year. So that was a problem. How do we have those conversations, any suggestions?
Eric Robertson 15:43
What you bring up there is kind of like a vendor. So it makes me think of vendor due diligence forms, something that’s become more and more prevalent. Because, you know, now we have attacks coming from your vendors. And you know, just because you might be doing something right doesn’t mean that they’re doing something right, or their level of right isn’t the same level as yours. So you want to make sure that they’re doing everything in their power to protect themselves. And having one of those questionnaires which, you know, now there’s a lot of different, hey, here’s the standard, I want to make sure they’re doing X, Y and Z every time and having them answer those questions in a clear and concise way, can help put your mind at ease and maybe help with not knowing which questions to ask, because now you know, this is a third party that you’re reaching out to for help. And you’ve now been identified, like, here’s what I want to make sure they’re being able to do.
Rich Fowler 16:34
And does that cover us from a service provider that, hey, we tried to have this conversation, and we got you to fill out this and you didn’t take a recommendation? Or is there liability involved there?
Eric Robertson 16:42
Well, I think the liability is whoever is, you know, you have to still do your due diligence and make sure that what they’re saying is accurate, as best as you can ask for references or, you know, make sure what they’re telling you is true. Somebody could write anything on a piece of paper, and it’s still going to come back to bite you in the butt if it’s not done, right.
Amy McKie 17:04
And Eric is getting a copy of the company’s security policy, or like you said, filling up the vendor form, but it’s also I go back to it, ask them how much they want to lose, you know, how much business how much will it cost them? How much are they willing to absorb? Within a disaster? Money drives all it really does that mean? Okay? Are you know, if we start putting when we’re talking with clients, start putting stuff down going, Okay, do you realize it’s actually going to cost you, you know, $15 million a day, or $5 million a day or $100,000 a day, when you go down, you can’t ship out orders? Your trucks are at a standstill, you know, all of these different factors go into it that I think companies don’t think about, they think about, oh, people just can’t email out for a couple of hours? Or what does it cost you when your clients can, you know, call you and there’s a customer support issue, and they get pissed off, and they just pick up the phone and call another company? So I think there’s, it’s all those
Carolyn Norton 18:04
things. And that’s a good point. Amy, those kinds of questions are the kind of questions that should prompt where they prioritize their efforts, right. So where can they hone in on their investments? Rich, you were asking about different industries and what they require to be back online and asking those questions how much of a downtime they can they’re going to experience? And how much are they willing to wait or lose should help determine you know, where they need to focus their their planning efforts on so that they have those safety nets in place? Should something happened. But what happens when you’re also dealing with other factors? World factors, we talked about vendors, other resources that are outside of your organization, how does that factor into determining where they need to invest where an organization needs to put their time into planning and preparing for something that could occur?
Rich Fowler 19:02
So are you referring to something like the the everybody’s now working from home and their kids, their kids are playing on their iPhone? Oh, this this actually happened? Yeah, they’re, their kids are playing on their iPhone and something popped up and the kid clicked on the iPhone, and then things went sideways, things like that. Is that your reference?
Carolyn Norton 19:21
Yeah, I have a kid. I know, my laptop went sideways today, for whatever reason, and I need to work. Let me go grab my kids tablet, and do some work on it. Is that okay? Is that going to be an issue for an organization? I’m sure it is going to be okay.
Eric Robertson 19:38
So well, that’s where policies are important and protect and actually, you know, abiding by those policies. So bring your own device is a big one, you know, COVID really made working from anywhere a very important thing and how do you give that convenience while also protecting the stuff so, making sure you have a BYOD policy? You know, allowing certain systems to be accessed from anywhere, or certain data to be downloaded to certain devices is important. So again, it goes back to that planning stage, which a lot of people don’t take, or a lot of organizations don’t take the time to do. It’s understanding what systems are those business critical, or which ones can I have, you know, data pulled from, you know, what types of data do I want to be allowed to be synced to one of these personal devices that if they got lost, it would be okay. But, you know, hey, this is IP, and, you know, I don’t want this to be pulled on to my daughter’s iPad, who’s going in downloading Roblox and going into bad places, or whatever they’re doing on their devices, and it’s just having those policies and protections in place.
Daryl Moll 20:43
And I think, I think a big thing, too, you know, we’ve talked about the financial impact and different things like that. But I think the big thing, you know, that people need to understand or businesses and leaders need to understand is, you know, it’s, it goes back to an insurance policy, you know, you really need to look at how much again, ask the question, How much money are you willing to lose, and that’s not just, you know, some of that is immediate, Hey, I can’t, you know, I’m not getting emails, so I’m not getting this order. And I, you know, lost this client, you know, or not, you know, not just getting that order. But, you know, there’s, there’s the company’s brand, and there’s the company’s name that’s associated with that reputation. All of that stuff is, you know, if you don’t, you know, you may lose, you know, a million dollars in orders, if you’re down for two days from not doing that, that’s a million dollars in two days. But what portion of that million dollars that is was going to come back the next week, the week after the week after the week after went somewhere else because of what happened to you during this disaster, because you didn’t properly plan. And it’s an insurance policy to protect that it’s an insurance policy, you know, to properly planning and coming up with these decisions and making these decisions and how to protect yourself against this, you know, these situations are what’s protecting your brand. So you’re not only protecting yourself from the short term, monetary loss, but also the long term monetary loss of your of your brand and your name being
Amy McKie 22:05
tarnished.
Rich Fowler 22:07
That was going to be my question. And point is what, what is the long term to your brand, especially if you’re an IT consultancy? Or if you’re a computer based business, and you’re the one that gets compromised? And has the issues? Do you go out of business? Do you need to change your name, you know, this more than just the $2 you lose today, but your customer confidence, which can’t be measured in dollars, your customer confidence goes away. And now that affects not only today, but everything you do going forward?
Eric Robertson 22:40
I think we really saw that with the SolarWinds attack. So SolarWinds, you know, we all know about that big compromise at this point, you know, they took a segment of their products that they didn’t want to have SolarWinds connected to and rebranded. So now they’re N-able, which is just an interesting way of kind of skirting the thing and saying, hey, you know, we’re going to distance ourselves from, you know, the name SolarWinds and go by a different name, just so that people don’t make it synonymous between the two.
Amy McKie 23:10
You have within there’s companies that I’m just asking a question here, there’s companies like, you know, big box, you know, stores that have been hit that, that they really act like they don’t care, then, you know, they’ve got the loyal followers, you know, how does that impact them? Or did it?
Eric Robertson 23:28
I think the, I think when we look at the ones that have responded to incidents the best, it’s the ones that have gotten ahead of the communication, and then let somebody else report on it, they’ve, they’ve kept the trust by being the ones to like, raise their hand and say, Hey, we messed up, this is what happened, here’s what we’re going to do to fix it. And we have this whole plan of attack that we’re going to do to make sure that doesn’t happen again.
Carolyn Norton 23:52
That’s an absolute big piece. And that also is a factor in planning for, I think, Rich, you mentioned it earlier, it’s not a matter of if, it’s a matter of when, and Daryl, you also said you know, you can plan and plan and plan but things can go awry. Having that, okay, if it happens, here’s what we’re going to do as an organization, both from a recoverability aspect, but how do we handle it if it has gone beyond us and affected our relationships outside of the organization? How do we make sure that we communicate what has happened and what we’re doing going forward to mitigate this happening again,
Daryl Moll 24:31
communication plan is, is again, one of those things that you need to have talked about and need to plan for. And it’s an honest communication plan, hey, this happened. Here’s what here’s how it happened. Here’s how we stopped it. And here’s what we’re doing to prevent it from happening in the future. And if you do that, and you and you’re, like Eric mentioned forthright about it, and you’re the one getting the communication out there. You know, everybody understands that, you know, stuffs gonna happen these days because there’s so many people trying to make stuff happen. So you know, it But be honest about it, and how are we going to overcome it? And what are your plans to do it? And you know, I think that minimizes the, you know, the splatter effect and how the negative effects that, you know, it can have on your business and your reputation.
Amy McKie 25:13
So you’re saying not if, but when it’s always
Daryl Moll 25:16
if not, always, when not, if sorry,
Carolyn Norton 25:21
these things evolve and change, and constantly adjust, there’s always a new way that they’re gonna try to get at you. Or like we mentioned before, there’s always Mother Nature, there’s always day to day issues, you know, anything is possible. So you just have to prepare yourself as best you can and hope for the best.
Rich Fowler 25:41
And there’s always that employee that wants to use the microwave, that’s, that’s we’ll use that going forward. But that does. Burrito, everybody needs to eat and was probably popcorn, you know, through they made the made the place smell bad in the process. But that does illustrate the point of as, as things change, and the ability to be flexible, it was Mike Tyson that said everybody’s got a plan to get punched in the face, that probably counts as being punched in the face. Is your does your plan stand up to the first the first re attack?
Carolyn Norton 26:14
That’s true, if you get hit for whatever reason, once all of that is gone away and settled up, you know, revisiting that plan. But I think ultimately planning is and being prepared is a couple of cycles, right? You, we talked about identifying where there is the most risk, what is most important to the organization? What are the external factors? What’s the human element, the operational elements? And how do you plan for that? And ideally, iterate off of that, keep improving, keep revisiting because no organization stands still, right, they don’t stay the way they are, when you’re done planning. They’re constantly evolving and changing. So circling back, and just revisiting what you had on paper or your plan. And just making sure that it makes sense at its current state. And I think, Eric, you mentioned at least once a year, is that right, revisiting that plan? Or is it Oh, yeah, at
Eric Robertson 27:14
least, at least annual training. And it reminds me of one of my favorite quotes that I read once: security is a thought process rather than an end goal you can attain. You know, acknowledging that there is no castle where you can lock away your data and keep it safe, you know, just makes you rethink your production environment, your risk assessment. And it’s really powerful to realize that because it puts you on a path to explore why things aren’t as secure as they should be? And how do you make them more secure?
Amy McKie 27:44
So Eric, what can we tell clients? That would just be a couple of quick things? I mean, I know nothing’s quick, as far as security, but just to you know, what are some beginning if somebody has doesn’t even have a security policy in place? You know, what are the quick couple of quick things they could do?
Eric Robertson 27:59
You know, the big buzz phrase right now is zero trust. And I think if people start to read more about it, and think about zero trust as their approach, because it kind of reinforces that idea that there’s no safe haven, they understand that there’s, you know, you can’t just put it away somewhere special, and it’ll be saved forever. And it’s to just always look at all the different signals. So usually, it you know, I think we talked about it multiple times, Daryl brought it up, Rich, Amy, you’ve even mentioned, it’s about sitting down, and even identifying what you have, because you don’t know what you need to protect until you figure out what you have. And then once you figure out what you have, it’s figuring out, okay, what level of protection do I need on each of these? And what level of risk is acceptable? Because it always comes back to money. So how much am I willing to spend to protect these items? In order for my business to continue to run?
Amy McKie 28:52
I was curious. I mean, it was we’re, you know, as we do these interviews with clients, you know,
Eric Robertson 28:58
Yeah, I think it’s really starting with understanding their landscape. You know, I think everybody’s sort of, you know, MFA at this point. Identity is usually that first gateway, and protecting the identity is probably the most important, because everything is driven by identity. So getting rid of old accounts that aren’t used, turning MFA on all accounts, blocking legacy authentication. You know, one way that we tell a lot of customers to block is: if you don’t have somebody in a certain country, don’t allow connections from that country. Yes, they can get on VPN, but just doing that alone, you can eliminate a lot of bad signals and actors just from saying, hey, I have nobody in these countries, I don’t need to allow, you know, connections from those places. And that’s a big way to cut down fast.
Amy McKie 29:48
Yeah, on those issues. And then I would say, you know, looking at disaster recovery as well, DR as well. I mean, if they’ve got servers on site, and they are indeed on the East Coast or, you know, like me down here in Florida, we have a couple of, you know, hurricanes that come through, even preparing for those.
Eric Robertson 30:06
That’s why SaaS is so popular now: take away the requirement of having to do a lot of the, you know, high availability from your internal team and pass that to the vendor. So, you know, it’s one less thing that you have to be worried about, and let the vendor take care of that for you. So that’s why SaaS is so popular, because it decreases that cost while, you know, giving you that high availability experience.
Daryl Moll 30:34
So I think, Amy, the biggest answer here is they really need to just start having conversations about what, you know, asking the questions on a regular basis, you know, whether it’s, you know, from a technical standpoint, whether it’s from a business operational standpoint, whether it’s from a, you know, an HR person standpoint. They just need to start having these conversations. If they haven’t had the conversations ever before, or it’s been a long time, maybe having quarterly ones until they go annual on a recurring basis is better. But, you know, until they have that on a regular frequency basis, and they’ve had these conversations, because the more you have the conversation, the more it’s going to evolve. And the more you’re going to, you know, step outside the boundaries of what your previous conversation was, and come up with a more well rounded, you know, solution to this problem. Identify those business risks,
Amy McKie 31:23
correct? Yeah. And I think I think we’re having more and more of those conversations, you know, especially today, you know, in the last year, a couple of years than we were, you know, five years ago?
Daryl Moll 31:35
Well, I mean, yeah, I think of all the companies that never would have imagined: I am never going to let my employees work from home, no, they come into this office, they do everything in this office, that’s why I bought this place. And now all of a sudden, the government is telling him, you’re not allowed to have your people in there, and you need to keep doing business. You know, like, that would have never crossed a lot of people’s minds along, you know, 5, 10 years ago. So, you know, people are starting to have these conversations, because they’re realizing, hey, you know what, you know, I kind of did have my head in the sand a little bit, and I need to really start planning for this, if I want to make sure that my organization and my company keeps moving forward and stays around.
Eric Robertson 32:13
And having a plan is the big part. If you don’t have a plan, you’ve got to start from scratch each time, which is not fun. You’d rather have a plan that you can adapt to, rather than have no plan that you have to try to build on the fly. So having some sort of action plan with communication is just key.
Carolyn Norton 32:33
We talked about getting leadership to work on plans and look at aspects for the organization, but what about the actual employees themselves? How do we get them involved in the planning process? I get a feeling that they also have some nuggets of truth and information that can help inform protecting and planning for an event or in a disaster scenario.
Daryl Moll 32:58
Yeah, I mean, that’s a great point, Carolyn, because, you know, a lot of times, you know, hey, the, you know, the higher up you get in the chain, and different things like that, they’re gonna have different meanings to, hey, my business needs to do this to succeed, I need to do this to keep it, you know, to stay around and stuff like that. But they don’t really know what the daily activities are that need to occur to make those numbers happen on a balance sheet or something along those lines. And, you know, a part of that planning process should be, you know, hey, we have these people, you know, at the high level that say, hey, I need to have this, that and the other thing happen to go forward to make my business succeed. And then you need to check in with the people that are doing the daily work and say, okay, if I want to say this needs to happen, you know, I need to make sure that, you know, this criteria gets met, what activities need to happen on a daily basis to make sure that that happens. And that, you know, you’re interviewing those people that do the daily work and that are responsible for that information, to be able to know what needs to be done. And
Carolyn Norton 33:57
I have to imagine what the boots on the ground folks, they may perceive threats that maybe leadership is not aware of, or not necessarily thinking about, right? There might be things that they’re exposed to that, whether it’s small, medium, or large, or there are threat perspectives that they can bring to the table that help close the gap on what the exposure is.
Daryl Moll 34:20
Absolutely, I mean, it’s rounding out that conversation to, you know, hey, you know, somebody can bring up and say, hey, you know what, I, you know, there’s a big threat if, you know, your local fast food place stops selling, you know, double hamburgers, you know, and that has a huge and you need to take that into account and say, hey, that’s not really an issue. But they could come to the table and say, hey, you know what, there’s a big threat because, you know, this situation is happening and it affects 80% of our, you know, office staff or 80% of our warehouse staff. They can bring different things to the table and it’s all a matter of bringing it all in, and then we can have a conversation and say, you know, this matters, this doesn’t matter, and I never thought about this. It really has that effect on, you know, having all that information being presented, and then you can read through it and decide what’s good and what’s bad.
Eric Robertson 35:11
And I think an employee’s engagement level will have them speak up more. The more they’re engaged and more sold into the company, the more they’re willing to raise their hand, make improvements, make suggestions. You know, if somebody makes a mistake, they’re more willing to, you know, let it be known if they’re not scared that, hey, this mistake is going to come back to bite me. Because a little mistake, it turned into something big, and reiterating that importance of: mistakes happen, but we’re here to help and, you know, you’re not in trouble, just keep us in the know.
Carolyn Norton 35:44
I think it’ll give them even more of a, if they feel like their feedback and insights are valued and taken into consideration, you know, they’ll do some of the work for the organization, bringing up ideas, opportunities, suggestions, threats, and they feel like they have a part in the overall goals of the organization. I know, if I were, when I get asked these things, it makes me feel like I’m contributing. And I want to provide even more to help an organization, whatever tactic that they’re looking to take care of. So this is great, this is wonderful to understand, you know, why it’s important for organizations to take a step back, look at how their organization has prepared for a possible disaster, and look at areas of opportunity to hone in on priority, what those factors are, that is going to affect their business, whether it’s small, medium, or large. There’s always something that can pose a threat to an organization. And that gives them the insights and the information that they need to start planning and preparing for a possible disaster.
Daryl Moll 36:57
Yeah, I mean, Carolyn, in closing, I think the key point here is to make sure that you’re having regular conversations and planning for all the different iterations of what can happen. And as you have the regular conversations, just make sure you’re not having the same topics every time and make sure you’re trying to expand out, whether that be bringing in different people from different business units, or different places of roles in the organization, or whether or not you’re having a different conversation and say, okay, this time, we’re going to talk about what do our vendors look like. Next time, we’re going to talk about what do our customers look like. The next time we’re going to talk about what do our physical operations plans look like, and making sure that you’re having these iterations that you’re walking through and having discussions on all the different facets of your organization. That regular conversation and that regular frequency is what’s key to, you know, developing a well rounded, you know, plan for what’s going to happen and what you need to do to make sure that things, you know, don’t go bump in the night.
Rich Fowler 37:57
And I would totally agree with Daryl: having the conversations is probably the most important. And the second most important would be having, again, have that conversation again, and again, and again, until you pick out and you find the things that are going to break. And nobody punches you once; unless they knock you out, they’re going to punch you again. So find the holes, plug the holes and look for the next hole. That would be my closing thought, Amy.
Amy McKie 38:23
Yeah. And it’s of what you guys said minutes really again, what are clients willing to risk? Whether it’s money, how much are they going to, you know, willing to lose, you know, impact on clients, impact on employees. You know, if you’re willing to say, okay, look, our business can be down for, you know, a week or two days or whatever, what’s the impact on the employees? Are you gonna work on, you know, 24 hours a day in order to make that up? So it’s really, you know, impact on money, impact on clients, impact on employees, and really taking all those items into consideration.
Eric Robertson 39:02
Totally, Amy, and I think if we take everything that everybody said, and we combined it all together, writing it down. So having those policies, as much as people don’t like to create policies, it’s not fun. They’re needed. It gives you guidelines, having guides in what to do in case of a disaster, so that you’re not trying to write the book from scratch when something happens. It’s important, you need to just take the time, create the policies, create the guidelines that you need. And that plans, if you don’t have a plan, you’re just gonna flounder when you do eventually get hit.
Carolyn Norton 39:39
Assessing the disaster scenario and carefully executing your plans could be the difference between surviving a big disaster or getting wiped out by one. So what happens if you’re one of the lucky ones that survives an encounter with a big disaster? Join us on our next episode. When the dust clears, getting your organization back on track after a big disaster.