Member Article

How to optimise your emergency IT strategy

Malcolm Tuck, Managing Director at Kaspersky Lab UK & Ireland, here gives his advice on how to optimise your emergency IT strategy

Does your company have a Plan B for its IT systems? How will you react to a successful hacker attack, stolen mobile devices, or a fire in your data centre? These questions can send most companies into a tailspin, yet in a global survey carried out by Kaspersky Lab, 60 percent of companies admitted that they either did not have an emergency strategy, or that theirs was incomplete. So what do companies need to do to address this?

Reactive IT security is a bad idea. If you have corporate information stolen, or an employee loses their smartphone containing important information, you consider your response and any damage limitation options only after the fact. Good security is preventative. It is, therefore, essential to have an emergency plan in place to cover such eventualities. Key steps to consider when creating this include:

Defining Your Requirements

Companies which don’t yet have an emergency strategy must first define their requirements. What needs to be protected and, more importantly, against what? Companies with mobile employees who carry sensitive information on their laptops, for example, must have a plan in place in case those laptops are lost or stolen. Similarly, although companies with all their data centres located in the UK are not particularly at risk for natural disasters like earthquakes, their strategies should cover flood and fire.

Businesses should therefore, start by making a list of all your IT assets, such as ERP and email systems. This includes assessing the importance for the operation of your company and then creating a list of threats. The best way to do this is to formulate specific scenarios. Say, for example, that a power cut disables your mail server. It’s important to consider all the aspects of this—including the length of time you can function without each system. In other words, how long can your mail server be down, or your ERP system unavailable? For example, for some companies it makes no difference if they can’t upload new website content for a day because their content management system is down.

For an online news site, on the other hand, this is a major problem.

Find Solutions

Once you’ve listed all your assets, identified the threats and formulated scenarios, it’s time to get down to the nitty-gritty and develop some solutions. Consider potential recovery measures, like using an uninterruptible power supply as a short-term solution during a power cut. These solutions should then be turned into a step-by-step concept. In detailing the processes, it’s also important to define roles for the people involved and determine how employees will be notified of an emergency.

Test the Scenarios

Any emergency plan should be tested regularly to see how well it will function in a genuine emergency. Don’t put too much pressure on yourself—no plan is perfect from the outset. Those responsible for the strategy will need to constantly revise it. Don’t be afraid to do this. No emergency plan is valid indefinitely. Instead, it must be regularly reviewed. How often this must be done is difficult to say: experts recommend looking over your emergency strategy once a quarter, but in practice annual or semi-annual reviews are the norm. Tip: If your IT strategy doesn’t change much, your emergency plan will not need revising as often.

This was posted in Bdaily's Members' News section by Kaspersky Lab .