Disaster Recovery And Contingency Planning… Again
It has been quite some time since I wrote about disaster recovery in Retail. September 2017, to be exact, while I was still living “off the grid” after Hurricane Irma blew through town.
It all came back into my head again this morning, after I received a very interesting email from a company named SecurityHQ. I really do have to confess that I am out of date on the latest in security operations (hopefully a briefing or two will help with that) and terms like XDR, MDR and EDR are just at the edge of my understanding, but there were some very clear truths in this email, ones that we likely should all ponder. Consider this:
A lot of organisations [SIC] do not have a dedicated security team. At most, they might have one or two dedicated individuals. For the majority, IT still runs the show, but these IT teams still don’t understand security. Which means they need to be told what to do. Very few organisations can afford to have two separate teams. A business must be at a certain scale to afford an IT team and a Security team simultaneously.
Most organisations, around 60% in fact, still don’t have a Security Operations Centre (SOC). And even those that claim to have a SOC are not fully functioning, as about 25% only operate during business hours. On top of that, an even smaller percentage are monitored by individuals 24/7, to handle alerts that are coming in. Automation 24/7 is no good if a real-life human cannot respond to the alerts accurately, and in rapid time.
This email was dear to my heart as it attacked the buzzword (acronym) bingo I listed above and one more, which is apparently now out of date in buzzword bingo-land, EPP or Endpoint Protection.
Dear to my heart or not, we have issues. Our stores are vulnerable, our headquarters are vulnerable, our distribution centers are vulnerable, and our remote employees are vulnerable. As the weakest link, remote home offices seem like they are the most likely point of entry. In fact, when you really think about it, at this point, everything is an end point in retail. There are just so many that it’s now a completely irrelevant term (full disclosure, I never liked it as a term, anyway). Assume that you are, regardless of your size, vulnerable.
All this begs a lot of questions: When was the last time you looked at your business recovery plan? How badly out of date is it? In my 2017 piece, I asked “Where are people going to work?” The answer has become clear: at home if their home still has power and/or hasn’t burned down (as I write this, partner Brian Kilcourse is keeping a close eye on a wildfire burning near his home in Grass Valley, CA).
Other questions that you really ought to ask yourselves:
- Do we still need a hot site and cold site, or is our “stuff” all up in the Cloud?
- How solid is your end point security? The term EPP may be out of date, but the need has only grown more stark
- Do we have a clear location analytics platform that lets us know precisely which facilities, stores and workers are at risk? And do we have alternatives?
- Do we have enough insurance in the event an entire full distribution center burns down? Inventory visibility being what it is (poor), can we justify to insurance companies what the cost and retail value of inventory in destroyed facilities really are?
- What is our business resumption plan? Do we just assume everyone will keep on going, while we “fix” the broken bits? What if all the bits are broken (pun intended)?
This is the bread and butter stuff that is often boring and drops to the bottom of corporate priority lists, when we’re rushing to figure out how to get product into our shoppers’ hands, figure out processes for new consumer wants like BOPIS, BOPAC and BORIS. Unfortunately, it can’t.
Back in the day, we established our priorities within one overarching umbrella. Priority #1 was always a legal issue. Priority #2 were business critical processes or bugs. Disaster recovery and security are part of priority #1.
What are you doing to support true business continuity and contingency planning? I’ve got the bug in my head now. Brian was even thinking this might be worth a benchmark. But first, ask yourself this: since the world changed, did your policies and procedures for business resumption change too? Or is it on a back burner.
Inquiring minds want to know, and the former CIO wants to issue the warning. Gotta do something, guys. What are you doing?