Protecting your technology: It’s more than meets the “I.T.”
If you focus on the headlines these days, it may seem that the world over, threats are becoming more frequent and severe. You might even believe Mother Nature and nefarious individuals are beginning to conspire against us, bringing data theft and record breaking storms to our doorstep on a seemingly weekly basis. But of course, we cannot approach life, and business for that matter, constantly looking over our shoulder.
However, data does show that weather-related events are causing more damage and loss over the past decade, and the trend isn’t slowing (1). Add to that, questions regarding the security of data long-term, and ongoing changes resulting from migration to cloud applications and storage.
These trends and concerns are pointed out not to scare you, but instead to reinforce the need for more than an annual cursory glance at your disaster recovery and business continuity strategy. The NCUA’s view of the threat disasters and business interruptions pose to credit unions is clear, as seen in the Letter to Credit Unions (Letter # 01-CU-21): “As primary financial institutions for millions of members, credit unions must ensure they can rapidly provide a minimally acceptable level of critical member services during a disaster” (2). The letter continues with the argument that, “Credit union’s contingency plans should consider a worst-case scenario. To be effective, the plans should assume that the credit union could not continue operating at its physical location, due to a natural disaster or some other unforeseen event, for an extended period” (2).
Fortunately, we live in an age where data replication, data security and cloud-based recovery tools are common and ubiquitous, especially in this industry that relies heavily on connectivity, documentation and data. However, the NCUA has recognized a deficiency, through both informal surveys and direct reports from recent regional disaster events, in which many Credit Unions are not sufficiently preparing for physical recovery of their offices, beyond the simple backup of data or dependence on shared branching. Therein lies the problem.
While data recovery is an essential step in a comprehensive disaster plan, it is a useless endeavor if data and applications housed offsite or in the cloud become inaccessible due to lack of connectivity, power and suitable workplace conditions. Under federal law, employees are entitled to a safe workplace, free of known health and safety hazards. While many credit unions might turn to a “work-from-home” strategy for some employees and shared branching for member-facing functions, how can member data integrity be guaranteed in that scenario, and what level of employee productivity and efficiency could you expect in long term situation at home?
Agility Recovery, a CUNA Strategic Services Preferred Provider, offers some important advice and expertise in this area, having assisted thousands of clients in recovering after disasters of all types for over 25 years. The lessons learned through these events, both large and small, always point to several key elements of a recovery: Communications Access, Office Space, Power and Computer Systems.
These four elements are the foundation of a safe, productive work environment, and are necessary for continuing operations of critical business functions at a credit union. As mentioned above, having access to backup data recovery is an excellent and critical step, but these other elements must be accessible in order to achieve that step in the first place!
Do you know where you would relocate your personnel and office operations should your primary branch location(s) become uninhabitable? And consider a scenario involving loss of power to your building for an extended period of time. What type and size generator would you need to restore power, and how would you connect it, maintain and refuel it regularly? What if your Internet and phone connectivity were down? Do you have the means to quickly restore these essential lines of communication to the extent that you can reconnect with your core processor and handle inbound and outbound telephone calls? These are important elements that can be discussed and planned for in advance, and implemented in a variety of scenarios. But, before those plans can be permanently put into place, you’ll need to test the effectiveness and ease of use. Facilitating test exercises for restoring communications connectivity is often one if the first tests conducted by organizations, and also generally exposes a number of falsehoods and incorrect assumptions along the way. However, a recovery test is usually conducted in “blue sky” scenarios, meaning there are few complications and hurdles to overcome that generally accompany a disaster situation. Therefore, during any test scenario you’ll want to account for the realities faced during a disaster: reduced staff, high absenteeism, lost contact information, limited connectivity and power, inconsistent information, and more.
Finally, when thinking of the health and welfare of your employees and members, providing replacement office space should be a top priority. The likelihood of a total loss of your branches may be remote, but there are a multitude of threats that could result in just that. You must have a plan in place to relocate personnel to a site that can accommodate your staff, equipment and members’ needs. Bear in mind that moving to another city, or even simply across your own town, could present massive complications to employees with families, children and pets. Additionally, if a regional event were to cause widespread damage to your area, families may be unwilling or unable to leave their homes due to repairs and reconstruction. It is best to consider local options, or mobile recovery options, where temporary branch office space can be brought in from outside the area.
Agility Recovery has developed a number of free educational resources for credit unions. The tools listed below will help you address many of the questions above, and assist you in developing well rounded recovery strategies. As the NCUA has pointed out, developing and testing these plans for a physical workplace recovery will help ensure your credit union isn’t in jeopardy of failing to diligently and competently serve your members’ interests, and maintain the security of their assets. It’s not just about data, and certainly isn’t limited to IT functions. It’s about protecting the day-to-day responsibility of serving your members in a safe environment, away from the chaos of disaster zones.
- Preparedness Evaluation Form: http://agil.me/assessprep
- Assessing the Risk to Your Organization: http://agil.me/assesstherisk
- The Complete Guide to Disaster Recovery Planning: http://agil.me/1B3qANs
- 8 Tips for Putting Your Disaster Plan in Action: http://agil.me/1TnmVAr
- A Crisis Communications Checklist: http://agil.me/1ALgL79