Business Continuity: Keeping Your Operation Running, No Matter What

What. Would. You. Do. If. It. All. Stopped?

Cybersecurity isn’t all about hackers.

It’s the buzzword, the catchy thing to talk about. It’s how the media likes to get their hooks in you. After all, mysterious cybercriminals in black hoodies furiously typing code into computers with six monitors is a far more interesting narrative than something as mundane as a power outage.

Protecting businesses against cybercrime is absolutely a core function of a Managed Services Provider (MSP) like us. But it’s not the whole picture.

When I say the words “business continuity,” you might have some idea what I’m talking about. Maybe you don’t, but I’m guessing you can figure it out from context clues.

Continuity. At the end of the day, it’s what cybersecurity is all about. It’s why we get out of bed in the morning, why we come to work here at Reality Bytes. It’s our bread and butter. Making sure your business continues running when something goes wrong.

Because it will go wrong eventually.

Threats to Continuity

It doesn’t take a hacker to bring a business to its knees. Here in Alberta, we don’t need to worry about earthquakes so much, but we do have severe weather, particularly in winter. Blizzards, ice storms, flooding due to wild temperature changes. I don’t know about you, but my front entryway has been seeing some of that. We absolutely get power outages, especially in a small town like Drumheller. If it’s not ice on the power lines, it’s someone driving into a power pole.

And of course, we’ve all encountered updates that break everything.

I use Arch Linux with Hyprland at home (by the way), so I’m definitely no stranger to updates breaking things. Usually, it’s something small and easy to fix: a few edits to my config files and popsicle stand = blown. But you’d better believe one of the first things I did after installing my operating system was set up snapshots, to roll back buggy updates and save my data. Not a business, but continuity nonetheless.

If you follow tech news at all, you’ve probably seen the articles that get posted every time a new Windows update breaks something. I managed a print shop for 10 years, and yes, nearly every update I installed messed with at least one of my printers. The best was when all of my printers just deleted themselves and I had to do a full reinstall of Windows to get them back. That was a super fun and productive way to spend three days when I was juggling several rush print orders all at once. (Please read that with every ounce of sarcasm you can muster.)

Disaster recovery is what we do after something happens, to recover your data and get things back into shipshape. Continuity is making sure your business doesn’t shut down completely while that’s happening.

I didn’t have a plan in place. I didn’t have backups or redundancies. I didn’t even have an IT team (actually, Reality Bytes saved my bacon, funnily enough). So, when something went wrong, all operations came lurching to a halt. We lost time. We lost business. During the reinstall of Windows, we almost lost all our files. Nearly a decade worth of designs, print templates, customer files—everything. All our data. It was a nightmare.

Please, learn from my mistakes.

Making a Game Plan

If you don’t already have a disaster response plan in place, it’s time to make one. In the past few years, we’ve seen the weather getting wilder, ^[1] AI-powered cyberattacks exploding in popularity, ^[2] and after a recent Windows update broke USB support (so, no mouse or keyboard) in recovery mode, ^[3] you definitely need a response plan.

Backups

The first thing to do is make sure you’ve got backups. They are the absolute foundation of business continuity, but they’re meaningless if done wrong.

How do you do it right? Why, with the 3-2-1 backup rule, of course!

• 3 copies of your data
  One copy on your computer (the data you actively use) and two backups.
• 2 different storage media
  Like an external hard drive, a server, or even the cloud.
  
• 1 copy offsite
  Stored away from your business location, such as another office (if you have multiple offices), or even in the cloud.

Without secure backups, there’s almost no way to guarantee your business can stay up and running if something happens to your data. But if you do have backups, a copy can be restored to your local computers right away, so your business can continue like normal (or close to it) while the situation is being dealt with. If a client’s server goes down, we can even spin up a virtual server for them until theirs can be repaired or replaced.

Minimizing downtime is the name of the game.

In a previous blog, we wrote about how solopreneurs or home enthusiasts might set up quick 3-2-1 backups today using built-in Windows tools. It’s not perfect, and should only be a temporary measure for businesses, but it will give you basic backups until you can do better.

Once you’re ready to do better, let’s talk. Ensuring our clients have protected, tested, and reliable backups is something we pride ourselves on at Reality Bytes.

Know Your Role

In a crisis situation, it doesn’t help if everyone is running around like headless chickens. That’s a surefire way to make sure nothing gets done. Part of your disaster recovery plan should be clearly defined roles for each employee.

Who’s calling the shots? Who’s briefing the staff? Who’s running damage control with clients and customers? Who’s working on the fix? And perhaps most important of all, who’s making the coffee?

These are all things that need to be considered and made clear to all staff. It may seem obvious in your head right now, but is it obvious to everyone? Practise if you have to, but make sure everyone knows what they need to do when something goes wrong.

And if you work with an IT partner or Managed Services Provider like us, please fill us in on the plan as well, so we know who to talk to and how best to move things forward. Working smoothly with your team is our specialty, and ensuring clear lines of communication makes you look heller good to your boss. Just saying.

Proactive > Reactive

Having a solid backup and response plan is crucial, but it’s a reactive measure. What does that mean? Well, it means you’re reacting to a situation after it happens.

At Reality Bytes, we believe in taking a more proactive approach. This means that good continuity doesn’t just start and end with backups and response plans. It starts before your backup and response is ever needed.

Of course, I’m talking about cybersecurity.

That’s a whole bag of snakes on its own, too much for this blog, so I’ll narrow it down to just a few key concepts. We have plenty of other blogs about the various aspects of cybersecurity, so I encourage you to check those out to learn more!

Proactive Monitoring

The sooner a threat can be found and neutralized, the better. In the cybersecurity world, this is called the Mean Time to Detect, or MTTD, and it measures how long it takes to find a threat in your systems. A long MTTD means someone could be sitting in your network, collecting all your data and looking at everything you do, sometimes for months. The average is over 200 days. ^[4] Let that sink in. Uncomfy yet? Yeah, me too.

A lot of businesses treat cybersecurity as an expense, rather than an investment. Because of this, they end up with less-than-adequate tools and under-active IT partners. These businesses are more likely to face threats to their continuity, because a cheaper, reactive approach fails to catch problems before they get out of hand.

With a more proactive approach, known as Endpoint Detection and Response (EDR), we constantly watch our clients’ networks, catching and eliminating threats before they amount to anything.

Access Control

Conditional access should be your first line of defence against cybercriminals. If you don’t want to go read the blog I wrote about conditional access (how dare you), here’s the short version.

Unlike traditional multifactor authentication (MFA), which sends a code to grant access to an account, conditional access goes a step further by asking why a user is logging in. More than that, it’s the whole who, what, when, where, why, and how. Anyone else feel like they’re back in grade school? If anything looks suspicious at all, the system will block access.

Following the principle of least privilege is also crucial for securing your systems and data. I touch on this in my blog about conditional access, but the gist is that each employee should only be given the access and permissions they need to do their job. No more. That way, if someone is compromised, it limits the damage an intruder can do.

Zero Trust

I feel like this whole section has just become a plug for my conditional access blog.

Zero Trust is a concept I first learned about in The X-Files, but it’s very much a core principle of good cybersecurity. It means changing the narrative from “default allow” to “default deny.” No one is trusted by default. Every sign in is validated, every request for access scrutinized, every email questioned. Without a Zero Trust mentality, it’s laughably easy for hackers to get in.

Educating yourself and your staff is critical for cultivating good cybersecurity hygiene. Clients with our MSP Standard package get access to an invaluable eTraining platform, which covers everything from how to spot phishing attacks to Microsoft 365 tutorials and beyond. We help integrate this platform into their existing policies and onboarding processes. Learning has never felt so seamless.

Final Thoughts

There’s so much more I could say about business continuity. Trust me, I’m a novelist; I can write forever. But I think I’ve covered some of the most important concepts here.

• Use 3-2-1 backups
• Make a disaster response plan
• Harden your cybersecurity with tools like conditional access and EDR
• Educate your team

Disasters happen, and we can’t always expect the unexpected. The most important thing you can do right now as a business owner is take steps to ensure your operations don’t stop when you hit a speed bump. And if you need help with that, we’re just a quick phone call or email away.

With a free cybersecurity consult, we can assess your systems and prescribe actionable solutions you can build a game plan around.

Don’t let your business be a cautionary tale, like I was. And don’t just survive out there. Thrive.

Let’s change the world together.

Further Reading

1. Record-setting wild weather: Canada’s top 10 weather stories of 2023 - Canada.ca
2. Global businesses face escalating AI risk, as 87% hit by AI cyberattacks - SoSafe
3. Windows update breaks USB support in recovery mode | Malwarebytes
4. What Is MTTD (Mean Time to Detect) in Cybersecurity