Working from Home and Business Continuity
The recent Coronavirus (COVID-19) outbreak is challenging many organisation’s Business Continuity Planning (BCP) arrangements as they have often been built around the assumption that employees can attend a business recovery site en masse, or that not all offices would be affected at the same time. Whilst other events such as the snows in 2010-2011 and “The Beast from the East” in 2018 have had wider disruption, the effects of these events have passed fairly rapidly and most companies simply accepted a 2 to 3 day temporary shutdown and haven’t then changed their BCP accordingly.
With COVID-19 there is a strong chance that businesses will have to temporarily close their offices for several weeks rather than a couple of days and if this is the case then your BCP must answer the following questions:
- Can all of our employees work from home, regardless of role? Bear in mind that as a lot of BCP assumes a temporary interruption, your current plan may only cover key roles for a short period of time. If COVID-19 warrants a shutdown of two or three weeks then support and full-time office based roles such as main reception and administrative workers will also be required to work from home.
- Do all employees have access to a device that allows working from home, but that doesn’t expose your company to data loss or breach? For example, expecting your employees to email documents containing sensitive data to their private mailboxes, or expecting them to work on these documents on their own devices that may ultimately end up being given away or recycled insecurely, is a major risk to your organisation. Similarly, allowing these uncontrolled devices to be connected into your network remotely also generates a major risk. Trust me when I say that you really don’t want to be dealing with a virus or malware outbreak at the same time as you are invoking BCP and your IT team is already overstretched.
- Do you have a comms plan or way of reaching all of your employees quickly so that you can share information with them? If they all have secure access to company email from their mobile device then this may suffice, but you may also need the ability to be able to broadcast text messages to them or carry out an online all-staff briefing.
- Do all employees have somewhere at home that they can work from? Younger employees may be in shared flats or other housing, and couples and families may only have one desk/table and device available to them. This can present challenges if they and other members of their households all have to work remotely at the same time.
- Does your current telephony system rely on people being physically located within your company premises? If so, can a divert be arranged to individual’s mobile phones quickly and is all the information ready to hand that would be required to set that up?
- Do you rely on paper records? Hopefully not, but in some cases such a Private Client Law etc, you may need access to documents such as wills, or power of attorney instructions that go back several decades. Even in extremis, can you access these files or do you have a prepared process for dealing with a prolonged lack of access to them?
- Do you have sufficient connectivity and bandwidth? If your solution involves virtual private network (VPN) connections then without sophisticated bandwidth controls, certain usage may deprive other users from even getting basic connectivity to your internal systems. With a remote desktop solution then, the performance should simply degrade in a relatively graceful manner, but can still leave some users frustrated by the apparent performance. This requires capacity planning and remediation prior to an event – not during one.
Business Continuity Planning is a business exercise, driven by business needs and supported by IT. It should never be left entirely to your IT team to design and implement on their own. In the case of COVID-19, your systems will almost certainly remain running, meaning that there is no Disaster Recovery (DR) element, but the reality is that most companies have strong DR arrangements and barely adequate Business Continuity plans. The way to remedy this and protect your company is to immediately:
- Read your current Business Continuity Plan now and examine if it is fit to cover closing your offices for 4-6 weeks and allowing everyone necessary to work from home. A good plan should be short and readable. Step by step, user instructions of how to connect and access systems should not be in the plan itself, but should be available in a location that is referenced in the plan so that employees can find them as needed. Also ensure that the plan clearly explains who employees are to go to if they experience challenges and who on the management team is responsible for invoking, ending and managing business continuity events.
- Walk through your plan with your management team and department heads as soon as you can to ensure that it covers their needs and that they understand how the business will operate in a BCP scenario that lasts for multiple weeks. Identify any issues that need further planning or are particularly challenging and accept that you may have to retain a skeleton staff onsite to deal with these issues, particularly if your company has a mail or shipping department that is critical.
- Send your Business Continuity Plan to all staff now – even if it is not a 100% fit for the entire company, but be honest about any of the gaps that you already know about and that people may just have to live with.
- Have a specific communications plan and contact list for everyone in the company.
- For users who need access to IT, ask them now if they have a suitable device and somewhere to work from if they are asked to work from home for a prolonged period of time. Ask them to consider the impact of other members of their household also being at home and working at the same time. Identify anyone who will have issues and try to find a solution or workaround for those issues. Consider the impact that childcare issues may create if schools and nurseries are closed.
- Make sure that all users who have company mobile phones and laptops have all of the installed applications that they need and know how to use them and connect in remotely as required. Similarly, make sure that these devices are taken home every night at the moment. During the 2018 weather disruption we were shocked at the number of users we witnessed who didn’t take these essential devices home despite the fact that it was obvious that they were going to be needed.
- If you’ve identified a major shortfall in laptops or phones then you need to remedy that now as we are currently seeing long lead times caused by supply chain disruption coupled with a sudden spike in demand.
- Ensure that you have carried out either testing (send everyone home for the day) or capacity planning of your current connectivity. Bear in mind that if you have to invoke company wide BCP it is then too late to find out that you have insufficient bandwidth or that specific key applications won’t work over such links.
- Talk to your current telephony provider and plan how you will divert and manage calls during an event. In some cases you will have the ability to use a softphone which is an application for your laptop or mobile device that acts exactly as your desk phone does, but again you need to check that your employees know how to login and use this functionality.
- Consider whether you might need other supporting IT. For example, if your current VPN or remote access solution is not going to be sufficient we can rapidly deploy a temporary, pay per use, secure virtual desktop in as little as 3-5 days depending on your current environment. This can be accessed from almost any employees current PC or Mac, and even tablets without exposing your organisation to data leakage or virus issues.
Finally, we are all hoping that widespread and prolonged disruption is not going to be caused by this current outbreak, but by preparing for it we are all also getting our companies in better shape for dealing with the next major Winter disruption or similar, so this is never going to be wasted effort.
Charles Scott, Technical Director and incident veteran, Quorum Network Resources Ltd
AWARDS & RECOGNITION