
CYBERSECURITY, FRAUD, & THE PEO OPERATION

Not long ago, disaster-related events were synonymous with severe weather and geographic power/network failures caused by a misguided backhoe. In the last 12 months, however, we’ve experienced first-hand the chaos a pandemic and cybercriminals can wreak on our operational capabilities, quickly changing how we think about our mission-critical systems’ resiliency. Surviving a large-scale service interruption is no longer something we can just worry about late at night, hoping it will never happen. We are obligated to invest our time and resources to plan for an eventual disaster.

The average cost of an IT system outage depends on several factors—some relevant to typical PEO operations, some not so much. The financial impacts vary when you consider your revenue streams, the duration of the outage, the number of customers impacted, and even the time of day. According to various studies, the average cost of system downtime ranges from a few thousand dollars per hour to a few thousand dollars per minute, depending on the type of business, the type of outage, and/or the impacted system(s). In the PEO industry, the estimate is probably closer to a few thousand dollars per hour. Still, to our hard-working employees and clients who rely on us for their paychecks, family health benefits, etc., any interruption will be traumatic, leading to a loss of confidence and, eventually, the loss of clients.

DISASTER RECOVERY PLANNING

There are different schools of thought about where to begin disaster recovery (DR) planning, but most schools agree you should start with a business impact analysis (BIA). Going through the BIA process will help everyone get their heads wrapped around the breadth and depth of the critical systems that must be addressed. Most PEOs likely do not have a skilled DR/business continuity (BC) expert on staff to guide them through the process. However, even if you do, consider engaging a partner who specializes in DR consulting. The consultant should have a repeatable process and common-sense approach to take you through the steps from start to finish and make recommendations based on objective data and facts, not subjective fear and conjecture, which will help keep you grounded in reality and focused on the objective. Before you decide to engage a DR consulting firm or take the planning on yourself, you must have executive sponsorship out of the gate. Once you start seeing the data, you’ll realize that to protect your clients and your business, material financial investments will be needed. It’s also important to set the expectation that DR planning is not solely the responsibility of IT or just another IT project, but rather, is an enterprise initiative and requires high levels of engagement from subject matter experts and stakeholders across the business.

One of the key inputs needed to complete your DR plan is an asset inventory. You can expect the planning team to reference it countless times throughout the process. In addition to your physical systems, the inventory should include critical software applications, databases, and Software as a Service (SaaS) providers. You can use the inventory to centrally locate and maintain crucial information about your maintenance contract terms, key support contact information, and service level agreements. Several asset inventory tools are available on the market, but if you don’t have one, you can start by just building one in a spreadsheet.

With an asset inventory and the findings from your BIA, your organization can define the recovery time objectives (RTOs) and the recovery point objectives (RPOs) for your critical systems and data. The RTO is the amount of time, and the service level, within which systems must be restored to avoid a negative impact on your business, while the RPO establishes the maximum acceptable amount of data (measured in time) that can be lost after a disaster or failure occurs. Defining these two objectives is necessary for IT to determine the frequency of data backups, when and where systems need to be redundant, and the measures needed to secure your sensitive data. Understanding your RTO and RPO will help ensure you do not over- or under-architect your DR solutions, keeping your investments congruent with your acceptable risk level.

TESTING THE PLAN

Testing your DR plan—through table-top exercises (meetings to discuss a simulated emergency) or fail-over exercises (switching to a system that is ready to run your mission-critical programs when a disaster occurs)—will provide many benefits that will help refine your plan while training those involved in the recovery effort. This will help minimize the chaos inherent during an actual event. When planning to implement a new system, include its DR needs during the planning phase to ensure it’s covered and the costs can be included; it can be expensive and time-consuming to go back and address them after the system is in use.

Finally, most PEOs rely on multiple third-party providers for their core business systems. In the words of our 40th president, “Trust but verify.” Review your providers’ system and organization controls (SOC) audit reports to ensure the controls are followed and that management addresses and remediates any exceptions. Ensure you understand what measures and investments they’re making in their infrastructure to protect your data and operations, and how well they manage their own third-party service providers, who ensure the availability of your systems and the protection of your data and your clients’ data.

TOM DEEN

Chief Information Officer

Landrum

Pensacola, Florida

Read in NAPEO’s PEO Insider June/July 2021 issue on page 34.

  • About Landrum

    Landrum is a full-service HR company that has been providing organizations with exceptional human resources and workforce solutions for more than 50 years. Landrum provides HR Solutions such as employee benefits, payroll and tax compliance support, HR expertise, and workers’ compensation. The company provides specialized HR and Marketing recruiting services through its Talent Solutions service line. It also provides Workforce Solutions for companies who need staffing assistance or help stabilizing their temporary workforce.
