Disaster recovery testing scenarios too often consist of a random technical outage that focuses on the IT department, some managers/developers, and no one else. The recent events of the COVID-19 pandemic may encourage organizations to shift their tests to the human aspects of disaster recovery.
The use of remote access technology has been steadily gaining popularity and serves as an excellent solution to many of the challenges an organization may face during a disaster. However, some business roles require a human presence to function properly.
Short-Staffed Disaster Planning
A few years ago, I was working with a company that had a significant number of employees who were fans of Mexico in the FIFA World Cup. When Mexico successfully made it to the Round of 16, management started worrying that production staff might “call in sick” on the days that Mexico was playing. This situation resulted in a fascinating topic for disaster recovery plan testing:
“What if Mexico makes it to the quarterfinals of the 2018 World Cup?”
The steps taken were both preventative and proactive, including:
- Rotating staff for breaks during the game itself,
- Providing a projector playing the game and piping the audio over the PA system,
- Altering the production schedule to facilitate a “low workflow” day, and
- Contacting temp agencies to acquire additional help on dates that Mexico may play.
This approach maintained the physical security of the facility by assuring some staff was present in production areas at all times.
Unfortunately for Mexico, they failed to make it to the quarterfinals. Fortunately for the company, they now had a course of action that could reduce the impact on production when a large amount of staff is unavailable to work. Who knows—maybe they could require this plan in 2022, should Mexico succeed in making the World Cup again. Here are some additional considerations to keep in mind when reviewing your disaster recovery plans surrounding the availability of staff on site.
Isolated Areas
Organizations often have areas of their facility that few people ever go to, such as storage areas, unused office space, and utility closets. Many times organizations will leverage additional security controls to monitor these areas instead. CCTV, motion alarms, and locking doors help secure isolated areas from unauthorized entry.
If you are short-staffed, there may be new areas that have no human presence and may not have the same security controls as the normal areas. These newly isolated areas may be subject to unauthorized activities, such as spying, tampering, or theft.
Business continuity planners will want to identify areas that may become isolated with a reduction in staff presence. Once that is understood, they should determine what controls they can put in place to help reduce the risk of unauthorized activity in those areas.
Reception Areas
Consider the following:
- What does your organization do when the receptionist calls in sick?
- Do you have a backup on staff?
- Is there a “ring bell for service” sign on the counter or use an optical sensor connected to a bell for someone nearby to hear?
- Do you lock the front door, restricting visitor access to even the lobby?
Disasters may significantly affect the availability of staff and may even jeopardize the functionality of your backup plans. Without staff assisting visitors and monitoring public areas, unauthorized activity, both intentional and accidental, may occur.
Review your procedures for when no one is available to support areas non-employees can access and confirm there is a process in place for securing those areas when unattended.
Scheduled Security Controls
If your facility unexpectedly closes during the workweek, are you sure the alarms will set or remain set when no one is around? Many alarm and door systems automatically arm or disable access on a set schedule, such as 7:00 a.m. to 6:00 p.m. Your facility may not have adequate security controls during regular business hours when human presence is ordinarily high.
Review the schedules powering your security controls to make sure they are functioning as intended during unexpected facility closures.
Conclusion
Avoid security control failures by establishing operating procedures for low-staff situations and allocating resources to the plan. Additionally, ask yourself if those reserves may also fall victim to the same disaster events that they were put in place to mitigate.
Incorporate all of the major departments within the organization in disaster recovery planning and testing. This involvement allows an organization to examine a variety of different aspects of a disaster threat and solutions and not just the technical ones.
Finally, you may want to keep an eye on your local sports teams in case any could be going to international tournaments or championships in the near future.