How Do You Maintain Business Continuity When Your Business Is Part of a Crime Scene?

Police crime scene tape close up
In April 2015, Baltimore, MD erupted in chaos as protesters stormed the streets following the death of 25-year-old Freddie Gray. Rioters showed no scruples about damaging physical property, and a Small Business Administration survey later estimated the damages at $9 million.

But while many businesses weren’t equipped to handle the disruption, one local service provider was prepared. Rather than shutting its doors while waiting for the rioting to subside, the business simply relocated its operations to a building it owned outside of the hot zone. The building was already equipped with tables and chairs, and the business worked with a third-party business continuity and disaster recovery (BC/DR) vendor to have office equipment shipped in within 24 hours.

What would you do if your business experienced an interruption due to a civil unrest, a terrorist event, workplace violence or other kind of event that might make your own organization or city a crime scene? Follow the lead of the Baltimore service provider and take these precautions: 

  • Have physical space ready. It could be a building you own, a previously contracted third-party building or a mobile workspace.
  • Make sure you have access to backup equipment, whether it’s your own inventory stored off-site or equipment that you’ve precontracted from a BC/DR provider.
  • Make a plan of action and test it. Creating a plan of action and testing it helps your employees know what to do in the heat of the moment and helps you fine-tune the plan.

Unfortunately, you won’t receive prior notice when a crime occurs on your doorstep. But with some advance planning, you can relocate your operations and protect your business. 

To learn more about integrating workspace recovery and IT disaster recovery to maintain business continuity, read this post.

Three Unexpected Opportunities for Business Continuity ROI

ROI concept
“What’s the ROI on that?” is one of the most popular questions management asks when evaluating business programs and projects. When it comes to business continuity programs, the answer is often “Well, there’s not really any ROI unless you experience a disaster. It’s like insurance.”

Because of this perceived lack of immediate value, budgets often get diverted away from business continuity to other projects that produce more tangible results. In fact, 49 percent of businesses don’t even have a comprehensive business continuity and disaster recovery (BC/DR) plan, leaving their entire company at risk because of the lack of an obvious ROI.

But what you may not realize is that business continuity programs do produce ROI — and you don’t even have to experience a disaster to reap the benefits.

Identifying new opportunities begins with the business impact analysis (BIA), when you assess and prioritize critical business processes, employee roles and technology. As you take a closer look at the inner workings of your business, you’re likely to discover new opportunities for cost savings or even revenue generation. If you work with a consultant who can provide an objective BC/DR assessment, we can almost guarantee you’ll find areas for improvement within your company.

Here are just a few ways you could realize ROI from your business continuity program.

Phase out Outdated Processes


Do you have manual processes that can be automated? In an IDC Technology Spotlight, 33 percent of respondents said their workflows involve manually extracting content from paper documents. By automating outdated processes like these, you can have employees spend that time focusing on other activities that advance the business.

Shorten Approval and Revenue Cycles


Are there too many unnecessary people involved in approval processes, thus slowing down project and revenue cycles? During the BIA process, you’re forced to identify critical processes, as well as the people and resources that perform those processes. What many businesses realize during the BIA is that certain processes have unnecessary touchpoints. Simplifying these processes will make business continuity more efficient and cost-effective. On a day-to-day basis, you also have the potential to identify ways to shorten your approval times and revenue cycles.

Decrease Vendor Investments


How many vendors do you work with? In an Institute of Internal Auditors Research Foundation (IIARF) survey, 42 percent of respondents said they rely extensively on third-party providers. Of those who use third parties, 90 percent said they used technology vendors. In some cases, you can consolidate the products and services you receive and cut down on the number of vendors you work with. By bundling products, you can reduce the money spent and increase the value provided from those services. You would also decrease organizational risk, as the more vendors you work with, the more you open yourself up to security issues such as third-party data breaches.

As you can see, having a BC/DR plan in place isn’t just about being prepared for a disaster. An effective plan can help you make your processes more efficient, improve data security and save you money.

For more insight into the ROI of business continuity, check out the resources for the Business Continuity Institute’s Business Continuity Awareness Week 2016

[Webinar Recap] How to Get the C-Suite to Prioritize Cybersecurity

Webinar slide
One of the most important pieces of a successful breach response is senior executive involvement. Yet research by Ponemon Institute shows that only 45 percent of executives believe they’re accountable for the incident reporting process. In fact, they view breaches as part of the cost of doing business.

Convincing the C-suite to prioritize cybersecurity can sometimes feel like an uphill battle, which is why we spoke on that topic during our recent webinar with the Disaster Recovery Journal. During the session, Rentsys Senior Manager Brandon Tanner and Director of Network Services Scott Frieszell offered their top three tips for getting the C-suite on board with cybersecurity initiatives:

  1. Don’t start at the top.
  2. Emphasize the benefits to stakeholders in each department.
  3. Provide a picture of the total impact.
 To hear more, check out the webinar recording here

Four Ways to Keep Your ePHI From Becoming a Statistic

Doctor using a computer
Medical Provider Struck by Hackers!

Insurance Giant Suffers Massive Data Breach!

Millions of Patients Have Data Stolen!

It seems like there are new headlines about data breaches in the healthcare industry every month — if not more frequently. In the last few years, electronic protected health information (ePHI) has become the primary target for hackers, and it's easy to see why.

According to a recent report by Reuters, ePHI fetches 10 to 20 times more than credit card data on the black market. That's why organizations that handle healthcare data are prime targets for data breaches and theft. In fact, 28.5 percent of the entire U.S. population was affected by just two — Anthem and Premera — healthcare data breaches that were discovered in 2015.

Starting to feel a little overwhelmed? Don't worry. Here are five things you can do to keep your ePHI safe from prying eyes.

Encrypt Everything


In 2013, two laptops were stolen from a secure office at a hospital in California. The laptops contained ePHI such as financial information, health conditions and demographic information. Unfortunately, the data wasn't encrypted, so the hospital had to notify 729,000 individuals that their ePHI had been compromised. The hospital implemented policies and procedures to reduce risks to the patients' ePHI, but the damage was already done. Had the laptops been encrypted, the hospital could have protected the information.

A recent article by Health Data Management points out that it's easy to encrypt everything, since encryption tools are embedded in current operating systems and come with nearly every device. (If a device doesn't have built-in encryption functionality, that's a sign that it's outdated and shouldn't be used to handle ePHI in the first place. We talk about that more below.) Yes, encrypting all your data costs time and money, but it's a drop in the bucket when you compare it to the cost of recovering from a breach.

Know Who You're Working With


While keeping ePHI out of the hands of outside thieves is hard enough, you also need to be able to trust your employees and your vendor's employees with the sensitive information. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) maintains a "wall of shame" website listing major healthcare data breaches. Of the 1,472 breaches on the website, 309 (21 percent) involved a business associate. These associates were responsible for exposing 32.8 million records.

You should thoroughly vet your employees and vendors who have access to your ePHI to make sure they're not susceptible to using the information for personal gain. Routine audits can catch employees who are putting their noses where they don't belong.

Stop Using Outdated Devices


Encrypting ePHI and auditing employees' system usage can go a long way toward better controlling patient data, but the ability to do those things can be hampered by outdated technology. The healthcare industry is traditionally slow to adopt new technologies, and old communications methods and technology (such as pagers) are costing hospitals $8.3 billion per year.

Obsolete, poorly secured technology leads to vulnerabilities in your network. In fact, even one outdated system connected to the network could provide hackers with a back door. To monitor for threats, use a firewall service that includes intrusion detection and prevention, port scanning and protocol inspection, and perimeter anti-virus/malware blocking.

Don't Count on Obscurity


When healthcare giants like Anthem and Premera make headlines with massive data breaches, you might think you can get away with less-than-cutting-edge ePHI security by being a smaller provider. After all, hackers are only interested in big scores, right? Wrong. ePHI from a small physician's practice is just as valuable as ePHI from an insurance giant. According to a recent Health Data Management article, smaller providers represent a tantalizing target for hackers for one key reason: They're easy targets.

A lack of awareness about what the hackers are capable of and concerns about cost have kept many small healthcare providers from being properly equipped to handle sophisticated cyber attacks. Regardless of the size of your practice or company, you should always be aware of the threat of cyber attacks and keep your company prepared to fend off hackers. The cost of keeping your patients' ePHI secure pales in comparison to the consequences both you and your patients could face after a data breach.

To find out more about how to keep your data safe, read our post "Five Ways to Thwart a Cybersecurity Nightmare."

Q&A: Brandon Tanner on the Hybrid Cloud

Brandon Tanner
We recently sponsored a Disaster Recovery Journal (DRJ) webinar, during which Brandon Tanner, our senior manager, discussed the evolution of hybrid cloud disaster recovery as a service (DRaaS) and the challenges addressed during its development. (If you weren’t able to attend the webinar, you can listen to it here.) During the Q&A session at the end of the webinar, attendees wanted to know more about how hybrid cloud DRaaS fits into their work environment. We've highlighted a few of their questions below.

Q: How does a managed service in the cloud differ from one our IT team manages, and who is responsible for what?
A: It varies depending on who the managed service provider (MSP) is, but if the MSP offers a hybrid solution, they typically handle both environments. So, for example, instead of your IT team handling a particular on-site infrastructure and solution, the MSP handles both the on-site and off-site component, whether it's a public or private space.

That service provider is tied to service level agreements that give you remediation both for local and off-site solutions, so it's a seamless end-to-end solution. With an in-house solution, you're on the hook for managing it yourself.

Q: What specific workloads are best suited for the hybrid cloud?
A: It varies depending on your business. For example, data analytics and seasonal demands are some of the workloads the public cloud does a good job of.

Dedicated workloads specific to the organization may have certain sets of data, parameters, types of software or uses associated with them. These workloads might need to be managed locally to ensure connectivity, minimize bandwidth requirements and keep costs down. It depends on how an application is built and how users access systems and data. So you have to understand what apps people are accessing and what speed those apps require. You also need to know whether or not they need to run independently if, for instance, the outside network is unavailable.

Q: What are your strategies for providing DRaaS to customers who have a mixed environment of VMs and physical servers?
A: The solution needs to address how you handle both physical and virtual environments and how they fit into your data management strategy, whether it's data replication or recovery. You may have hardware that's replicated to other hardware, and you may have your virtual environment that's replicated to a virtual environment. Or you may have an on-site solution that's backing up both physical data and virtual environments locally. Your recovery strategy then becomes a matter of asking yourself, "Do I need to dropship equipment in, do I need to keep spares on-site, or do I want to replicate that data off-site, where there's spare hardware that can be used?"

In our experience, from a recovery standpoint, we take physical infrastructure and recover it into a virtual environment, and oftentimes, once we've done that, the client stays in the virtual environment. The only exception is when the client uses equipment with a specific use. We've also seen a lot of testing that has moved the physical world into a virtual world. But you can't virtualize everything, so you have to account for that hardware component as part of your solution, both in a private infrastructure and in a public cloud infrastructure.  

Q: What are some of the gotchas to be aware of with hybrid cloud and DRaaS offerings?
A: Number one is connectivity and communications, both WAN and LAN. You could say it costs you a penny a gig to store things up in the cloud. But you still have to be able to access it. Connectivity could be a major gotcha, depending on the architecture of your solution. If you put everything up in a public cloud, and you're running the users in the private cloud, all the data has to move back from that cloud environment. You're moving a lot of data back and forth, so architecture related to your applications and systems is critical.

The other thing is cost containment. With these hybrid models, it's easy for a private cloud provider to give you a fixed cost or a model with some variability. If you have a hybrid model with stuff in the public cloud and you need to recover something or need help with an issue, a lot of those costs are a la carte. They're advertised as storage costs, cost of server instances, those kinds of things. That all comes with the hybrid cloud solution, so you need to make sure that either you or your provider has the knowledge to account for some of those additional variable costs.

For more cloud Q&As, check out this post

[INFOGRAPHIC] The Sick State of Healthcare Data Breaches

Data breaches in the healthcare sector have become an epidemic. In the next five years, the industry could lose as much as $305 billion in lifetime patient revenue due to cyber attacks.

To learn more about the sick state of healthcare data breaches, check out this infographic by LightCyber.

The Sick State of Health Care Data Breaches

Want to learn how to prepare for a cybersecurity breach? Read our post "Five Ways to Thwart a Cybersecurity Nightmare."

DRaaS Can Unlock Revenue Potential for Resellers

Restaurant cloche with cloud computing symbolIf you’re a reseller and haven’t added disaster recovery as a service (DRaaS) to your portfolio, you could be missing out on vast revenue potential. Here are two reasons why.

Fewer Businesses With DR Plans Means More Opportunities for You


Surprisingly, 49 percent of businesses have yet to implement a comprehensive business continuity and disaster recovery (BC/DR) plan. While this doesn’t bode well for those organizations, it means resellers have a wide-open door for successfully selling DRaaS services.

For companies that are just getting started with DR — and even for those who already have a DR plan in place — DRaaS solutions are an easy in. The solutions offer easy implementation, access to vendor expertise, fully managed IT infrastructure and the ability to meet recovery time objectives of as little as less than two hours. Gone are the days of having to build out a redundant environment in-house. More companies are realizing this fact, and the market is expected to grow 739 percent during the span of 2015 to 2020. Take advantage of this momentum early on.   

Businesses Are Prioritizing Strategic Objectives in IT Spending


According to research by IDG Research Services, most organizations aren’t pouring money into maintaining or improving the value of legacy systems anymore. Instead, they’re investing in technology that can help the business meet key objectives. These objectives include improving the customer experience, managing costs, increasing operational efficiency and mitigating risk.

When it comes to mitigating risk, security and BC/DR projects are two of the top technology initiatives currently underway. As an IT reseller, you’ll experience the most success when your solution portfolio aligns with these business drivers. Because DRaaS has the ability to reduce downtime, enable more efficient DR testing, adhere to compliance requirements and more, organizations will find that it’s a good fit for their strategic objectives.

Realizing these benefits, we recently added a DRaaS solution to our reseller program. To learn more, read this press release and visit our Partners page.