A digital risk management strategy used to be a luxury reserved for huge corporations, but in today’s business climate, even small businesses need to understand digital risks and set up a plan to protect themselves.
“Today’s society is completely based on digital recordkeeping and digital media,” says Pervez P. Delawalla, CEO of net2EZ Managed Data Centers, Inc. “If companies don’t have strategies in place to insure their digital lives, they are just playing with fire.”
Smart Business spoke with Delawalla about how to develop a sound digital risk management strategy and how to ensure it will work when you need it.
What are some examples of major digital risks, and how can these risks affect businesses?
One of the principal types of risk comes from those once-in-a-lifetime events, like the terrorist attacks of 9/11. Many companies were impacted by those attacks, and not just from a personal standpoint. Getting their businesses back up and running was very difficult, and companies that didn’t have digital strategies in place for data backup were at a complete loss.
Then, you have the standard risks faced by businesses on a daily basis. Data is lost through negligence, or even through unforeseeable events beyond one’s control, like flooding or fire. In California, the major player in this category is earthquakes. To mitigate that risk, a West Coast company can have servers located on the East Coast, so in the event of a catastrophic earthquake, their data and its high availability would be safeguarded.
Digital risk management or risk mitigation solutions used to be cost prohibitive for small businesses — but not anymore.
How can businesses protect themselves from digital risks?
There are a couple of ways that businesses can insulate themselves from these risks. The first step is looking at where their digital life exists, so to speak, for both their company and their personal data. That will determine what type of risk exposure they have. For example, if a company decides to keep its servers on the premises, it would have its physical and digital location present in the same place. If something happens to that building, everything goes with it.
Usually, the company’s head of information technology would be responsible for recommending a disaster recovery location just for the data, which would be located away from the office space.
The best course of action is to employ the services of a disaster recovery company with the ability to provide highly redundant locations so data can be protected in the event that the physical location goes offline.
What should be covered in a digital risk management strategy? How does it interface with overall risk management strategy?
One of the issues that needs to be covered is the geographic separation between your primary location and your disaster recovery location. You don’t want your digital disaster recovery location just a couple blocks down the street from your physical location, because if there is a large-scale event, like a natural disaster of some sort, you are likely to lose both.
Another is the ‘cut over test.’ This is where both systems are run in parallel to make sure that, if you needed to cut over to the disaster recovery location, it would function in precisely the same way the primary location does. It’s like doing a fire safety drill. The frequency of the drill is determined by the company’s industry.
From that point, you start looking at the exact goal for the business in question. If the company is in an industry where going offline for a few days does not pose any real risk to business, that company would require a different strategy than a financial trading firm for whom a few minutes offline would be detrimental.
The strategy should be based upon and built around the business type. For example, a trading firm would want a disaster recovery location that is a few hundred miles from its physical location, and would ideally conduct a monthly or weekly full cut over test.
What should businesses look for in a digital risk management and insurance company or policy?
The stability of the company is important, as is its knowledge base, but the facility itself is the most important part. Look at where the servers are housed; confirm that the facility is SAS 70 certified. That designation means that independent auditors have certified the company’s policies and procedures.
Also, check how redundant the facility’s backup system is. Does it have at least one standby generator to back up the primary generators that provide power? Look into the integration and configuration of the cooling systems, as well.
Those are all integral parts of ensuring the entire facility works in unison. You may be spending a lot of money on disaster recovery, but if one of those systems is offline, your solution could still fail when you need it the most. It’s like installing smoke detectors throughout your house, but not testing them; you are taking an unnecessary and dangerous risk.
How can businesses ensure their digital risk management strategy is working?
The key is running those drills. Systems change all the time, and a company’s digital systems will never remain the same, particularly given the pace of the society we have now. Updates are constant, whether from the software tech side or the hardware tech side, so it is very important to run those drills on a frequent basis in accordance with your type of industry.
Also, look at your checklist and conduct audits. Make sure you have selected a provider that is SAS 70 certified and has good systems, and remember that just because everything checks out doesn’t mean that you shouldn’t go over that checklist and run those drills again next year.
Pervez P. Delawalla is CEO of net2EZ Managed Data Centers, Inc. Reach him at (310) 426-6701 or [email protected].
Insights Risk Management & Insurance Services is brought to you by Millennium Corporate Solutions