As with most anything these days, owning a business is not a static venture. It’s a dynamic endeavor that is constantly growing and evolving, following an ebb and flow that can be both rewarding and frustrating.
While most business owners would say they have come to appreciate the good times and learn from the hard times, if there’s anything the past few years have shown us, it’s that the hard times can be difficult to recover from. Pandemic aside, businesses’ reliance on technology and the internet have left them vulnerable in ways they have never been before—and ways that can potentially invite disruptive events that change everything.
Of course, technology and the internet are not the only potential sources of difficulties for business owners. There are, unfortunately, a number of hard-to-recover-from incidents that can befall a company—all of which underscore the reality that that owning a business is not for the weak-at-heart.
But accepting that there will be ownership and leadership challenges is the first step in combating whatever may come.
“The first step in recovering from a disruptive event is to plan in advance for it to happen and document what needs to be done, rather than try to handle everything on the fly,” says Bob Puphal, CIO, The Lerepco IT Group. “On the technology side, the plan needs to address who has the lead for mitigating the damage, isolating unaffected systems, prioritizing what systems need to be recovered first, and maintaining a forensic image of affected systems and logs for later analysis.”
From the non-technology side, Puphal adds a point of contact for communication is imperative—ideally someone outside the already-swamped IT department.
While it may feel like it’s difficult to plan for the unexpected, incident response plans provide a guide that can make things a little easier when the going gets tough, says James Nickel, senior IT lead, PCH Technology.
“The last thing you want … when you realize something has happened is not have a playbook to tell you what to do next,” he says. “Typically, incident response plans start by notifying the most appropriate person to cutoff whatever is occurring. Then these plans will typically follow-up with any expected reporting procedures and remediation plans.”
An incident response plan includes five stages—preparation, detection and analysis, containment and eradication, recovery and restoration, and post-incident review. These plans should be practiced and considered before the incident occurs, just like a fire drill, says New Jersey Office of Homeland Security and Preparedness Acting Deputy Director/New Jersey Cybersecurity and Communications Integration Cell Director Michael Geraghty.
While a plan may make life easier, there are still surprises that can take some time to work through. Last summer, for example, a widespread internet outage caused several major websites to shut down, including Amazon, Delta, Capital One and Costco.
According to a report, the outage lasted approximately an hour and was caused by a software configuration update. While 60 minutes may not seem that long in the grand scheme of things, when it comes to business success, that hour can make or break a deal.
“Today, businesses of all types depend on reliable internet service to perform their everyday tasks,” says Dan Dailey, USA Phones vice president of sales and marketing. “If your company has VoIP phone service, your internet stability is essential, but can never be taken for granted.
“A severe internet outage can take hours or days to recover,” he continues. “This can render your business with diminished operational capabilities until service is restored.”
Dailey says internet backup services are available to combat total loss of service and seamlessly keep the business running until primary service is restored. While a secondary system does not replace the main system, it does act as a full backup during interruption of service. “This feature offers peace of mind, knowing that your business will never miss a call or be unable to conduct a financial transaction again,” he says.
In the event a business disruption does occur, Nickel adds that it is important to assess what happened during the event, and learn from any missteps that may have occurred along the way.
“An after-actions report can be completed to understand what happened and what needs to be done to ensure these kinds of events don’t occur again,” he says. “It’s not enough to generate and review that report. Investments and changes must be made.”
Included in the investments may be additional insurance coverage, to ensure all aspects of the company are safeguarded. Working with a qualified agent can help ensure you have the specific coverage you need, especially if there is something that isn’t covered under a standard policy, says Christine O’Brien, Insurance Council of New Jersey president. To be covered by a cyberattack, for example, there is a specific provision that should be purchased as an addendum or rider to the main insurance policy.
“Meeting with an agent face-to-face to make sure they have everything they need is really the best way to go,” she notes.
If there is significant damage following the event and client trust has been compromised, it’s important to remain transparent and open about the incident, says Puphal.
“The event may entail a painful or possibly even expensive recovery, but these are risks and costs that were generally understood and accepted,” he says. “In our experience, a single event, handled professionally and with open communication, isn’t going to destroy that trust in the first place.”
Business ownership is difficult enough without having to consider all that could unexpectedly take place. But having an outline of what to do should something occur is better than nothing at all, and there is help available to get the plan underway.
“There are a lot of resources that businesses can avail themselves of to help develop incident response plans,” Geraghty says. “They include the NJCCIC [New Jersey Cybersecurity and Communications Integration Cell], the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the Small Business Association, among others. As the old adage goes—preparation is the key to success.”
Click here to subscribe to the free digital editions of South Jersey Biz.
To read the digital edition of South Jersey Biz, click here.
Published (and copyrighted) in South Jersey Biz, Volume 12, Issue 7 (July 2022).
For more info on South Jersey Biz, click here.
To subscribe to South Jersey Biz, click here.
To advertise in South Jersey Biz, click here.
