Two Thoughts From Pennsylvania

September 11th, 2008

I learned a great deal from my participation in the “Building a Disaster-Resilient Small Business” workshop series of the Pennsylvania Small Business Development Center’s Environmental Management Assistance Program. The series consisted of three three-hour workshops hosted by the Small Business Development Centers of Penn State University at State College, Bucknell University at Lewisburg and Duquesne University in Cranberry Township. T. David Filson and I facilitated each of the three workshops. Mr. Filson coordinates the emergency preparedness and response communications within the Penn State Cooperative Extension. Two issues, in particular, came up during the discussion that I want to share with you. The first concerns fire safety. Dave Filson spoke of how he had participated in group safety training with the local fire department in which each person had to demonstrate that he could put out a fire using the fire extinguisher. The fire fighter who taught the program would carefully start a fire in a controlled setting, giving each participant the chance to learn in a safe environment.

The second issue that arose concerned the unique needs of union workplaces and work rules as set out in collective bargaining contracts. For those small businesses that work with unionized employees, you need to have clarity about what their work responsibilities will be, within the framework of their contract, during a disaster recovery operation. This is particularly important as the union work rules may limit the flexibility of the response to disaster-related needs that you cannot always anticipate in advance.

I thought I would post these comments so that workshop participants in other parts of the country could have the benefit of our discussions. I very much look forward to returning to Pennsylvania. I had wanted to visit a bit, but driving the entire width of Pennsylvania on the turnpike left me little time!

Critical Computer Systems Held Hostage

September 11th, 2008

A recent incident that crippled the City of San Francisco teaches a lesson for small businesses

Recently, a network administrator employed by the City of San Francisco locked down the City’s computer network. By keeping a single password secret, Terry Childs (no relation to me!) denied access to IT administrators, thereby crippling important municipal functions, such as the City’s payroll and law enforcement records. After spending several days in jail and meeting in secret with San Francisco Mayor Gavin Newsom, he gave up the password and access has been restored. Subsequent investigation revealed that Mr. Childs was a disgruntled employee with a criminal record; he had been arrested for aggravated robbery 25 years ago in Kansas.

As we had advised in the first edition of our book, “A good network administrator builds his or her reputation on trust that has been earned throughout their careers. But even with the best service administrator in your service, you must still protect against the risk of internal sabotage. These measures are not difficult to implement and should be welcomed by your network administrator as being in the best interest of the organization.” How can your small business avoid San Francisco’s experience of being held hostage by a disgruntled network administrator?

1. Apply basic auditing methods. There are simple auditing methods that you can apply and review periodically, such as identifying who accessed which files, who generated which external network traffic and who sent a large number of e-mails or attachments to which addressee. You should, of course, inform your staff that activities on the IT network are monitored and the results of these activities are not matched with personal information unless there is a compelling reason to do so. Ask staff to refrain from storing personal information on company computers. These guidelines should be formalized in company policy.

2. Automate independent backups. It is critical to back up your business data and certainly your network administrator needs to have access to the backups in the event it becomes necessary to retrieve data in the course of ordinary business or emergency. But always have one backup mirrored on a site to which the administrator does not have access. There are tools that can do this automatically at designated times during the day. This mitigates your risk of sabotage. If the City of San Francisco had such a system in place, the Mayor would not have been compelled to visit a saboteur in his jail cell.

3. Outsource your e-mail service to a third-party provider. I always advise small businesses to outsource their e-mail service to a third-party provider, as it is generally not cost-effective for them to manage these services in-house. This approach offers an additional benefit: it makes the e-mail system independent of internal systems staff, both reducing their work burdens and the opportunities for internal sabotage.

4. Do not use any built-in “Administrator” accounts, but instead give two users administrative rights on the system. This way, each week those two people can independently monitor and audit suspicious activities on your network and system administrator tasks can be traced to their user identifications.
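To show what the periodic review in items 1 and 4 can look like in practice, here is a small added Python example; it is not code from the book or from this blog. It assumes a constructed pipe-delimited audit log (timestamp|user|event|detail), made-up user names, a made-up e-mail threshold and a hypothetical list of the two named administrators. It flags users sending an unusual number of e-mails, lists who touched which files, reports any use of a built-in administrator account, and reports privileged actions that cannot be traced to one of the two named administrators.

```python
"""Weekly audit review for a small business network (added example, constructed data)."""
from collections import Counter, defaultdict

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = "\n".join(
    [
        "2008-09-10T08:01:00|alice|file_access|/finance/payroll.xls",
        "2008-09-10T08:02:00|alice|email_sent|vendor@example.com",
        "2008-09-10T08:04:00|alice|file_access|/hr/benefits.doc",
        "2008-09-10T09:00:00|Administrator|privileged_login|core-switch-01",
        "2008-09-10T09:05:00|carol|privileged_login|core-switch-01",
        "2008-09-10T09:06:00|carol|config_change|core-switch-01 password rotated",
        "2008-09-10T10:30:00|eve|config_change|backup-server retention policy",
    ]
    # bob sends 25 messages in one hour (constructed outlier)
    + [f"2008-09-10T11:{i:02d}:00|bob|email_sent|contact{i}@example.com" for i in range(25)]
)

EMAIL_THRESHOLD = 20                 # assumed; set from your own weekly baseline
NAMED_ADMINS = {"carol", "dave"}     # hypothetical: the two people given admin rights (item 4)
BUILTIN_ADMIN_NAMES = {"administrator", "root"}
PRIVILEGED_EVENTS = {"privileged_login", "config_change"}


def parse_log(text):
    """Turn 'ts|user|event|detail' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, user, event, detail = parts
        events.append({"ts": ts, "user": user, "event": event, "detail": detail})
    return events


def email_outliers(events, threshold=EMAIL_THRESHOLD):
    """Item 1: users who sent more e-mails than the threshold."""
    counts = Counter(e["user"] for e in events if e["event"] == "email_sent")
    return {user: n for user, n in counts.items() if n > threshold}


def file_access_by_user(events):
    """Item 1: which files each user accessed, in log order."""
    access = defaultdict(list)
    for e in events:
        if e["event"] == "file_access":
            access[e["user"]].append(e["detail"])
    return dict(access)


def builtin_admin_use(events):
    """Item 4: any activity under a shared built-in account is untraceable to a person."""
    return [e for e in events if e["user"].lower() in BUILTIN_ADMIN_NAMES]


def unattributed_privileged_actions(events, named_admins=NAMED_ADMINS):
    """Item 4: privileged actions not performed by one of the named administrators."""
    return [
        e for e in events
        if e["event"] in PRIVILEGED_EVENTS and e["user"] not in named_admins
    ]


def weekly_review(text):
    """Run all checks over one week's log and return the findings in one dict."""
    events = parse_log(text)
    return {
        "email_outliers": email_outliers(events),
        "file_access": file_access_by_user(events),
        "builtin_admin_use": builtin_admin_use(events),
        "unattributed_privileged": unattributed_privileged_actions(events),
    }


if __name__ == "__main__":
    findings = weekly_review(SAMPLE_LOG)
    for name, result in findings.items():
        print(f"{name}: {result}")
```

Each named administrator can run this independently against the same log, which is the point of item 4: two people reviewing the same record, with every privileged action tied to a personal login rather than to a shared built-in account.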

One of the key messages of Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses (Wiley, second edition, 2008) is that by preparing for the everyday disaster, you automatically build resilience for the more serious threat. No one wants to think about internal sabotage; it is deeply upsetting to imagine that your trust could be betrayed in such a manner. Thankfully, few of us will have to deal with this possibility. But what if San Francisco’s IT administrator had suffered an accident or a medical emergency (a statistically more likely outcome than the perpetration of sabotage)? The City’s IT systems would still be brought to a standstill, without the solution of a jailhouse visit by the Mayor to retrieve the password. Restricting access to a single individual, no matter how apparently trustworthy, is not a good policy. Let your small business learn from the experience of San Francisco.

Welcome To My Blog, Pertinent Perils!

September 5th, 2008
Blogging on the run

Welcome to my new blog! This blog is the product of entrepreneurial inspiration! I am an entrepreneur and, on 9-11-01, my small business office was located in “Zone 1” of the World Trade Center. On that fateful morning, I was in the WTC when the planes struck the first tower. I safely exited the building and placed a cell phone call to my office and then to a friend who was on his way in from Brooklyn to meet me. I tried to reach him to advise him to turn around and go home, and, as it was not safe to be about, I did the same.

My home was located in the residential community in the shadow of the World Trade Center. I was in my apartment when the towers fell, in part, on my building. Then, together with my neighbor and his dog, I was evacuated by police boat across the Hudson River to New Jersey where I remained, homeless, for several months. I was allowed to return home once during this time to retrieve some clothing and other personal belongings. Mine was the only residential neighborhood evacuated, closed and placed under the control of the National Guard. Civil authorities allowed my office building to re-open on September 18, 2001, one week to the day later. This was largely because of the symbolic importance attached to re-opening Wall Street and the New York Stock Exchange. Had we been located a block in either direction, our re-opening would have been further delayed. Even so, we were without essential services for some time, such as electricity, land line telephone, gas, water, mail delivery and pedestrian access. I had to file insurance claims, deal with disaster relief agencies and programs and put into effect an environmental remediation of my office to remove the soot and ash.

I soon realized my experience was very unusual. Few small businesses in Lower Manhattan were prepared to work through such a major disruption. Ours was a statistical outlier in terms of preparedness. This is an accident of two unusual professional backgrounds. Prior to starting the business, I lived in Zurich, Switzerland where I was a senior executive of the world’s largest reinsurance company. Reinsurance companies are the ultimate providers of risk capital and so invest considerable effort in advising their corporate clients in respect of disaster preparedness, business continuity and risk management strategies. This background was of enormous help to me in responding to the consequences of what happened on 9-11.

I was doubly fortunate to have Stefan Dietrich as my business IT guru. Stefan has a doctorate in engineering and computer science and completed his post-doctoral training in computer science at Cornell University. He had contributed to the disaster recovery operations (and future business continuity planning) of Deutsche Bank in London following the bomb attack on Bishopsgate. He had me all set up with appropriate data backup, application access, an appropriate communications plan – you name it!

Few small businesses had the experience that would lead to our insight and so, after providing pro bono help to my fellow Lower Manhattan small business owners to aid their recovery efforts, we decided to write a book to share our expertise more widely and on a proactive basis. Not long after 9-11, I wrote a proposal for a book on the topic of small business disaster preparedness and recovery and one week later, that proposal was accepted. In 2002, John Wiley & Sons Inc. published Contingency Planning and Disaster Recovery: a Small Business Guide.

With weather-related and other disasters in the news, our topic continues to be timely and this summer Wiley published the second edition of our book, with 40% new material, under the title Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses. There has been particularly strong interest in the small business community for information about insurance for disaster exposures; hence, the title of my blog is “Pertinent Perils” which is reinsurance-speak for “relevant risks”.

I hope that with this blog and website we can build a community among small business owners to share best practices for disaster preparedness and recovery. With the events of 9-11, Hurricane Katrina and other major disasters, it seemed that no national learning was taking place. I am reminded of the Drew Barrymore movie 50 First Dates in which the leading lady suffers acute deficits in short-term memory such that every date she has with Adam Sandler requires that they start their relationship all over again. It is an amusing plot for an in-flight movie, but not very funny in real life. Learning the same lessons over and over again is unnecessarily costly, both in human and financial terms.

One of the challenges of entrepreneurship, which is also the one that I find the most rewarding, is that we have to become a Jill-of-all-trades. In the large corporate environment, roles and responsibilities are better defined in functional departments. When I worked in the reinsurance industry, for example, I never had to think about building a website or doing a p.r. campaign with the news media. Now I do and I see it as an opportunity to connect with others and to learn from them.

And I hope we will learn about the best as well as the worst of disaster practices. The new title of the second edition was intended to capture the lesson that disaster planning not only protects your small business against the downside, but it offers immediate, tangible benefits to your business even if disaster never strikes. I invite you to contribute to this blog and share what you can with the small business community.