With the coronavirus spreading globally, industry experts are warning IT leaders to confirm their business recovery and pandemic preparedness plans are updated in case large numbers of employees have to work remotely or are too ill to work at all.
And if they don’t have plans they’d better start making them today.
“This is not a wait and see,” said Rob Smith, a Gartner research director for endpoint security based in London said in an interview. “Any organization could have a forced shutdown tomorrow. This is the 2020 nightmare.”
Smith and Roberta Witty, a Gartner vice-president in the security and risk management program, said plans and infrastructure need to be dusted off and tested now before the organization faces a crisis.
For example, Yahoo Finance reported that last Thursday Amazon asked all staff members whose devices are equipped to login via a virtual private network (VPN) for at least 10 minutes to see its infrastructure could handle a heavy simultaneous load. Bloomberg News reports that JPMorgan Chase asked thousands of its U.S. consumer bank workforce to do the same.
In Washington state, where coronavirus has caused 10 deaths, Amazon, Microsoft, Google and Facebook are asking staff at their Seattle area offices to work from home. Twitter and Texas-based job board provider Indeed have told staff to work from home. Apple has followed suit.
It’s not only a matter of making sure there’s enough bandwidth. A Gartner customer told Smith on Friday his firm has that, and that the problem is the VPN gateway is too old to handle the traffic. “So they have to drop a ton of money very quickly to update the hardware.”
Better to test than to be caught unaware, and Smith also said he knows of a global bank that had to tell 23,000 staff to stay home due to coronavirus, also known formally as COVID-19. “They had to scrub a whole building”
Asked if the bank was prepared Smith replied, “I think they’re still figuring it out.”
Disaster recovery is not business continuity
The good news is that knowing the situation a number of tech companies have started offering temporary deals on cloud-based VPNs, collaboration and video conferencing solutions. Organizations that don’t need connectivity back to a data centre because they’re working through the cloud can best take advantage of cloud solutions, said Smith.
Here’s a few tips to quickly get running:
A) You have a plan of some sort. Is it up to date?
“A pandemic preparedness plan is different from a traditional recovery plan,” Witty pointed out. A business recovery plan may assume some staff can work remotely. A pandemic plan assumes staff are too ill to work from home.
Still, there are some parallels. A business recovery plan or impact analysis has to consider what people, data, business processes and projects are crucial to the company. That sets the stage for determining how the organization can continue if vital staff are missing.
While many organizations have business recovery plans, Witty couldn’t estimate how many have a pandemic plan. “Anybody who does have a pandemic plan, it’s probably a few years old because the last time we had to go through this was 2009 with H1N1.” A lot of that content may be unusable, she said. Staff have changed, as well as roles, business processes, facilities change and the crisis management team.
The plan will have to consider whether main business processes can be supported with staff working from home, and if those people are ready now with VPNs, collaboration and video conferencing solutions if necessary. Staff already using remote access have no problem. Others may have to be helped in setting up their home computers. That could cause an immediate strain on help desk support staff.
This is also the time, Witty said, to find out if your infrastructure — including gateways, firewalls and internet provider — can handle the extra bandwidth or if extra capacity has to be purchased.
Finally, question the organization’s other main providers — application providers, SaaS providers, cloud service providers and ask how will they continue supply if there’s a lot of absenteeism in their firms.
One big problem, Smith said, is an organization may have the bandwidth but it can’t scale. “Imagine you’re a company and have 100 people who work from home,” he said. “Everybody these days has superfast bandwidth (from home), so they have 100 mbps. That’s 10 gigabits if everyone was using full bandwidth. So it’s real easy to use the entire corporation’s bandwidth just by a handful of people accessing the VPN.” So the CIO may need to throttle the traffic through the VPN gateway.
Remember, he adds, some staff may need more bandwidth than others.
B) You don’t have a plan
Start drafting one quickly. Even if you can’t write a formal and thorough plan at least start thinking about who needs to have remote access and how it can be quickly given to them.
In this largely cloud-based mid-size and small companies have an advantage, said Smith. Microsoft Office 365, for example, comes with Skype. Sign up for the Premium version to get Teams for collaboration. G-Suite users can set up Groups if they haven’t already.
Enterprises with on-premise versions of Office can still get Teams or Slack, Smith said, although users need to be integrated with Active Directory.
Another possibility is desktop-as-a-service (remote desktop) through Amazon Workspaces, VMware Horizon, Citrix or others.
VPNs are only needed if staff have to connect to the corporate network to access on-premise databases. Smith notes that Windows 10 comes with a VPN, although it has to be configured by the end-user and the data cente must have a VPN server.
For any remote access solution, Smith added, identity and access management are vital.
Again, Smith noted that any solutions staff need to add to their home computers will at least temporarily come with increased work for help desk because of the wide variety of home PCs and Macs.
Finally, CIOs have to deal with the possibility that IT staff may be unable to work due to illness. Ensuring that current staff are cross-trained for each other’s jobs may help.
(This article has been corrected from the original. The virus crisis in 2009 was H1N1.)