Creating an Online Business Continuity Plan (October 5, 2008)
In this article, I’ll talk about how to write an online business continuity plan. This is a plan which helps your business continue to function securely online despite routine changes, such as hard drive failures, employees coming and going, service outages, or not-so-routine events such as your web designer denouncing technology and joining a monastery! These plans can really help you when there is a problem, and can also prevent potential problems. First, let’s talk about the types of issues a plan like this addresses.
Account Overload
Many businesses have a lot of online accounts. Can you remember all of yours off the top of your head? Perhaps you have a web hosting account, an E-Commerce shopping cart account, a PayPal business account, multiple E-mail accounts, a customer billing website, an Amazon Associates account, Google accounts for mail and web marketing, a listserv (for sending out emails to customers), group accounts for collaborating with colleagues, and many more. With so many accounts it can be hard to remember what each one is for, what the logins are and who has access to each one. I call this “Account Overload!”
Account Security
Whether you have an online business or a non-profit organization with volunteers, people will come and go— and it can be hard to track who still has access to the accounts. Some accounts may need to be accessed by more than one person. And, all of them probably contain data which is critical to your business. To me, it’s just good business practice to limit access to accounts to the people who need that access, and to have a policy for maintaining account security when there is employee turnover.
Backups and Outages
Sometimes hard drives quit, companies go out of business and other Unexpected Stuff happens. I’ve seen professional corporations with well-trained staff lose data permanently because it wasn’t backed up properly. I think that it makes sense to back up important online business information yourself, on a regular basis, even if, for example, your web hosting company says it is doing backups. Also, when there are service outages it really helps to have technical support numbers readily available so you know who to call for help.
My Recommendations
Here are some basic recommendations I’ll suggest for you to consider. You may need something more, or less, complicated than this. But this should get you thinking about what you need:
- Back ‘em Up—This is really important and often overlooked. If you do only one thing from this article, this is it! I’ve personally had a hard drive fail (mine sounded like little BB’s jumping around). I had a recent good backup and there was little disruption to my business. A backup drive and software is less than $100. Be sure to configure the backup software correctly, and also check the backups occasionally to make sure they are working properly. Unfortunately, I used the default settings when I set up the backup software for my Significant Other. And then her hard drive crashed. And then we found out the default settings weren’t backing up her Desktop folder. I restored everything else but that folder’s files were gone. Ouch! In the backup plan, I’d suggest describing what needs to be backed up, how to back up each account, how often backups are done, where they are stored and who is doing them. Plus any passwords needed if the backups are protected or encrypted.
- List ‘em Out—List all the accounts, their web addresses, what each is for, their logins and passwords, and who has access to them.
- Account Use Policies/How-To’s—Describe any stuff that is important to know about when using each account, including simple auditing controls. For example, perhaps you are a non-profit organization with a PayPal donations account. It might be a good idea to have the treasurer plus a board member logging in and reviewing donations compared to what is actually going into the bank account, once a month.
- Change Passwords—Go through all accounts, review them, and change all the passwords once a year or as needed. For example, if a board member with access to financial accounts resigns, it’s probably a good idea to change the passwords for financial accounts that person had access to.
- Principle of Least Access—This means that only people who actually need access to logins and passwords should have them. For example, once I’ve set up an E-Commerce system for a customer, she can change the password and I don’t need to know it anymore!
- Keep the Plan Secure—E-mail isn’t secure so I wouldn’t pass the plan around that way. I suggest that you keep the plan printed out but not on your computer, stored in a secure location such as a locked drawer or safe. If the motherboard (or hard drive, or other critical component) fails on your computer, storing the plan there isn’t going to help you much! However, I recognize that it’s convenient to have the plan available on your computer. If you do decide to store it there, I recommend that it be password-protected and encrypted (and in addition to the securely-stored hard copy). By the way, I actually did have a computer in which the motherboard failed, so I can tell you these things can and actually do happen.
- Follow the Plan—The plan doesn’t do anything by itself. For it to work, it needs to be kept updated, be distributed to those who need it, and people actually need to follow it! This sounds obvious, but I recommend checking in with people informally to make sure they are actually following it. Hint: it helps to set up online reminders for to-do items in your plan. It also helps to set up backups to run automatically (as long as you check to make sure they’re working occasionally).
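The “check the backups occasionally” advice in “Back ‘em Up” and “Follow the Plan” is the step most people skip, and the missing-Desktop-folder story is exactly what a check would have caught. Here is an added example (my own illustration, not code from the article or from any backup product) of such a check: it assumes the plan lists the folders that must be backed up, walks each one on the source, and confirms that every file exists in the backup copy with identical contents. The source and backup trees below are constructed inside a temporary directory purely for the demonstration; the backup deliberately skips the Desktop folder and holds a stale invoice so you can see what the report looks like.

```python
"""Check that a backup really contains what the continuity plan says it should.

Added example, not from the original article. Assumes a plan entry listing
required folders (REQUIRED_FOLDERS below is hypothetical) and a backup copy
reachable as a directory tree.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Hypothetical plan entry: folders (relative to the source root) that must be
# in every backup. A folder the backup software silently excludes by default
# shows up here as "missing".
REQUIRED_FOLDERS = ["Documents", "Desktop", "Invoices"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(source: Path, backup: Path, required=REQUIRED_FOLDERS) -> dict:
    """Compare source against backup for each required folder.

    Returns a report with folders absent from the backup, files absent from the
    backup, files whose content differs (stale copy), and how many files were checked.
    """
    report = {"missing_folders": [], "missing_files": [], "mismatched": [], "checked": 0}
    for folder in required:
        src_dir, dst_dir = source / folder, backup / folder
        if not src_dir.is_dir():
            continue  # nothing to back up on this machine; not a failure
        if not dst_dir.is_dir():
            report["missing_folders"].append(folder)
            continue
        for src_file in src_dir.rglob("*"):
            if not src_file.is_file():
                continue
            rel = src_file.relative_to(source)
            dst_file = backup / rel
            report["checked"] += 1
            if not dst_file.is_file():
                report["missing_files"].append(str(rel))
            elif sha256_of(src_file) != sha256_of(dst_file):
                report["mismatched"].append(str(rel))
    return report


def backup_is_good(report: dict) -> bool:
    """True only when nothing is missing or stale."""
    return not (report["missing_folders"] or report["missing_files"] or report["mismatched"])


def build_demo(root: Path):
    """Constructed demo data: the backup forgot Desktop and has an old invoice."""
    src, dst = root / "source", root / "backup"
    for folder in REQUIRED_FOLDERS:
        (src / folder).mkdir(parents=True)
    (src / "Documents" / "plan.txt").write_text("continuity plan")
    (src / "Desktop" / "notes.txt").write_text("important notes")
    (src / "Invoices" / "2008-09.txt").write_text("invoice v2")
    shutil.copytree(src / "Documents", dst / "Documents")   # copied correctly
    (dst / "Invoices").mkdir(parents=True)
    (dst / "Invoices" / "2008-09.txt").write_text("invoice v1")  # stale copy
    return src, dst                                           # Desktop: skipped


def demo() -> dict:
    """Run the check on the constructed trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = build_demo(Path(tmp))
        return verify_backup(src, dst)


if __name__ == "__main__":
    r = demo()
    print("backup OK" if backup_is_good(r) else f"backup PROBLEMS: {r}")
```

Pointing `verify_backup` at your real source folder and the mounted backup drive, and running it from the same scheduled job that runs the backup, turns “check occasionally” into something that happens every time; the report is also a handy thing to paste into the plan’s backup log.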
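“List ‘em Out”, “Change Passwords” and “Principle of Least Access” all work off the same thing: an inventory of accounts, who holds access to each, and when the password was last changed. This added example (mine, not from the article) keeps such an inventory as plain data and answers the three questions the plan asks: which passwords are past the once-a-year rotation, what has to change when a particular person leaves, and which accounts are shared more widely than the plan allows. The inventory, the names in it and the sharing threshold are all constructed for the illustration; passwords themselves are deliberately not in this list, only the record of who holds them.

```python
"""Account inventory with rotation, offboarding and least-access checks.

Added example, not from the original article. The inventory below is
constructed; in practice it is the "List 'em Out" table from the plan.
"""
from datetime import date

# Constructed inventory: purpose, whether money moves through it, who has the
# login, and the date the password was last changed. No secrets stored here.
INVENTORY = [
    {"name": "PayPal donations", "financial": True,
     "users": ["treasurer", "board-member-1"], "rotated": date(2007, 9, 1)},
    {"name": "Web hosting", "financial": False,
     "users": ["owner", "web-designer"], "rotated": date(2008, 8, 15)},
    {"name": "Bank portal", "financial": True,
     "users": ["treasurer", "board-member-1", "board-member-2"], "rotated": date(2008, 1, 10)},
    {"name": "Newsletter list", "financial": False,
     "users": ["owner", "volunteer-3"], "rotated": date(2008, 9, 20)},
]

ROTATION_DAYS = 365  # the article's "once a year"


def rotation_overdue(inventory, today: date, max_age_days: int = ROTATION_DAYS) -> list:
    """Names of accounts whose password is older than the plan allows."""
    return [a["name"] for a in inventory if (today - a["rotated"]).days > max_age_days]


def offboarding_actions(inventory, leaver: str) -> dict:
    """What to do when `leaver` departs: every account they could log in to
    needs a new password, and the people listed under remaining_users are the
    ones who must receive it. Financial accounts are listed first."""
    affected = [a for a in inventory if leaver in a["users"]]
    affected.sort(key=lambda a: not a["financial"])  # stable sort: money accounts first
    return {
        a["name"]: {
            "financial": a["financial"],
            "remaining_users": [u for u in a["users"] if u != leaver],
        }
        for a in affected
    }


def least_access_review(inventory, max_users: int = 2) -> list:
    """Accounts shared by more people than the plan's (hypothetical) threshold,
    as a prompt to ask whether everyone listed still needs the login."""
    return [a["name"] for a in inventory if len(a["users"]) > max_users]


if __name__ == "__main__":
    today = date(2008, 10, 5)  # the article's publication date, used as "now"
    print("Rotation overdue:", rotation_overdue(INVENTORY, today))
    print("If board-member-1 resigns:", offboarding_actions(INVENTORY, "board-member-1"))
    print("Shared more widely than the plan allows:", least_access_review(INVENTORY))
```

The point of keeping the inventory as data rather than a paragraph is that the annual review and the resignation checklist stop depending on someone remembering every account; the script produces the to-do list and the plan owner just works through it.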
This might sound like a lot, but it doesn’t need to be an overwhelming undertaking. You can do it in pieces if you want. If you would like help creating an online business continuity plan, I’d be happy to be of service. We can put one together that meets your organization’s specific needs, and is something practical that you can deal with.
