You may have heard of Terry Childs. He was a system administrator for the city of San Francisco who, in 2008, was arrested for refusing to divulge passwords that only he had. A long series of legal maneuvers followed, leading to Childs’s imprisonment.
Whether you’ve heard of him or not, the Terry Childs case makes an interesting and compelling argument for multiple levels of responsibility in security. The same is true for disaster recovery.
With your business’s security, there are definitely some compelling reasons to restrict the number of people who have access to sensitive information. With your disaster recovery plan, there are not. The simple truth is that the more people in your company who are aware of the plan and know what their role is in that plan, the more smoothly things will go when the disaster comes.
This infographic prepared by CareerBuilder claims that 60% of employers believe that should a disaster strike, their employees would know what to do. I wonder what the result would be if we asked the employees themselves. Do you think your employees (or your clients and their employees) know what to do when there’s a disaster, or are you the only one who knows what’s going on?
Of course, even in a disaster recovery plan, there are some security issues that need to be controlled, but again, you need to have a plan that assumes that everything is going to go wrong. John Motazedi, who’s the CEO of StorageCraft partner SNC Squared, says it like this:
What if you lose your bookkeeper? Does anyone else have the bank codes and passwords? What if you lose your admin? Who else has the extra key to the P.O. box? Who knows about billing and receipts, and where they are stored? What happens if your senior engineer dies, and he’s the only one who knows all the software codes and passwords? Insure your key people and “back up” their knowledge and processes.
(We did a case study with SNC Squared recently. They got hit by a huge tornado and handled it masterfully.)
Similarly, if your backups are encrypted, who has the passwords? You don’t want to be prepared for a disaster only to be foiled by perfect, waiting backup images that you simply can’t access.
Your plan probably deals with data and applications, but it needs to account for people and processes as well. In the same way that you store your backups locally and offsite to make sure you’re covered regardless of the type of disaster, you need multiple points of protection for the more material parts of your plan as well.
This article originally appeared on our guest blog spot on MSPMentor.