Business Continuity Planning – Preparing for Coronavirus (COVID-19) and Home Working

March 13th, 2020
Business Continuity Planning – Preparing for Coronavirus (COVID-19) and Home Working

Script-Stationers-Blog-Banner

The World Health Organisation is saying; the world is in "uncharted territory" with the Coronavirus outbreak. 

On the 12th March The Prime Minister, Boris Johnson, stated it was "the worst public health crisis for a generation" Going on to state it was important to get the timing right for stricter measures” 

This follows Boris’s prior statement on the 3rd of March that up to a fifth of UK workers 'could be off sick at the same time'

In response, we have looked at the possibility of staff not being able to get into the office. Delving deeper, we also looked further into the possible impact should a member(s) of our team be unable to work due to sickness. 

We use dynamic risk assessments in developing and changing situations, basing change as the constant with ongoing reviews in place. Our risk register is used to build a risk profile and score measuring the likelihood, the impact, and the severity with mitigation plans in place.

Following the COVID-19 outbreak, we have implemented new policies, procedures and updated our business continuity plan (BCP) to mitigate the risks this presents. Our policies are designed to protect our people, secure our technology with best endeavours to continue to support our customers. We may never need to execute our Business Continuity Plan, but it's always good to know you're ready. Through our preparations hopefully, you can look at your business preparations too.

We offer our customers assistance in designing, developing and maintaining a business continuity plan (BCP). A BCP is a plan of action should the worst happen. It documents the next action steps, of the who, what, and how you can respond should you suffer any disruption to the business. We've seen it all from technology disruptions such as Cyber Attack, a data breach, to hardware or software failure, and the impact to your business should you suffer an act of God such as a flood or storm, or find the office ablaze suffering a fire. Not to mention a theft or what would happen if an employee went rogue. Or as in this instance, a major health outbreak that is now a pandemic.

Office-based activities have been covered in this article. For manufacturing-based businesses, you will also need to consider precautions to include production and admin activities.

Preparation Overview Checklist

We have looked at the following during our preparation with our core focus being security first and continuity throughout:

  • Systems: Does everyone who needs access have access should they not be able to get in the office?
  • Connectivity & Remote Working: Do we have the required connectivity and bandwidth to handle remote working?
  • Devices & People: Do all staff who need to access from home have a secure computer they can work from?
  • Phones: Can staff connect to the office phone system from anywhere, or divert calls?
  • Communication Plans: Is there a key contact list in place that is up to date, so your team know who to call?
  • Supply Chain: Is your supply chain ready, including 3rd party vendors which cover your hardware, software that you run on.

Systems - Checklist

Firstly for us to understand how we will continue to work; we need to look at what systems we have in place.

What we've done to prepare

Looking over the mission-critical systems that we use day in and day out covering;

  • Email - Customer Support & Comms
  • Support Application - Customer Support & Comms
  • Ticketing Management System – For Customer Support
  • Telephones - For Customer Support & 3rd Party Support
  • Remote Management Tools
  • File Storage
  • Vendors Systems
  • Documentation Systems
  • Finance and Accountancy Systems
  • Customer Management Systems (CRM)
  • Website
  • Backup And Disaster Recovery

In line with our cyber-security policy, we won't go into detail of these systems.

Next, we looked at how we access those services, by design Think Cloud’s systems are fully cloud-based. Meaning we can access them from anywhere, anytime and in any location. However, some services are locked down to only be accessible from our IP address, see below in the Remote Access or for some VPN and Connectivity Section.

What we suggest you do to prepare

Look at all the departments across your business. Asking each department head to think about the systems they use every day. Then build out a list, looking at how and where you access those systems and also where your data is hosted. For example:

System How do we access it ?
Email Office 365 - Cloud-Based
Finance Sage 50 Installed on Accounts PC, Data on Server
Files Some in MS Teams mainly on Server
Line of Business Application Installed on each PC, Data on Server
Customer Management System Hubspot - Cloud-Based
Phones VoIP Platform - Cloud-Based
Print/Scan Printers located in the office. Relocate Printer or Purchase 2nd Printer/Scanner for remote working.

Once you have done this, you need to consider what would be available if you didn't have access to your offices. In the example above the company already has remote access to their Email & CRM as they are both Cloud-based, but some discussion is required around the finance line of business application and file system.

File Systems

Your next step is to highlight what are the most important files or folders for your organisation to have access to. For example; accounts information, client information, marketing assets, company letterheads to contract templates etc. Dig deep and think about what each department needs to function day to day. Once completed, you'll be able to ensure that these files are available to all those that need them. 

There are many ways to do this, in the example above we can see that they are using Office 365, one of the additional benefits of this service is Microsoft Teams, within Teams you can create a Team for each department. Then upload the files they will need. You can ensure that the data is safe and secure, with only the right users being given access to the information they are meant to have.

File Backup

When you store data, you need to consider how it's backed up? You may think that by moving everything to Office 365, that it is backed up, but that's not the case. While Microsoft, certainly has you covered when it comes to any outages on their part, they don't cover loss of data due to deletion be it accidental, or malicious.

Microsoft Cloud Services operate on 'The Shared Responsibility Model'.

In Summary:

  • Microsoft protects its infrastructure of the Cloud.
  • End clients are required to protect data within Microsoft's Cloud

This extract is taken directly from Microsoft's SLA:

"We strive to keep the services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as result. In the event of an outage, you may not be able to retrieve Your Content or Data that you have stored."

So in the same way its recommended that you backup your office servers, you must be backing up your cloud services files and data too.

What about USB drives I hear you say? 

USB drives get lost, and if you have any more than a single person requiring access to the data, it is impossible, as others won't have access to the data, so they are a problem. If you must use a USB drive and the data is just for you, always ensure you are encrypting the USB drive keeping it secure. Windows 10 Bitlocker allows you to do this. Using Bitlocker To Go, BitLocker, drives can be encrypted. Then using BitLocker To Go on another machine these can be opened with a password or smart card using Bitlocker Control Panel.

On-Premise Systems

By "On-Premise" we mean the system runs and is hosted from a server or workstation within the organisation. Typically a mainframe server but in smaller businesses, Sage may be installed on a single machine ie the accounts PC. Generally, these are not usually accessible outside of the office network. We will cover this later on what you can do in this situation see our Connectivity and Remote Working section below.

Connectivity & Remote Working

If you're not able to access your services in the Cloud as you run on-premise applications and services, you need to consider remote tools or VPN connections.

Remote access tools allow users to access their office PC's or laptop from another device, even their iPad, securely. This solution allows you to access your office PC as if you were sat within your office. We recommend all machines used to access your network meet our recommended minimum PC & Laptop Specification listed below. 

Recommended Minimum PC & Laptop Specification 

Component  Minimum Specification
Processor Intel i5
Memory (RAM) 8GB
Storage 256 SSD
Operating System Windows 10 Pro - For Business
Patch Management Microsoft & 3rd Party Security Patch Mgt
IT Help Desk Tools Remote Support & Helpdesk Support Application
Remote Access Tools Think Support Agent Tools

VPN's create a secure link between your connection (for example, your home) and your office. It works as if you are connected to your office network when you are not in the building and allows access to files on your server to some light applications from a remote location. Some heavier client-based applications like Sage require a remote desktop connection. With this solution, we would use a VPN to create a secure link to the network and then logon to a designated Remote Desktop Server which has the application software installed. This allows multiple* users to connect to a single server to access the software. 

(*Please note additional software licenses may be required).

Public & Home PC’s / Devices 

We do not recommend the use of home or public Laptops & PC’s. The sad truth is most public and home computers are not as secure as their business counterpart.

A compromised home PC that is allowed to remotely access their employer’s systems can serve as a gateway for cyber-criminals to attack company networks, either directly or through malware payloads. SMBs must have policies in place to limit such access and protect themselves from criminal intrusions.

 Example of risks presented are:

  1. Multiple family members may be using the same PC and it is hard to control the websites they visit. For example, many websites sporting free games are conduits for malware and viruses.
  2. Many home PCs do not have strong anti-virus and anti-malware programs and most are not kept up-to-date.
  3. Keyloggers or malware may be present and compromise your network.
  4. Many home users have old outdated and End Of Life Systems ie Windows 7 which no longer receive security updates and will be more vulnerable to cyber-attack.
  5. Strong passwords are the first line of defence against unauthorised access. Many home machines either have very weak passwords or no passwords at all!

With remote screen sharing solutions that limit many of these risks with 2FA, there is still and one time sessions;

File sharing example of risks to add to the examples listed above.

  1. Potential breach or infected file being transferred from an unmanaged device
  2. Files being left on personal/ public device.  
  3. Risk user not logging out of a session.

Think Cloud Inc Ltd strongly advise against the use of home and public devices given the risks presented above. Any public or home devices used are at one's own risk. 

So how have we've prepared

All of Think Cloud’s Systems are in the Cloud. Security is a priority to us so to meet our own high standards and Cyber Essentials Plus. All Cloud systems have Multi-Factor Authentication (MFA) and where possible secured with a physical USB Security Key. Additionally, some systems are locked down by our public IP address meaning we can only access these systems via our office or a secure link into our office.

How we suggest you prepare

If you are fully Cloud-based, fully on-board with Office 365 & Teams or Google G Suite you can simply take your device home, connect to the internet and continue working.

Alternatively, the easiest way to access your data if you are on a server-based environment is either via Remote Access Software. Allowing you to control the PC and all its software and resources remotely, or via VPN where you would take your laptop/PC home and connect to your office firewall securely giving you file access.

Considerations

Two key considerations to think about;

Firstly, Not all firewalls support VPN's. Often you need additional licences from your firewall vendor to provide this feature. Typically 2-5 are included by default; this may be sufficient as not all staff may require VPN access. If however, you require all staff to have access, licencing and set up will need to be reviewed.

Secondly, traffic from your VPN will be carried over your internet connection. A key factor of internet connections are the important stats of your upload and download speeds. Traffic over a VPN will require a much larger bandwidth both up and down, but importantly upload. This presents a problem if you are running over a basic connection or maybe in a location where you are capped by your location, i.e. a rural area.

With leased lines, they often carry a guarantee of bandwidth, which is not the case with FTTC (e.g. KC Lightstream) or ADSL connections. We advise you to check with your Internet Service Provider to ensure that your current bandwidth is sufficient. You should also consider if all staff need access to the VPN, it may be only key staff that require access.

We have provided a fictional example below which shows if we moved all the critical files to Teams, meaning only Sophia and George need VPN access. Their laptops need to be configured (more on devices below).

System How do we access? Who needs access? Actions
Email Office 365 - Laptop, Webmail or Mobile Everyone Check users have credentials and MFA
Finance Sage – Accounts PC & Server Sophia & George Access via Remote Access Software.

Provision remote laptop and check meets minimum specification.

Files Some in MS Teams but mainly on Server Everyone Setup Teams and Move Key Documents
Customer Management System Hubspot – Cloud-Based Sales and Management Teams All OK

People & Devices

Systems aside, now we need to check which of your team are going to work remotely out of the office, and what device are they going to use? Some users may be able to work from their iPad or Phone, but the question to answer ‘will this be good enough for the business and the user?’ Laptop users will be able to use their company laptops remotely (see VPN above). The next question raised is ‘what about users who don't have access to a company laptop and use a desktop PC?’

How we've prepared

All key members of staff use laptops and our systems are all Cloud-based. All our systems are secure and meet Cyber Essential Plus Standards. This allows our staff to work from anywhere with an internet connection.

Resources you may find useful

  1. Gov.uk The best place to find government services and information
  2. Coronavirus (COVID-19): UK government response
  3. Coronavirus (COVID-19) action plan

How do I protect myself?

The best thing is regular and thorough hand washing, preferably with soap and water.

Coronavirus spreads when an infected person coughs small droplets - packed with the virus - into the air. These can be breathed in, or cause an infection if you touch a surface they have landed on then your eyes, nose or mouth.

So, coughing and sneezing into tissues, not touching your face with unwashed hands, and avoiding close contact with infected people are important for limiting the spread.

Face masks do not provide effective protection, according to medical experts.

What are the coronavirus symptoms?

Coronavirus infects the lungs. The symptoms start with a fever followed by a dry cough, which can lead to breathing problems.

It takes five days on average to start showing the symptoms, scientists have said, but some people will get symptoms much later than this.

The incubation period lasts up to 14 days, the World Health Organization (WHO) says. But some researchers say it may be up to 24 days.

Cover For Staff

In the unlikely event that all our staff are unable to support our clients due to illness, self-isolation or for any other reason, we have a backup through an external 3rd party help-desk provider that we have already engaged with for continuity of service if required. Our provider will be able to continue supporting our clients with the necessary knowledge and documentation, having access to our systems as if they were our staff.

How we suggest you prepare

Refer to your list of staff and create a list of devices that they will use in a continuity situation.

User Recommend Device Access Required Actions
Sophia Company Laptop VPN for Sage, Email,
Hubspot sales, Teams
(Sales, Finance, Management)
Set up VPN Remote Access Login. Check Laptop meets recommended minimum specification.Configure profile
George Company Laptop VPN for Sage, Email, Hubspot,
Teams (Sales, Finance)
Set up VPN Remote Access Login. Check Laptop meets the recommended minimum specification. Configure profile
Sue PC in office, Company iPad Email, Teams
(Management)
Happy to use iPad for email and docs.
Tim Chrome Device/iPad Email, Teams, Hubspot
(Sales)
No action
Raj Chrome Device/iPad Email, Teams, Hubspot
(Marketing)
No Action
James PC and Surface Pro Email, Teams
(Management)
Will use Surface
Paul Only Office PC Email,Hubspot, Teams
(Sales, Finance, Management)
Order additional spare laptop inline with  minimum.Set up VPN Remote Access Login. Configure profile
Sue PC in office, Company iPad Just email Setup iPad

Make a list of actions that are needed to ensure all key staff will be able to continue working and that they have the right equipment to do so.

The problem with allowing users to use any device to connect to company systems (for instance, their home PC), is that you have no control over those devices. A home PC could have been used by anyone to access illegal streaming sites, and have dormant malware embedded on the device, such that when a user connects to company resources, this malware may cause potential issues, either through usernames and passwords being stolen, or viruses transmitted.

Who are the key people in your business? What would you do without them? You may be able to survive without one of the sales guys but what about fee earners, customer services, admin or technical staff? Should you engage with a temp agency, or locum service now, so that you know who's best to speak to when you need cover at short notice?

Phones

How we've prepared

We use a Cloud-based phone system; therefore, we have a few options, we can access our desk phones at a different location, but more than likely our staff will log in to the softphone applications via their mobiles, or laptops, meaning there will be no difference to inbound or outbound support calls or enquiries coming into the business.

How we suggest you prepare

Speak with your communications provider; if you're a small business, you may be able to continue by diverting your local number to your mobile. However, if you're using an on-premise phone system, it will need to be a bigger discussion.

Will you be able to divert extensions to mobile numbers? What impact does this have to your phone bills? Often when calls are diverted, the phone system will take the call and forward on with an outgoing call that will last as long as the call before disconnecting. This could be costly if you have a lot of extensions requiring diversion. Your comms provider may be able to install an add-on to give you softphone functionality or divert your DDI numbers at source; there are many options available.

If you're looking for a modern phone system that is flexible and affordable, give us a call, and we can recommend a suitable solution.

Communication Plan

A great tool in any Business Continuity Plan is a communication plan. What do you need to do to tell everyone not to come to the office? Are phone lists on everyone's desk, but what about if the office is inaccessible? In the days of WhatsApp and iMessage it's pretty easy to inform all staff of situations in smaller businesses, but if you're a larger company can you contact everyone, all at once?

You should also have a list of key contacts both in the business and out, this should include your insurance company, IT providers, HR consultants, external payroll and possibly others.

Supply Chain

How we've prepared

One way our business will definitely be impacted is through our supply chain. China is the world's largest manufacturer of technology from mobile phones, computers, and televisions. The outbreak started in Wuhan which is home to factories that build everything from solid-state hard drives to fibre-optic cables. Many vendor's products are not made in China, but the components which go into them certainly are.

Previously this happened during events such as the SARS virus of 2002-2004 & the Tsunamis that hit in 2012. This meant the affected factories were unable to meet demands resulting in shortages and price increases.

We are already witnessing shortages in the supply chain and increased prices, which we are currently managing through relationships with our distribution partners and our vendors.

We are continuing to monitor the situation ensuring we're delivering projects as quickly and as effectively as possible. Hardware aside, we have discussed and continue to monitor all our external 3rd party service providers to ensure their business continuity plans are in place.

How we suggest you prepare

Are there projects that you are considering that require hardware? A new server or thinking of going fully Cloud, with Office 365 Or Google GSuite? Have you been thinking of rolling out laptops rather than PCs? Are you still using Windows 7 machines that need to upgrade to Windows 10? Or A Major networking refresh?

If so you should discuss with your partner to ensure that any planned project, dependent on hardware or software, will be able to be delivered on time. We are seeing many customers bringing projects forward.

Secondly, speak to your external providers, a great example is when you use an external payroll provider. If so, what would happen if they were unavailable and their systems were down? What plans do they have in the event their staff are unavailable? Your team may be fine, but they'll get very upset if they're not paid on time because your payroll can't be run! So ensuring you have all your a plan in place will really go a long way to help.

So Finally

We do hope you'll never have to use your Business Continuity Plan, whether its Coronavirus or any other disruption to your business. Having a plan means that you are ready, your productivity won't suffer, and most importantly, you won't lose customer trust.

As our final reminder

  • Systems: Does everyone who needs access have access should they not be able to get in the office?
  • Connectivity & Remote Working: Do we have the required connectivity and bandwidth to handle remote working?
  • Devices & People: Do all staff who need to access from home have a secure computer they can work from?
  • Phones: Can staff connect to the office phone system from anywhere, or divert calls?
  • Communication Plans: Is there a key contact list in place that is up to date, so your team know who to call?
  • Supply Chain: Is your supply chain ready, including 3rd party vendors which cover your hardware, software that you run on.

We hope you've found this article helpful, if you'd like to discuss any part of it, please contact one of our team directly, or our Chief Operations Officer our Dean Bulfeild and or Scott Clark our CTO & Director. Both have been locked away working on our plans at Think Cloud. Reach out to discuss how you can ensure you won't have any issues.

Remember, just ask we have a simple business continuity plan ready and available for you to download.

Think Cloud Risk

We have considered the risk to Think Cloud and have scored this a low to moderate risk-taking into account the following considerations to-date:

We continue to monitor the situation updating our dynamic risk assessments which help us to make informed decisions as the situation develops.

Resources you may find useful

  1. Gov.uk The best place to find government services and information
  2. Coronavirus (COVID-19): UK government response
  3. Coronavirus (COVID-19) action plan
  4. COVID-19: track coronavirus cases (Desktop)
  5. COVID-19: track coronavirus cases (Mobile)
  6. World Population Prospects (2019 Revision) - United Nations population estimates and projections.
  7. Historical Estimates of World Population

Leon McQuade

Leon McQuade

Co-Founding Director

Leave a comment!

All fields marked with an asterisk* are required.