Tags: crisis management, elevated access privilege, iPhone, key staff, Microsoft OneNote, MobileNoter, network admission control, online meetings, Sharepoint, skype, smart phone
So, how was the office when you arrived at work on last Monday morning? Quiet? Like all good disasters, the eruption of Eyjafjallajökull in Iceland was the first of a cascading series of events. The eruption occurred at a time when, unseasonably the prevailing winds across the UK were from the North West (typically at this time of year, our weather comes from the South West), carrying the ash cloud over Northern Europe. In truth the authorities had no choice to close airspace until the picture became clearer. But, you know all this. The key thing, is it happened on the final weekend of the schools’ Easter holidays, leaving thousands of families stranded. Up to 100,000 Britons were caught up in the chaos, so chances are, at least some of your staff didn’t show up on Monday morning and some of them may not be back yet. It’s always inconvenient when staff are absent, but what if they’re key workers? While we’re prepared (at least to some degree) to cope with major disruptions to our IT infrastructure, or even our physical premises, there’s an increasing awareness that people also affect business continuity. When disaster strikes, the first priority is to stop events spiralling out of control and developing into a crisis. In his book “Managing the Human Factor in Information Security“, David Lacey describes how the most sophisticated organisations have standing crisis management teams and conduct regular exercises for those team, anticipating a wide range of situations, however improbable, and planning the business response to protect reputation and customer confidence. A little over a year ago, we were listening in horror to apocalyptic forecasts of the impending Swine Flu pandemic. Mercifully, that didn’t happen to anything like the level feared. But hopefully, the planning you did then (you did make plans, didn’t you?) will have helped you this week. As we emerge from the recession, staffing levels have been pared to the bone; plus, we know that many families barely cope with childcare provisions, particularly during school holidays. So, it’s prudent to assume that loss of key workers is to be a recurring problem.
To prepare your business, you need to be able to answer the following questions:
- Do you know who your key workers are?
- Do you know where they are at the moment?
- What critical activities are they handling in the short-term?
- What information do they need to keep those activities moving?
- Can they access it remotely if necessary?
- If a key worker becomes unavailable, who could deputise?
- Do those deputies know what the priority actions are?
- Can they reach the necessary information?
One important thing you could do, which is specific to the recent problem, is to provide assistance to key staff when they’re travelling, either on business or for pleasure. Until last year, I worked for a very large global software vendor. When I booked a trip through the corporate travel booking system, my itinerary and contact details were automatically passed to a partner organisation. I carried a card with telephone numbers for a 24 hour emergency contact centre and, if needed, the partner could arrange direct assistance including evacuation if needed. Once you understand the “who” and the “what”, you can turn your attention to the “where” and the “how” by preparing mitigation strategies:
- Equip your key staff to work off the premises — many of your key workers may already be equipped with laptops and smart phones, to fulfil their day-to-day responsibilities. Do they need to be given additional equipment? 3G dongles or modems? Would it be wise to provide more key staff with laptops and smart phones?
- Make sure your key staff are set up to work from home — As well as providing the necessary equipment, you need to be sure that home workers have adequate facilities. The UK’s Chartered Institute of Personnel and Development offers advice on managing home workers.
- Make sure your key staff have access to audio/video conferencing and online meeting facilities — Providing access to an audio conference bridge is easy to set up. You can relay the bridge details by mobile phone or email as needed. Where staff need to use this facility with customers or partners, they’ll need their own bridge account with your supplier. There are a range of online meeting systems, such as Microsoft Live Meeting, Citrix Goto Meeting or Cisco Webex. Many organisations ban the use of Skype on corporate networks, but in an emergency, it’s simple to use and many people already have access from their home PCs.
- Rethink your admission control for personal devices — Organisations are understandably reluctant to let staff use personal devices (PCs, smart phones) to access the corporate network. But, in an emergency, this could be the only way to reconnect key workers, who can’t make it into the office. Consider whether you can pre-approve home PCs for some key staff (Do they have up-to-date anti-virus/spyware? Is Windows Update turned on?) and relax network admission controls to allow their use in an emergency (you don’t use admission controls? We really need to talk!)
- Decide how you’ll cope with the additional connections through your VPN gateways and firewalls — The likelihood is that your contingency plans will mean a large increase in the number of staff access the corporate network from outside. It’s wise to hold discussions with the vendors of your perimeter security solutions beforehand, to decide how any licence “overdraft” can be handled.
- Make sure that deputies can access all the data they need in the absence of key staff — This is a procedural issue, to provide elevated access privileges to those staff who will deputise for missing key workers. The procedures for requesting and approving elevated privilege, and for “break glass” access in a fast-developing emergency can be built into your identity and access management systems, but that’s a subject for another post on another day.
- Consider how you can arrange for collaboration on key project information — I’ve written before in this blog about how you can organise information in Microsoft OneNote and synchronise it between an office PC and a laptop. I’ve also written about how this synchronisation can be extended to the iPhone. In the corporate environment, collaboration using OneNote notebooks can be managed through the (increasingly ubiquitous) Sharepoint portal. Using a combination like this, the key information needed for critical activities is shared between all the members of your team and can be accessed almost wherever they are. For now, the solution for iPhone is limited to read-only, but even that is due to be rectified very shortly.
One final thought — like all contingency plans, you need to test your arrangements. There are bound to be things you’ve forgotten and you’ll only find out what they are when you do it. Online tech news website Silicon.Com arranges periodic “Work at Home” days, where all the editorial staff stay out of the office and they try to run the business day as normal. It’s an excellent way to find out what works and what needs tweaking.
Tags: Add new tag, DocScanner, iPhone, Microsoft OneNote, MobileNoter, smart phone, SMS
As I continue to develop the information management strategy that I first laid out in my very first blog post, it’s becoming clear that the two applications at the heart of this strategy (and pretty much always open on my desktop) are Outlook and OneNote. Of course, as I’ve often pointed out, when I’m on the move, I don’t have the backup of a sophisticated unified messaging infrastructure sitting behind Outlook; rather, I need to do the best I can to synchronise between those two critical applications back at base and my iPhone. I was reading a blog post recently from the MobileNoter developers, which was looking for opinions on additional features that might be useful in this great little app. On offer were:
Improving control of the iPhone camera from within the MobileNoter app;
Adding the ability to import SMS messages into (presumably) Quick Notes.
I do use the camera on my iPhone, mainly to capture hardcopy documents and the contents of flip charts and white boards. I use an iPhone app (Document Scanner) to do this, and it gives me all the capabilities I need to correct the perspective, adjust the image properties and so on. It even provides OCR to to capture the text. The result can be saved as a jpeg or multi-page pdf. The jpeg can of course be attached to a Quick Note, while either format can be emailed back to the office PC. So, do I need more camera facilities within MobileNoter? Probably not.
The second option is more interesting. In the early 1990’s, I was working as Head of IT at a UK defence contractor. One of my priorities was to migrate our (for that time) fairly large population of mobile phone users from analogue car phones onto the new digital GSM service. One of the first things we discovered on our new phones was the message displayed on the screen to notify the arrival of voicemail. This was the first use of the Short Message Service (SMS). SMS began its life in 1992, utilising unused bandwidth in the out-of-band signalling system used to control traffic. This meant that these messages could be carried at virtually no cost – indeed, when we started, SMS was a free service, but you had to explicitly ask for it to be enabled for your phone – provided the messages were limited to 160 characters (to fit in with the existing control message formats). At the start (around 1993 for us), our Motorola 5200 flip phones could only receive SMS messages, not transmit them. However, we found that we could generate messages to these phones, by establishing a telnet connection to Vodafone’s SMS Service Centre in Newbury (over a 2400baud dial-up modem – yes, really!) and typing the message. We built on that by writing an extension for Microsoft Outlook in Visual Basic, to allow our users to select a colleague by name (we used a simple file of names and phone numbers, not the Global Address Book) and then type and send their message. The VB program then dialled the SMSC and sent the message. Not very elegant, but it worked! For the first time, a secretary in the office could send messages to the manager in their car – our first tentative steps towards mobile messaging.
Of course, SMS developed rapidly – much to the amazement of the GSM operators, who thought it was likely to remain an interesting engineering trick, with little practical application. Once all digital mobile phones had the ability to both send and receive text messages (Nokia were first to achieve this across their product range, by the end on 1993), SMS was quickly adopted by younger users, not least because of the very low cost. According to Wikipedia, the average cost of sending an SMS message is US$0.11, while the cost to the network operator is virtually zero. By 2008, 4.1 trillion messages were sent world-wide. For business users, the attraction was the ability to send a message to virtually any mobile from anywhere.
Although SMS was not the only text based messaging service available, it was not really until earlier this decade that a viable alternative became available with the arrival of the BlackBerry in 2002. I didn’t get my hands on a BlackBerry until around 2006, but when I did, it certainly changed my dependence upon text messages. The simplicity of sending “proper” emails wherever I was made that the obvious choice and I only sent text mesages when I knew that the recipent was out of the office and didn’t have a smart phone.
More recently, since I became self-employed, my usage pattern has changed again, because:
- I’ve changed to using the iPhone, where the simple intuitive screen layout and threaded messages make it a far more powerful tool and
- Data roaming charges for the iPhone when I’m travelling are prohibitive, while SMS charges are still modest.
So, a quick scan through the SMS messages currently on my iPhone shows countless pieces of information (URLs, contact details, addresses …) that I’ve manually transcribed into OneNote notebooks. So, no doubt in my mind – the facility to import text messages into MobileNoter will be yet another step towards converging those two critical applications.
Tags: backup, CA, cloud, iPhone, Microsoft OneNote, MobileNoter, smart phone
10 years ago, I was interviewed for a position within the newly formed eTrust security practice at Computer Associates (now CA). The Consulting Director who interviewed me asked how much I knew about the eTrust product set. I reeled off the list of products (I know how to research!) and explained which of them I had firsthand experience with. I concluded by saying “Oh, and we use Arcserve for all our backups.” The consulting director pointed out that Arcserve (CA had recently acquired Cheyenne) is a storage product, not a security product. My response “It is where I come from!” I got the job anyway.
The point of this anecdote is that security is based on that well-known triad Confidentiality-Integrity-Availability. In fact, Dorothy Denning makes a compelling argument for expressing both confidentiality and integrity in terms of availability. So, of course backup and recovery – the first line of defence for availability – are part of security.
More recently, as I was setting up Identigrate UK, my desktop PC suffered a catastrophic failure. Things rapidly deteriorated until I couldn’t even start the machine in SAFE mode. However, as a long-time paranoid security specialist (even paranoids have real enemies, right?) I had set up regular backups to an external eSATA drive (stored in a fire and water proof safe). I had also set up to backup critical documents (business plan, budget spreadsheets …) as they changed, using BT’s Digital Vault service. Finally, the PC manufacturer had had the good sense to configure a recovery disk, based on the excellent Norton Ghost. So, after half a day of hard work, my PC was restored, all applications re-installed and virtually all data recovered. It reminded me of a (somewhat cynical) definition of backup as “something you start doing immediately after your first hard disk failure”.
On 10 October, after a week of escalating outages, T-Mobile was forced to announce to it’s Sidekick users that their data had been lost and that recovery was extremely unlikely. For those that (like me) haven’t come across the Sidekick before, it’s a smart phone, manufactured by Danger Inc. Microsoft acquired Danger Inc in February of this year. The important thing is that the Sidekick doesn’t store data (contacts, calendars, to do lists, photos) locally, but rather stores it “in the cloud” or more accurately on Danger’s servers.
It’s still not clear what actually happened, but there’s speculation about a bodged SAN upgrade. However it happened, how can you possibly run any enterprise IT setup and not have fully functioning – and tested – backup and recovery processes?
Now, I use an iPhone, so could the same disaster befall me? Well, no. My iPhone stores most of its data locally on the device. When I connect the iPhone to my PC, it makes a backup on the PC (which is then backed up to the external disk). I do use cloud services with my iPhone – MobileNoter, Google Calendar and so forth – but these are just synchronising data between my iPhone and my desktop/laptop. So, the cloud data is not the only copy.
I suppose the moral of this story is that people are carrying ever more sophisticated computing devices in their pocket and they’re using them in conjunction with ever more complex cloud services. For many people, this is all new and bewildering, but that’s going to change. As Larry Dignan comments on his blog, “As we rely on the cloud more there will become a day when everyone will have some basic knowledge of IT management. Rest assured, Sidekick customers will know you’re supposed to back up your servers better. Gmail customers may learn a bit about scalability. And TD Bank customers certainly know that you can’t merge systems without a fallback plan if things go awry.”