Every business needs to have a proper business continuity plan in place. This includes making sure there is redundancy and continuity with the IT team. If there is no other lesson to be learned form 2020 its this, you have to be able to run your business under any unfortunate circumstance. This means you need a proper Transition plan for IT and Cyber Security teams.
No business, regardless of size, should allow all of the keys to the kingdom to reside with one person on the IT team. This is the number one mistake we see in working with organizations on their continuity planning. The second major mistake we see is when a business turns over all control of their infrastructure to a third party like a Managed Service Provider (MSP) or outside consultant.
Having a strong IT team in place, either internal or external, is an essential role inside every organization. Without a strong IT team in place 2020 would have been a mess for any organization, and possibly fatal for some. However, a business still needs to make sure it is always in control and not dependent on any single employee. Relying on a single employee who holds all of the keys to the IT kingdom is putting your business and clients at great risk for disruption in the event you have an emergency. You are doing everyone a disservice. Yet, it happens all the time. In organizations of all sizes.
On the second point, there is nothing wrong with having a third party handle you IT needs, in fact having specialists run parts of the business that are not part of your core competency is a key to success. A great rule of thump in business is hire out for things you do not know about to get the best result (payroll, tax, audit, HR, security, or IT). But that does not mean give up total control. You need to be able to hire, fire, cancel, and replace contractors at any time. It is ultimately up to the business to control its own destiny.
We are helping a client right now unwind themselves from an outsourced IT provider and it is a mess. The switch involves a lot of timing, password changes, uninstalling applications, terminating a contract, and more. There needs to be a continuity plan in place so this can happen in a quick and efficient manner so the business does not miss a beat.
A proper IT continuity plan should include detailed instructions on who does what, where the details are stored, and how to get access if needed. But before we get to the specifics and what a company needs to control, let's cover a few reasons why a continuity plan may be necessary.
Employee Termination - An employee needs to be fired suddenly or they quit for greener pastures.
Vendor Termination - A situation arrises that forces you to terminate an IT vendor, they go out of business, or they suffer a data breach with your data.
Death - Not a popular one to discuss but a reality none the less.
Accident - The IT contact is out of commission for a period of time during recovery.
Merger/Acquisition - It is possible there could be a sudden transition of power.
Incarceration - Hey, it has been known to happen and you probably won’t be the one phone call.
As a person responsible for the continuity of a business, either as an owner or a key manager, you need to have access to the right keys. Here is a list of things to have documented in your continuity plan
List of Vendors - A proper list of vendors will include their names, contact information, account numbers if applicable, what services or products they provide, and a copy of any contract.
List of All Software and Applications Used Company Wide - This could be a long list, but it matters. Knowing what software is used, its purpose, contact information, and all specific details is critical. These details are most likely not in the budget and could take a long time to recreate, especially the tools IT uses.
Master Password List - If you are not using an enterprise password manager, you should be. This is a vault that can store access information to all applicable services, hardware, software, and websites that are critical to run the business. This password vault can be shared with a group of key personnel although will usually only be used by a few people.
Network Diagram - Although this can be recreated, it is much better for this to exist before you need it. You don’t need to include every computer and printer on the network. But it should be detailed with every switch, server, access point, firewall, router, any other appliances, cloud devices, cloud applications, and their role.
Backup Information - Always know where the backups are stored and who can assist with restoring them. This way if anything odd happens and you have to restore data as you lost an IT person you have a plan. Hey, it happens.
Lastly, here are a couple rules of thumbs for controlling how to ensure your business continues to run in the event of an emergency.
All vendors contracts and accounts should be established on a company level and not an individual level. It is okay for you to have a single person negotiate the deal. But when the time comes to set them up as a vendor make sure it is at a company level through accounting or purchasing and never direct to a person without ownership of the outcomes. And when applicable make the contact tie to a generic email address and not a persons. Accounting@, Purchasing@, info@, etc.
Always grant access to vendors. This means when you hire an outside firm to assist with your IT and security needs you are granting them access to your stuff while you hold the master key. Never ask them to control that master key. This is how every major company does it. Remember the rule, grant them access, not the other way around.
No matter where you are today in getting your IT transition and continuity plan in place there is no time like now to get it started or updated. No shame in this game, just start the process to get control of it and set a deadline to get it done soon. Make sure to keep it updated and never let it get stale. Manage your risk for a successful business.