Business continuity with Office 365
Thousands of organisations, big and small, have turned to Microsoft’s Office 365 to streamline the way they work and do business.
In previous blogs, we’ve covered the transformative effect that Office 365 can have, enabling teams to collaborate and create in ways that haven’t been possible before.
Office 365 can open up a world of opportunities for your organisation and change the way you work forever.
However, although digital transformation through the adoption of cloud technology can bring about a wide array of benefits, it also brings a new set of risks.
For many ICT professionals, migrating to Microsoft 365 and adopting its cloud-based Office 365 productivity suite provides the opportunity to evolve the way your organisation works.
To succeed with Office 365, business resilience is crucial.
Unplanned downtime has been a fact of life for ICT departments for many years. Even as technology has evolved, it remains a constant issue.
However, even as your infrastructure moves to the cloud, outages can be hard to avoid and difficult to predict, and can have a significant impact.
While most outages are brief, isolated and can be resolved quickly without causing major disruption, some can be more sustained and cause your operations to grind to a halt while they are sorted.
This can greatly impact your day-to-day operations, resulting in lost productivity and reduced customer service.
Unfortunately, you can’t control when Office 365 goes down or rely on its in-built security options to totally prevent a cyber threat from becoming a breach and causing operational disruption.
So, the answer is to build resilience within your organisation by developing an overall business continuity plan.
The difference between business continuity and ICT continuity
It’s important to note that business continuity and ICT continuity are different things.
ICT continuity covers your efforts to make your ICT resilient to failures it encounters, so it can continue to deliver its service.
Business continuity is about allowing the business to continue when a significant event disrupts normal service provision. It could be that some ICT function fails, but it could equally be a flood, fire or building collapse, or key members of staff falling ill and being unable to perform their duties.
Business continuity plans must be targeted. For example, the plan to be enacted if Office 365 is inaccessible will be different to the plan enacted if the roof falls in on your main meeting room.
However, in some instances, a particular risk in your business continuity plan may be mitigated or minimised through the use of an ICT solution. For example, while flooding might prevent a team from working from their usual base, an ICT-delivered remote working solution might be used as the mitigation in the business continuity plan.
Developing a business continuity plan
Although it’s hard to predict with any certainty every possible scenario, the idea behind a business continuity plan is to try and expect the unexpected, so that if it ever happens, you have a plan in place to deal with it.
While business continuity needs will vary from organisation to organisation, there are some necessary foundations you need to get in place to build your plan on.
Understand what services you deliver and who to
The first step is to understand the services that you provide as an organisation to your customers, staff and other stakeholders. These are the items that you need to cover in your business continuity plan.
For each such service you need to identify how many users there are, who those users are, what the service delivers and how, and what the service is dependent upon.
Identify the failure scenarios
The second step is to identify the potential scenarios that may disrupt these services, including the cause and impact from each scenario.
You’ll want stakeholders from every team or department to contribute here, as they will know their day-to-day roles, and the potential issues they may face, better than anybody.
Identifying the time-sensitive and business-critical processes and functions that can disrupt or hurt your organisation if they are interrupted is an excellent place to start. Some of the areas of your organisation to consider include your:
Environment – What would happen if there was a flood or fire at your main premises, or the building became inaccessible?
People – Who are the key individuals within your business that you need to maintain business as usual? What would happen if they became ill or unable to work?
ICT Provision – What ICT elements does the service rely upon? Is the service wholly based on a user edge device (laptop) or does it have a cloud or server-based component?
Connectivity – Are you reliant on a cloud or on-premise ICT environment to power your business? What would happen if your broadband went down?
Suppliers – Who supplies all your business-critical hardware and software? What would happen if they suddenly went bust?
Understand the impact
Once you have identified all possible scenarios that could interrupt your business continuity, the next stage is to consider the potential outage impacts. For example, if you lost connectivity for a day and couldn’t fulfil any orders, or if a fire meant you had to completely shut your site, what would the cost, reputation, people, compliance, legal, and regulatory implications be?
Once you have defined the potential risks, it’s time to consider the potential costs that these disruptions might cause, and also the relative likelihood of specific threats occurring. Once these have been defined, you should also determine your organisation’s risk appetite and willingness to spend time, money and resources mitigating these risks.
Mitigate the risk
It is important to determine both the cost and the benefit of avoiding each scenario, so you can work out what your priorities should be and where you can best allocate time and resources to mitigate the risk.
An outage can result in a big financial hit to your organisation, resulting in lost or delayed sales and income, the expense of putting things right and any regulatory fines, contractual penalties or lost custom.
The cost of avoiding this in the first place through business continuity planning could be a small fraction of the impact costs.
With a robust business continuity plan, you can keep downtime to a minimum and minimise the impact and disruption that an outage can cause.
But it’s not just the financial cost you need to consider. An outage can also cause reputational damage and customer dissatisfaction, and delay the introduction of new products, services or business strategies.
Accept the residual risks
No matter what mitigation you put in place, no service can ever be 100% protected against all potential risks. After all your mitigations are put in place, there will still be some residual risk in your business continuity plan. It is important that your organisation’s service owners understand and accept these residual risks.
A business continuity plan can be the difference between minimal downtime and inconvenience, and disaster.
The key point to stress here is that your business continuity plan makes clear to all decision-makers the risks they are taking by choosing not to fund the mitigations and, if they do fund them, ensures that they understand, accept and own all outstanding risks.
Know how to recover/restore
It’s also important that you have a plan in place to transition back to normal operations smoothly once Office 365 is back up and running and the incident has been resolved.
Securing Office 365 business continuity – a practical example
A successful Office 365 deployment requires a business continuity plan to ensure your employees stay connected and productive while Office 365 is down.
While Office 365’s infrastructure comes with an adequate degree of in-built protection, your users can often be your weakest link.
Let’s take a look at a practical example, based on a typical workplace issue, to illustrate how the above methodology can be used to create a continuity plan for this scenario.
Let’s say you have a single internet connection that fails, causing your email service to go down.
The impact is that your staff cannot send or receive emails, either internally or externally.
An important email needing urgent action may be missed, which could, for example, be about a child protection issue or a financial issue.
While the cost implications may vary from business to business, the risks are that staff cannot complete their work and that vulnerable children may be put at risk, as might sensitive financial data or even cash.
In this scenario, the mitigations would be to identify urgent communications that use email, build alternative paths, and document them.
Ensure that staff and key partners are alerted to the failure, and implement ICT solutions to reduce the email outage risk.
You might also decide to install an additional internet feed and allow users to access email from home.
The residual risk is that, although you have put measures in place, it is still possible for email to go down, so staff may still be impacted while you investigate the problem further and find a solution.
You shouldn’t stop at planning for an email outage caused by a connectivity issue, though. You should go on to consider all possible scenarios, such as authentication failures, SMTP issues, DNS failures, power failures, security breaches and illness.
As your ICT partner, we can help your organisation better understand the risks that an ICT outage could cause and help you develop a robust business continuity strategy to mitigate them. To find out how we can help, give us a call on 01332 322588.