A Model for Business Resilience

Aviate Navigate Communicate

The recent global systems outage, caused by CrowdStrike’s failed update, exposes a key flaw in how we view business resilience. When asked how we make our businesses resilient to failures, human acts or errors, disasters, and other disruptions, we tend to focus on the technologies and services we put in place to prevent/protect and restore/recover.

Business Resilience 

We define Business Resilience as your ability to get and keep your business up and running (even if it is running at a degraded level) until you can fully restore and recover.

Given the impact of the CrowdStrike failure on the airline industry, here is an aviation-themed model you can use as a guide.

Aviate

When an emergency happens in flight, the pilot’s first focus is to aviate – to ensure the plane keeps flying. If you can’t keep the plane in the air, your direction of travel does not really matter. 

The same is true for your business. If you cannot keep your business running at a minimally viable level, you can run out of time and/or money before you are able to restore and recover.

Navigate

Once the pilot knows that the plane will continue to fly, they can assess their current location and determine the direction and steps they need to land safely.

Once you know that you can continue to operate, even if only at a base level, you can step back and map out the potentially complex steps needed to restore, recover, and return to normal operations. You can then navigate the technical, operational, customer service, legal, and other processes needed for your safe landing.

Communicate

Once the pilot can safely navigate to a landing, they have the time and focus to communicate. Although pilots do communicate during the aviate and navigate phases, they limit communications to only the information that air traffic control, ground operations, emergency responders, and others need in order to assist with the situation. Additional details and analysis come later.

The same is true for you and your business. While you are aviating and navigating, you will want and need to share necessary information with those who need it. These communications need to be “to the point” and focused. You will have the time and focus to share more detailed information as you approach, or after you make, your safe landing. You will have the time needed for review, analysis, and planning after your return to normal operations.

Call to Action:

If you are unsure or lack confidence in your business’s resilience to disruptions, we can help. Contact us or schedule time with one of our Cloud Advisors.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Resilience, the CrowdStrike Failure, and the Real Impact on Your Business

Resilience

We have not written or posted much about the CrowdStrike failure. CrowdStrike is designed and priced for large enterprises. We offer endpoint protection, detection, and response services that are better designed for the small and midsize organizations we serve. In large part, the CrowdStrike failure has not directly impacted our clients and other smaller businesses.

However, the CrowdStrike failure has, and will, indirectly impact you and your business.

Technical Impacts

The biggest technical impact will be the role of automatic updates. The CrowdStrike failure was due to a programming error in a software update that was sent and applied automatically. Customers did not have the ability to limit or test the update prior to deployment.

Going forward, expect vendors to rethink how and when they use automatic updates. Watch for expectations that you, the customer, should test and approve changes. This shift will transfer more of the responsibility from vendors to your IT team. If you do not have the resources to test and verify updates, you will be taking on more of the responsibility should issues arise.

If you have an IT provider or managed service provider, you may need to negotiate this additional work into your contracts.

Business Impact

The most significant impact of the CrowdStrike failure is on our understanding of “Resilience.” When we talk about endpoint protection services like CrowdStrike, backup/recovery solutions, advanced threat protections, encryption, and other services, we are talking about tools that help our businesses become and remain resilient to cyber attacks, improper user activity, disasters, and other disruptions. 

These technical solutions provide some of the “Prevent & Protect” and “Restore and Recover” components of our Security CPR model and services. With the CrowdStrike failure, a tool intended to improve resilience exposed a weakness in our resilience: what happens when your solution becomes the problem?

Our understanding of resilience needs to change. We must move away from thinking about resilience as a function of IT. Resilience is a business-level function that encompasses all aspects of your organization.

Anecdotally, we learned that during the CrowdStrike failure: 

  • Airlines in Hong Kong wrote out boarding passes by hand and kept lists in notebooks to track manifests and seating assignments.
  • In a California hospital maternity ward, with no computers to centrally monitor infants and with security doors non-operational, nurses were held over and stationed at each infant’s bedside, and security guards were tasked with guarding doors.
  • A small distributor wrote labels, bills of lading, and customs documents by hand for thousands of shipments.

The Big Question

Answer the following question for your business:

  • Can you run your business, even if it is in a degraded mode, without one or more of your key systems? If so, for how long?

Your answer is key to understanding how resilient your business is to disruption, the potential operational and business impact of a disruption, and your ability to recover and survive.


7 IT Blind Spots Small Businesses Miss the Most

IT Blind Spots

Your small business depends on your IT services to run effectively and efficiently. Even so, like many small business leaders, you likely have one or more “IT Blind Spots”. The blind spots are not “all or nothing.” They evolve from decisions about what IT services are needed, wanted, and worthy of spending on at a particular point in time. Over time, internal and external factors change. If we do not take a fresh look, our IT services will not keep up. 

While not intentional, these blind spots create unnecessary risks and expenses. Here are the seven (7) blind spots we see the most.

1. Security and Privacy

As small business owners and leaders, we understand the need for security – especially in today’s environment. We wonder, however, how much security is enough and what we should prioritize. We see small businesses with antivirus protection on their computers, strong passwords, and basic backup/recovery. While these services were the benchmark for basic security, they are now insufficient.

Check your IT blind spots for other core security services, including multi- or two-factor authentication (MFA/2FA), advanced threat protection (ATP) for email, advanced endpoint protection and response, encryption, and immutable backup/recovery services.

If you do not have these in place, your security is likely insufficient to protect your business.

2. Duplicate Services

It has never been easier to sign up for new services. With a few clicks, payment information, and a quick setup, your new, cloud-based application or service is up and running. The convenience is great when you need something specific or a new solution. The low barrier to entry, however, makes it easier to sign up for apps and services that duplicate others you already have in place.

Check your IT blind spots for these duplicate services. We most often see companies paying for Zoom or GoTo, even though they have Microsoft Teams or Google Meet for online meetings and presentations. Some spend on Slack and other tools instead of using Teams or Google Chat services that are already in place. Rather than managing permissions to share files from Microsoft 365 or Google Workspace, small businesses often spend more on Dropbox and other services. While these are the most common duplicate services, we often see others across a wide range of apps and functions.

3. Shadow IT

We used to define Shadow IT as any IT service in use without proper vetting or authorization. Today, we expand the definition to include consumer-grade hardware, software, and services. Team members using unauthorized IT services typically create security risks, increase costs, reduce control of company information, violate information privacy rules, and put data at risk. While less costly up-front, consumer-grade equipment, software, and services typically lack the security and integration needed for business use.

Check your IT blind spots and survey your environment for Shadow IT. Team members often go rogue for personal preference, convenience, or because they do not understand how to use features and functions already in place.

4. Latent Apps and Services

When was the last time you looked to see if you were paying for IT services that you no longer use or need? With the low barrier to entry for cloud services, we often see companies that have signed up for an app or service, only to later decide that it is not the right solution or to see usage decline over time. Without a set process for on/off-boarding IT services, these often remain idle, incurring monthly or annual fees.

Check your IT blind spots for applications and services. Review company and staff personal credit cards for recurring payments. Scan Microsoft 365 and Google Workspace accounts for apps and services with federated logins.

5. Business Continuity

While almost all small businesses like yours have backup/recovery in place for most of their systems and data, most still lack a business continuity solution. Even without a big disaster, the loss of a single, key system can be crippling.

Check your IT blind spots for business resilience. Can you run your business without your IT systems and services? For how long? Which systems and services can you live without for a short period of time and which are critical to your business? The answer to these questions dictates the types and extent of business continuity services you need. Focus on what you need to reasonably run your business while you make repairs and complete larger recovery efforts.

6. Cyber Insurance

Most small businesses know that they should have cyber insurance in place, and many do. Too often, however, we see small businesses signing on to policies with inadequate or inappropriate coverage. We also see many businesses overpaying for cyber insurance to cover risks that could easily be reduced with incremental security services.

Check your IT blind spots for appropriate cyber insurance coverage and rates. If your policy was not purchased through a specialized agent or broker, an independent review may be worthwhile. If you do not yet have a policy, check out our resources and ask about our cyber insurance readiness assessment.

7. Utilization

Multiple services tell us that most small businesses use about 15% of the capabilities in their Microsoft 365 or Google Workspace services. Your investment in Microsoft 365 or Google Workspace includes a rich set of features and functions – major and minor – that help your team collaborate and work more efficiently, individually and as a team.

Check your IT blind spots to understand how well your team is using the tools available to them. A little bit of education, training, and guidance can boost productivity within Microsoft 365 and Google Workspace by up to 60%.

Call to Action:

If you suspect, or just wonder, what is in your IT blind spot, we can help. We can help you check your blind spots and assess what, if any, changes are necessary or recommended. Once decided, we can help you plan and execute those changes. Contact us or schedule time with one of our Cloud Advisors.
