As unrest continues to escalate in Egypt and thousands of Canadians scramble to flee the country, many business operators might be wondering how their companies should prepare if such a situation were to occur in their overseas locations.
The countrywide Internet blackout Egypt is experiencing may resonate with a lot of Canadian small and medium sized businesses especially as more and more companies adopt cloud-based applications services.
The business impact of situations in potential global hotspots come into focus if you take into account that a growing number of Canadian tech start-ups are eyeing expansion into global markets – among the most lucrative of which include Middle East countries and China. Authorities in these countries have shown some form of strong-arm censorship tactics on mobile or Internet traffic.
The experts we talked to provide some advice on how to make sure your business can survive an Egypt-style Internet shutdown and how you can keep your workers safe as well.
Companies that have adopted cloud computing technologies should consider alternate Internet and media providers, according to Roberta Fox, senior partner for Fox Group Telecom Consulting.
The Mt. Albert, Ont.-based Fox Group is itself poised to shift to a cloud-based system. “We will be moving to a cloud co-location environment — moving our VoIP (Voice over IP) system application servers and multiple hosted applications to one company and combining them together, so these questions are very relevant,” said Fox.
Fox Group uses three different Internet providers. The company uses Bell for DSL and 3G wireless, Xplornet for satellite wireless and Telus for evolution data optimized.
She also encourages businesses to have a backup IP communication networks with services over the public switched telephone network (PSTN).
Choose reliable business-grade Internet service rather than the “cheapest services” for remote telework support and have backup choices ready, Fox said. “For example if your home office is hooked up to Rogers, choose the best wired cable Internet plan, then perhaps have 3G wireless sticks or a smart hub for alternate Internet access.”
“It is important that you have high quality Internet access across multiple technologies,” said Fox.
PSTN dial up can be used as a last resort if you do not have multiple providers, she said.
If your business relies on online payments make sure that your systems are set up to accept more than one or two online payment providers. The use of alternate ISPs and payment services was best demonstrated recently by the online whistle blower site Wikileaks. This story tells how they did it: What SMBs can learn from WikiLeaks’ resilient network.
Another option is to have an alternative location ready even before disaster strikes. This was the action taken by Microsoft with its Egypt operation. To find out more about Redmond’s solutions read: Microsoft shifts some work out of Egypt
Replicating and backing up data
So what can businesses take home from how some protesters in Egypt were able to circumvent the government Internet and mobile shutdown?
According to David Senf, director of the infrastructure solutions group at IDC Canada, the number one lesson of Egyptian president Hosni Mubarak’s crackdown is the importance of a disaster recovery (DR) plan. “What Egypt teaches us is the importance of replicating and backing up data and applications if you use virtual environments such as VDI (virtual desktop infrastructure).”
“Egyptian firms conducting business elsewhere can carry on, with some difficulty for sure, if they have a cloud DR plan,” said Senf.
On the flipside, another thing we businesses can take home from the situation in Egypt is to realize that you can’t totally lock down data.
In the case of Egypt, even with local ISPs and wireless telecom networks ordered to cease operations, government oppositionists were able to communicate with each other through traditional landline phones and dial-up Internet. Images of the riots also found their way abroad via fax machines.
“From a data loss prevention perspective we learned that it is impossible for a nation or any individual firm to stop data from leaking,” said Senf. But still, “You can stop most of it from being leaked.”
“In security, close to 100 per cent accuracy is all that we can hope to achieve,” he added.
Despite this, a large majority of firms in Canada turn a blind eye to data risks. Only 15 per cent of Canadian firms believe that they are highly likely or likely to lose or have data stolen in the next 12 months, according to Senf.
A recent survey by anti-virus software company Symantec Corp. reports that as much as 50 per cent of SMBs worldwide do not have any disaster preparedness (DP) plan.
DR plan pointers
In mapping out a DR plan, businesses need not look at public cloud as a de facto model.
Public cloud or external cloud refers to cloud computing in the traditional sense in that resources are provisioned on a self-service basis over the Internet through Web applications and Web services.
A private cloud or internal cloud emulates cloud computing but are operated on private networks. These products have the ability to host applications or virtual machines in a company’s own set of host machines.
Related story – Is your private cloud defensive or responsive?
Senf said a DR plan should establish which applications and data should receive priority during a crisis. Then it should be decided who gets access to what and when.
According to IDC the incidents that Canadian firms typically plan for are:
- IT system failure
- Security breach
- Power outage
“Terrorism, pandemic, earthquake and weather rate much lower as drivers to DR planning in Canada,” Senf said.
James McCloskey, senior research analyst for Info-Tech Research Group in London, Ont., says companies need to formulate their DR plans well before a disaster strikes.
Firms “need to ensure that they have robust business continuity plans (not just DR plans) that incorporate the capabilities and limitations of their cloud provider’s offerings,” he said.
For instance, facilities should not rely on a single source of cloud service and should also be able to receive service from geographically separate providers. “If the cloud service provider is located in or operated from a less politically stable area of the world, this can elevate the risk to availability,” said McCloskey.
There’s a potential that a new regime in Egypt might decide to “nationalize” services and businesses or acquire copies of information assets of some companies, the analyst says. “Making sure that data is backed up and encrypted are two main considerations.”
To ensure continued communications, businesses might also consider planning for satellite communication capabilities. “Of course one would not like to run normal operations over such a costly and limited communication system, but a sat phone with data uplink capabilities could be the last method available to maintain communications when normal Internet and phone systems are interrupted,” said McCloskey.
Other less costly alternatives could include low-tech devices such as dial-up ISPs, fax machines, landline phones or Ham radio sets.
Internet kill switch
Although the Internet was effectively shut down in Egypt, in a disaster recovery (DR) situation, the cloud “remains the best bet” according to Senf, of IDC Canada.
There has been some debate in the U.S. Congress over the installation of some sort of an Internet “kill switch” but it is unlikely to be carried out, Senf said. “A nice benefit to operating a business in North America is the number of ingress/egress points for international communications available to us.”
Even if a “kill-switch” were legislated, he said, it would prove difficult to implement because of the large number of ISPs and mobile network providers.
One possible reason the Canadian government might take a drastic measure similar to the one taken in Egypt would be to protect our critical infrastructure from attacks such as hackers using a Stuxnet-like worm – and not to thwart a protest, said Senf.
Related story – Stuxnet will impact Canadian business competitiveness
No matter what DR preparations you make for your businesses equipment, your primary concern should be safeguarding your most valuable assets – the company’s employees, said McCloskey.
“Companies operating in less stable regions should consider the steps to protect both ‘nationals’ and ‘ex-pats’,” he said.
Many organizations, he said, take advantage of services provided by organizations like Travel Security Services Ltd. . The company provides up-to-date threat analysis information for areas in which they operate or areas where travel is planned or underway. The company also has tracking systems that consolidate travel data from multiple sources to give uses a single global view of where their workers are and their scheduled trips. The system also provides a way to communicate with workers via phone, email or SMS.
Companies should also provide general guidance or training to overseas employees regarding expectations and advice on dealing with local authorities or diplomatic representatives whether under normal circumstances or extraordinary ones. Lists of people to contact, the equipment to carry this out, and set procedures for establishing contact are some of the items that need to be considered. Such emergency drills and procedures should be regularly revisited to make sure they are up-to-date and that workers are fully aware of them and are able to carry them out when the need arises.
“Of course, as situations develop, that general guidance can and should be supplemented with specific, threat-driven guidance… in the event of widespread protests, stay in a safe area, don’t go to the office and touch base with HQ for additional information,” said McCloskey.