By: Christopher Stark, President & CEO, Cetrom
If 2020 has taught CPA firms anything it is this: Anything can happen, anytime, and your IT staff and infrastructure need to be prepared for the worst, always. Creating a business continuity plan, refining it over time and being able to apply new learnings to rapid deployment are all critical to keeping operations running during a crisis.
Rightfully so, the business world has been laser-focused on adjusting and responding to the pandemic. And most public health experts agree COVID-19 won’t be the last pandemic coming our way. So, yes, COVID-19 is top of mind, to say the least.
But a health crisis isn’t the only unexpected event that can potentially threaten your CPA firm’s ability to do business and protect its sensitive client data. Hurricanes, fires, tornadoes, power outages, floods, break-ins and cyberattacks can come out of nowhere as well.
At Cetrom, we’re a happy and optimistic group, but we also understand from experience that planning carefully for the worst possible IT scenario is the only way to survive it when — not if — it occurs.
Let’s take a look at some practical tips for creating an effective Business Continuity Plan (BCP) that includes an effective IT Disaster Recovery Plan (DR).
First, Let’s Define Business Continuity and Disaster Recovery Plans
It’s always important to remember that your CPA firm will not be able to stop a crisis from occurring; in most cases, a natural disaster event, power outage and even some cyberattacks cannot be prevented. A BCP is for the aftermath — it is your organization’s and team’s roadmap for how to respond when disaster strikes in order to minimize the damage and make a return to normal operations as quickly as possible following the crisis event.
A solid BCP will cover all aspects of your organization from human resources and IT to finance and external partners. A Disaster Recovery Plan (DR) is only one component, albeit a very important component, of a BCP.
Businesses are destroyed by a crisis not because of the initial event itself, but rather in their failure to recover quickly enough. In the IT world, extended outages and downtimes are killers; for CPA firms in tax season, not having a strong BCP that includes an IT DR plan in place could literally be the end of your firm.
We’d like to think that nearly all CPA firms now have some type of BCP and DR plan in place after the upheaval caused by the pandemic. So, some good has come from COVID-19, as more CPA firms now have plans in place for the next unexpected disaster.
The key question for these firms is this, however: Are they committed to constantly revising and updating their BCP and DR plan? Has their firm assessed what it learned from COVID-19 and found a way to integrate these learnings into their BCP and DR plans?
Everyone has been moving at the speed of light to survive, but it’s important to remember to reflect, assess and make needed changes to your plans to make them more effective than ever before.
Assess How Your IT Infrastructure and Team Performed During COVID-19
This is not a time to be walking on eggshells and dancing around how your CPA firm’s IT infrastructure held up or how well your team responded to the pandemic crisis. It is time to be fair, honest and practical about what your firm did well, what it did adequately, and where it failed. Ask these questions to assess overall performance:
§ How long did it take your firm to adjust to 100% remote work?
§ Have staff productivity levels changed during the pandemic?
§ Has data security remained strong even while interacting with more vulnerable home networks and the use of more personal devices?
§ Have your clients been receiving the same level of service and performance during the pandemic?
§ What IT needs, challenges and requests for equipment were expressed by staff members?
§ Did planned backups occur or were they disrupted?
There are scores of important questions to ask when reflecting on your firm’s response to a crisis. In essence, those CPA firms that can respond to a crisis in real-time while also assessing and planning for future disasters will be in the best position to refine their BCP and IT DR plan to meet future threats.
Ultimately, BCP and IT DR plans are about mitigating all different kinds of risk. In order to mitigate as much risk as possible, your firm needs to actively and unendingly be in risk assessment mode. COVID-19 likely exacerbated risks you already were aware of and probably unearthed new risks that you’d never even considered. Again, react, assess and then integrate what you learned and are learning during the pandemic into your BCP and DR plan. BCP and IT DR planning is not a “set it and forget it” exercise; it is a never-ending process of continual improvement that keeps CPA firms prepared for the unexpected. The minute these plans become stagnant is when your risk is highest.
Consistent Training, Practice and Processes Are Critical
BCP and IT DR planning is really about being proactive to prepare for the worst-case scenario. The first step is simply accepting that a disaster or crisis is coming sooner or later. Once you and your IT team accept this reality, committing to continually improving the plans and constantly educating staff about the disaster response and recovery plan is a no-brainer investment of time and treasure.
Once you’ve made this commitment, there are several tried and true best practices that still need to be followed:
§ Have a dedicated disaster response and recovery team comprised of staff members from IT and all other departments
§ Develop, document, and communicate the new, adjusted, and improved plan to all employees when key revisions have been made
§ Create standing reevaluation periods where the plan can be adjusted, updated, and improved
o Be sure to revise the communications plan along with the DR action plan; this is particularly important with staff working remotely. A better, improved DR action plan won’t mean much if the lines of communication to enact it break down
§ Practice, practice, practice. Run mock attacks and breaches periodically to test your team
Backups and Redundancy Make DR Possible
Having a comprehensive BCP and an agile, rapidly deployable DR plan is essential. However, a great plan won’t mean all that much without a masterful backup and redundancy network that ultimately is what the DR plan is designed to utilize to get your firm back on its feet as fast as possible. In other words, your team could execute your DR plan flawlessly and still fail to save your firm if your data is not backed up and cannot be recovered from another source.
Your CPA firm must have a regimented, sophisticated, and repeatable backup process for your data
Multiple backups need to be conducted daily
You need to use various methods to back up your data to create redundancies; these could include cloud backups, hard drive backups, or other methods
The key is that these backups must live outside of your network and some should live beyond your physical office space to mitigate the risk of natural disasters, fires, or break-ins
Ideally, your CPA firm should store data and backups in geographically dispersed, disaster-proof, and highly secured locations offsite. For example, Cetrom clients have their data securely stored in our two cloud data centers in Virginia and Colorado that are geographically dispersed for automatic failover protection and remote backups ensuring their data is protected. Both facilities are SSAE 16 compliant (formerly the SAS70 standard) and SOC 2 compliant for top-tier security measures. Having multiple backups, stored at different locations and completely separate from the network, reduces the risk of data loss and is critical to getting your firm’s IT back up and running quickly post-disaster.
Always plan for the worst and hope for the best.
Once your CPA firm accepts that disaster striking is an inevitability, then it can adopt a new mindset that actively and unendingly assesses risk, adjusts to new learnings, and builds a powerful BCP and IT DR plan that its staff is well versed in and ready to deploy at the drop of a hat.