Plan to lose your plan.

My wife dropping her iPhone in the pool this week taught us two things. First, she learned how cold 64-degree water is as she had to get in to retrieve the phone. Second, regardless of what Apple claims, iPhones are not waterproof. To be fair, I suspect it was the salt more than the water that shorted out the device. Regardless, dropping your phone in a 64-degree saltwater swimming pool is going to result in negative consequences for both you and the device.

This event also reinforced another concept that needs to be stressed when discussing crisis and security incident planning. Data stored on digital media, and in the cloud, is worthless if you can't access it. The loss of the phone created significant complications for my wife since she couldn't complete the two-factor authentication process required to access many of her work systems and data. We save data to cloud storage systems for safety, security, and redundancy, but it's all for naught if you can't access any of it.

This brings up a bigger issue when considering Disaster Recovery and Business Continuity plans for your business. They are worthless if you don't have a copy when a disaster strikes.

Rule 1: Have a plan.

Rule 2: Be able to read the plan when you need it.

Print out hard copies of your plans and store them in a safe place. You might have the most well-planned and practiced recovery plan, but it's worthless when encrypted by ransomware. You might have a brilliant continuity plan, but it's equally worthless if the server it was saved to is destroyed by a fire.

Save copies of the plan to two USB drives and print out two paper copies of the plan. Save one set to a hard safe on-location. Save the other at a secure off-site location. Email a copy to yourself while you're at it.

And Rule 3 for good measure: Every once in a while, read the plan! Don't just tuck it away and not look at it again until the business is smoldering. Make it a policy point and a dedicated practice that the plan gets reviewed at least once per year. Better yet, run a tabletop exercise to practice it. The best-designed plan is worthless if it isn't functional for your organization.

Keep a copy of your plan in your back pocket and your iPhones dry!
