What do these MSPs have in common: One died unexpectedly in his 30s, one was arrested, and one had an offshore employee cause a client’s HIPAA breach.
Answer: Their businesses didn’t survive, hurting their lifestyle, families, employees, and customers.
What do these MSPs have in common: One had a senior engineer die, one had their building blown down by a tornado, and one suffered a stroke and went through months of recovery.
Answer: Their businesses survived.
What was the difference between extinction and survival? It wasn’t luck.
The survivors each had a comprehensive business continuity plan that went far beyond recovering their servers after a cyber incident.
Here’s Why You Need to Ask the Hard Questions Now
Consider this situation: One MSP business failed after the owner died because he was the only signer on the company bank account. The company had money in the bank and customer payments were coming in and being deposited. But vendors and employees could not be paid because no one could sign checks. His will was disputed and money could not be disbursed for months, causing the business to fail.
If the owner had planned for business continuity and had estate planning in place, he would have had a second check signer on his account or a limited Power of Attorney in place allowing a trusted relative, or his lawyer or accountant, to sign checks.
Have you ever counted the people who rely on your company and who would be hurt if your business didn’t survive a disaster or disruption? Your family and their heirs. Your employees and their families. The customers you serve and their families. Your community. And so on. Hundreds or even thousands of people.
They are why you need to ask the hard questions you don’t want to think about.
- What will happen to your business and all the people who rely on it if you or one of your senior technical staff members suddenly died or became severely disabled?
An MSP that had considered the loss of key employees in his plan was able to shave about two weeks off replacing a senior engineer who was killed in an accident. The life insurance policy he had on the employee was split 50/50 with the employee’s family. As a result, the recruiting and onboarding costs were paid for.
- What if your RMM or PSA tool is compromised and offline for days? How will you support your clients?
An MSP that had considered the loss of their online systems had air-gapped drives with downloaded runbooks and spreadsheets containing their client contact info and network configs.
- What if your HR/Payroll system is compromised and offline for days? How will you pay your employees?
An MSP had worked out a plan with its payroll service to manually pay its employees based on the previous payment period. Then they would make necessary adjustments when the system came back online.
What Is A Comprehensive Business Continuity Plan?
Most of the time when I ask an MSP about their business continuity plan, they tell me that their servers are in the cloud and backed up by (fill in the name) product that will allow them to quickly recover from an attack. That’s an incident response plan, not a business continuity plan.
Sometimes the MSP just smirks and points to their head, where their plan resides. They haven’t shared it with anyone else. They don’t ever anticipate that they may be the cause of the interruption or consider the amount of stress they will face during a crisis that will prevent them from thinking clearly and making smart decisions.
Some MSPs have a written plan, but it is usually a template with the phone numbers of their staff and some meaningless verbiage about recovery time objectives (RTOs) and recovery point objectives (RPOs). These are meaningless because they have never been tested to see if users can perform all the company’s critical customer support, HR, and financial functions while working from the cloud recovery environment.
The average downtime from a ransomware attack is 22 days even though there are great backup and recovery systems that can recover systems in hours. RTOs hardly ever consider the fact that a network that has been attacked is a crime scene and that cyber insurance companies, law enforcement, and attorneys are afraid of damaging evidence or risking litigation. They prevent a quick recovery. How will you and your clients function for 22 days without technology?
The Disaster Recovery Institute publishes the 10-step international standard for business continuity planning. The sixth step is writing the plan, meaning that anyone who just takes a template and starts entering data has skipped the first five critical steps.
A comprehensive business continuity plan requires the documentation of:
- Every critical business task
- The resources—people, technology, and facilities—each task depends on
- The management strategies and priorities for recoveries
- The alternatives for when a resource isn’t available
Test Your Business Continuity Plan Like a Jenga Game
You are familiar with Jenga, the game where you pull out wooden blocks until the tower collapses. Building a good business continuity plan requires putting in all the resources—the blocks—and then taking each away to identify what you must do when an incident occurs. That becomes your plan.
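The block-pulling exercise described above can be run mechanically once tasks, resources, and alternatives are written down. The following is an added example, not part of the original article; the task names, resource names, and fallbacks are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample plan (illustrative only, not taken from a real MSP).
# Each critical task lists the resources it depends on.
TASKS = {
    "pay employees and vendors": ["owner (sole check signer)", "payroll system"],
    "support client tickets": ["RMM/PSA tool", "senior engineer"],
    "restore client servers": ["cloud backup platform", "senior engineer"],
}
# Documented alternatives: resource -> fallback resources that can stand in for it.
ALTERNATIVES = {
    "payroll system": ["manual payroll from previous period"],
    "RMM/PSA tool": ["air-gapped drive with runbooks"],
    "senior engineer": ["second engineer"],
}

def available(resource, lost, alternatives, seen=frozenset()):
    """A resource is usable if it is not lost, or if any fallback is usable."""
    if resource not in lost:
        return True
    if resource in seen:  # guard against circular fallback definitions
        return False
    return any(available(alt, lost, alternatives, seen | {resource})
               for alt in alternatives.get(resource, []))

def failed_tasks(lost, tasks=TASKS, alternatives=ALTERNATIVES):
    """Tasks that cannot be performed when every resource in `lost` is gone."""
    lost = set(lost)
    return sorted(t for t, deps in tasks.items()
                  if not all(available(d, lost, alternatives) for d in deps))

def jenga_test(tasks=TASKS, alternatives=ALTERNATIVES):
    """Pull each block in turn; return {resource: tasks that collapse}."""
    blocks = {d for deps in tasks.values() for d in deps}
    blocks |= {a for alts in alternatives.values() for a in alts}
    report = {}
    for block in sorted(blocks):
        broken = failed_tasks({block}, tasks, alternatives)
        if broken:
            report[block] = broken
    return report

if __name__ == "__main__":
    for block, broken in jenga_test().items():
        print(f"no alternative for {block!r}: {broken}")
```

Passing several resources to `failed_tasks` at once models a single event that takes out a resource and its fallback together, such as a building loss that destroys both the office network and the drive stored in it.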
It’s important to recognize that business continuity plans are never 100% accurate because each disaster is different. If your plan covers 80% of your response, it is much easier to deal with just 20% of the problems when you are stressed by a disaster and not thinking clearly.
An untested plan is just words on paper. A morning backup status email saying that a server mounted does not prove that users can perform their critical functions from the recovery environment. You must regularly test the ability of workers to perform their critical functions from the restoration environment.
Those are all the reasons you should create and test a plan for your MSP business.
Add a New Revenue Source for Your MSP Business
Once you’ve got your own plan in place for your business, you can offer business continuity planning as a service to help your clients beyond your IT services.
You can earn large profits, develop stickier client relationships, and get information about your clients that they would never share if you were just their IT vendor. That will help you tailor your services better and justify your fees.
I turned my MSP company into a business continuity company, even using “business continuity” in our name. Beyond our IT services, we created comprehensive plans for many small businesses. We also created the plan for a multibillion-dollar credit union that they used to survive a major hurricane. We created their pandemic plan in 2011 that they used in 2020 when COVID hit.
Want to learn more? There are business continuity and cyber resilience training and certifications available through the Disaster Recovery Institute. You can also get a free MSP Business Continuity Guide from Semel Consulting.
Don’t wait. Every day you put this off is another day of preventable risks that can hurt all the people who depend on you. You don’t want that to be your legacy.



