The list below is intended to go some way towards helping SME-sized businesses
construct a suitable policy for handling, and recovering from, the type of disaster suffered by
us here at First Base Technologies. It is likely to be equally relevant (in some areas)
to householders. Large companies tend to have their own professional risk and DR (disaster recovery)
departments; the larger size of such organisations requires them to have a far more complex strategy.
If any of you reading this are professional DR and risk people, or have suffered a disaster
yourselves, we would be very grateful for any pointers you could share for inclusion here
that may help smaller businesses build their skills in this area. These should be sent
to webmaven@firstbase.co.uk. We will, of course, give you credit unless you
request otherwise. Thank you.
Disclaimer: It should be noted that Disaster Contingency Planning, Risk and
associated specialities are not among First Base Technologies' specialities, nor are
they business offerings. This document is simply provided in goodwill to pass on information in the
hope that it may assist other SMEs such as ourselves in considering and preparing disaster contingency
plans, the focus in this case being an office fire. First Base Technologies therefore cannot accept
responsibility for any errors or omissions in this document, and use of any and all of the points below
is at your own risk.
Things to think about:
- Never think "it couldn't happen to me". It happened to us so it could just as easily happen to you!
- Do not make yourself part of the disaster, e.g. by entering the premises and trying to rescue
your property. Wait for the fire service.
- If you are a small firm and you have an alarm callout at night, you should have as policy that a
minimum of two people should attend. If you have any suspicion that anything may endanger you, do not
get involved: call the professionals and wait in a safe place.
- Always have a three-location backup strategy: one backup kept on-site, one at another site and one somewhere else.
As an example, FBTechies' Office Manager takes the previous night's backup home at night, there is
a daily clone onto a laptop that is taken home each night by Didi, and another machine on-site
contains a data clone. Monthly backup tapes are stored at Pete's house.
- Have a fire-proof room (e.g. vault), preferably in a separate building in which archive paper files,
important (current) files and backup tapes should be stored.
- Maintain an up-to-date Fixed Asset register - a record of capital items such as computers and
furniture. An Excel spreadsheet is great for this purpose. You should have different categories
(headings) depending on how your insurance policy is laid out. For example, FBTechies' insurance policy
has two contents sections, each with different amounts of cover: one is just called "contents"
(covering furniture, etc.) and the other is called "equipment/machinery" (covering computers, etc.).
Motor vehicles should also be included on the register (although they fall under a different insurance
policy, it is convenient to have all assets entered on one spreadsheet). Since the register will
(in this example) be a spreadsheet kept on the server, it will be included in the backup.
- The fixed asset register should, under each category of fixed asset, contain an entry for each asset on
a separate line, with information under the following headings: "asset description" (for PCs, also record
specs such as CPU, memory, hard drives, manufacturer, IDE and other internal devices, etc.), "supplier",
"purchase date", "cost" (net of VAT), "serial number" and "location" (e.g. on-site: lab,
on-site: office, partner's home, etc.).
- If you purchase extra memory for a PC, or some add-on to a PC for example, don't forget to add this
to the fixed asset register beneath the entry for the PC to which it relates. Otherwise the entry on
the spreadsheet for a PC may not accurately reflect the total value that should be claimed in the event that it is
destroyed.
- Keep two paper copies of the fixed asset register, to each of which should be annexed
a set of photocopies (preferably colour) of the purchase invoices pertaining to each of the items on the register. Each
document set can, for example, be stored in a folder. One copy should be kept on-site and
the other copy off-site in a secure location. This means that if one copy is destroyed,
you still have the other. The insurers will ask for copy invoices to support any claim you make, and
having copy invoices already to hand in this way will save you having to trawl through, potentially, years' worth
of accounts files (which may anyway have been destroyed by the disaster). Didi estimated
that, had we not had a good and up-to-date fixed asset register to hand with copy invoices, it would have
taken over a week to locate, collate and document all the information the insurers required.
A business can hardly afford that time on top of the time consumed just by managing the disaster
itself. Thus FBTechies' fixed asset register, whilst somewhat onerous to maintain, proved
worth its weight in gold after the fire - not just in time saved, but also in that we were able to submit the full claim
to the insurers in about two days and get a payout sooner!
- Keep both the on- and off-site copies and invoices of the fixed asset register updated to reflect
new purchases/disposals.
- Don't send the insurance company your copy of the fixed asset register and copy invoices or any
other documents. You should prepare a new set of photocopies to send to the insurers, thus retaining at least one
copy (say, if the other was destroyed) should the copy you sent become mislaid or there be a query.
- If one of the copies of the fixed asset register and supporting invoices, or any of the other
important documents mentioned below, were destroyed in the disaster, make sure to immediately make new
copies and store these in a separate location (making sure you don't let existing policies slip in
the event of a disaster).
- Photocopy (preferably in colour) important documents (e.g. insurance policies, motor policies, leases, etc.)
and keep the copy at a secure off-site location; remember to keep this updated and shred redundant
copies (e.g. last year's insurance policy - the main copy of this will be on-site and probably archived,
so the photocopy is now redundant because it is superseded by the photocopy of the current year's insurance
policy, for example).
- Regularly review your office insurance cover to ensure adequate cover is maintained. If you maintain
a good fixed asset register in the ways described above, this can also be used to obtain a figure
for the insurance cover you require. You should also have regular property revaluations to ensure the
sum your property is insured for (should this be relevant) is adequate.
- The sum insured for Loss of Business cover should match the previous year's total turnover of the business,
or the current year's estimated turnover if this is likely to be more. If you do not declare your full turnover,
the insurer will deduct from your claim the percentage they estimate as being under-covered (and they
will do the same for contents), so don't scrimp on insurance premiums.
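As an added illustration (not code from First Base Technologies or the original article) of how the register described above can be put to use: a small Python script that reads a CSV export of such a spreadsheet, rolls add-ons into the PC they belong to, totals the cover needed per policy section, and applies the proportional under-insurance deduction described above. The column names, the `parent_serial` column and all sample rows are assumptions constructed here.

```python
import csv
import io
from collections import defaultdict

# Constructed sample register laid out as the page describes: one asset per line,
# a "category" heading matching each section of the insurance policy, and an add-on
# (extra RAM) linked to its PC via a hypothetical "parent_serial" column.
SAMPLE_REGISTER = """\
category,asset_description,supplier,purchase_date,cost_net_vat,serial_number,location,parent_serial
contents,Office desks x4,ExampleOffice Ltd,2003-02-10,800.00,FURN-0005,on-site: office,
contents,Filing cabinet,ExampleOffice Ltd,2003-02-10,150.00,FURN-0006,on-site: office,
equipment/machinery,Server (2x CPU 2GB RAM 2x80GB IDE),ExamplePC Ltd,2003-05-01,2400.00,SRV-0001,on-site: lab,
equipment/machinery,Extra 1GB RAM for server,ExamplePC Ltd,2004-01-15,120.00,RAM-0002,on-site: lab,SRV-0001
equipment/machinery,Laptop (P4 512MB 40GB),ExamplePC Ltd,2003-09-12,1300.00,LAP-0003,partner's home,
motor vehicles,Company van,ExampleMotors Ltd,2002-11-30,9000.00,VAN-0004,on-site: car park,
"""

def load_register(text):
    # Parse a CSV export of the spreadsheet into a list of row dictionaries.
    return list(csv.DictReader(io.StringIO(text)))

def asset_values(rows):
    """Replacement value per serial number, with add-ons rolled into their parent
    PC so that a claim for a destroyed machine covers the whole box."""
    values = defaultdict(float)
    for row in rows:
        key = row["parent_serial"] or row["serial_number"]
        values[key] += float(row["cost_net_vat"])
    return dict(values)

def cover_required(rows):
    """Sum insured needed for each policy section (contents, equipment/machinery, ...)."""
    totals = defaultdict(float)
    for row in rows:
        totals[row["category"]] += float(row["cost_net_vat"])
    return dict(totals)

def adjusted_payout(claim, sum_insured, true_value):
    """Proportional deduction the page warns about: if only part of the true value
    was declared, the insurer scales the claim down by the same fraction."""
    if sum_insured >= true_value:
        return claim
    return claim * sum_insured / true_value

def underinsurance_report(rows, policy_limits):
    """Compare register totals with the sum insured under each policy section."""
    report = {}
    for category, needed in cover_required(rows).items():
        insured = policy_limits.get(category, 0.0)
        report[category] = {"needed": needed, "insured": insured, "shortfall": max(0.0, needed - insured)}
    return report

if __name__ == "__main__":
    rows = load_register(SAMPLE_REGISTER)
    print(underinsurance_report(rows, {"contents": 1000.0, "equipment/machinery": 3000.0}))
```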
- Make sure to have up-to-date monthly accounts that are readily accessible. The insurance company may ask
for copies of these as proof to support your Loss of Business claim if you make one. Or they may simply
ask for these as part of fraud prevention tactics (to see if you, for example, were heading towards
bankruptcy before the disaster). Insurance companies tend to view claimants as guilty until
proven otherwise (insurance fraud sadly being common). So, the more documents and evidence of your
good intentions, honesty, good business practice and policy that you can provide - and promptly - to the loss
adjuster (usually a specialist from a separate company that sub-contracts to the
insurance company), the more swiftly you will get your claim paid, and the less general
hassle you will have.
- Even if the fire service say it is not necessary, ask for police attendance. Pete and Didi were
told by the fire service that it wasn't necessary to involve the police. However, the insurance
company were not at all happy that the police weren't involved and asked that they be. However, upon
contacting the police (a few weeks after the fire) of course they were not interested in coming out for
an incident that had happened so long ago. So always call the police and ask them to attend as soon
as there is an incident, and get an incident/crime reference number.
- Ask the fire service to leave as much in situ as they can. In our case, the fire service
removed various equipment and other charred remains from the office and dumped them on the pavement
outside the restaurant downstairs. Not only did this make us unpopular with the restaurant (because of
all the mess!) but it made us unpopular with the fire forensic investigators, who require that everything be
kept where it was. Also, the fire service don't consider the risks of, for example, a computer being
dumped outside and what might be contained on its hard drive... Being in the security business,
Pete and Didi supervised the removal operation carefully, removing and securing anything that could
cause a security breach. However, had they realised how irritated the forensic people would be that all
this stuff was removed - or even just moved outside the server room in the case of some equipment - they
would have requested the fire service to leave it in place and would thus have avoided a bit of
difficulty with the insurers!
- Don't let existing policies slip during the aftermath of a disaster. It is all too easy to forget to replace
a secondary copy of important documents (e.g. fixed asset register), in the event that one copy was
destroyed in the disaster. Or, it is all too easy to let backup policy slip, and perhaps forget to have
a plan in place as to where the new secondary location should be for storing backup tapes (in the event
that the secondary location is now in use as the office, and the primary location is destroyed).
- Have an escape plan. Do you fancy being trapped upstairs if there was a fire
or you heard someone breaking in? Large companies have dedicated escapes (as in fire escapes) -
you shouldn't view your life/lives as less important than large companies do! Therefore you should ensure
that every upstairs bedroom/office has a way to escape outside to safety. For example,
a dedicated ladder can be stored in a wardrobe and deployed if needed by attaching it to permanent
and deeply fixed eye screws (which should have already been installed below a window sill), allowing potential
victims to climb down to safety. I have also heard stories of people using such
ladders to escape, having heard the noises of a break-in downstairs. The perpetrators of such break-ins may
carry weapons; if you get out as quickly and quietly as possible and go to a neighbour's to phone the
police you can avoid being hurt. And, being able to notify the police so soon into a burglary
may a) catch the thieves "red handed" before they move on to their next victim
- who may not have your security measures in place - and b) catch them before they get the chance
to steal your property. So whilst ladders may cost a bit of money, they can save lives and
property! A search on Google using the keywords "Fire Ladders" brings up loads of results. Do
make sure to carefully measure the distance from the window to the ground for each ladder you want
to purchase, and follow the manufacturer's instructions carefully. Such ladders can obviously be dangerous
if not used with care.
Policy & Disaster Contingency Planning
Having read the above, you may see that having some way to document how these situations are handled would be
a good idea. This is where having disaster contingency plans and policy documents comes in. Such plans and
policy documents are essential. They ensure that staff know what to do in a given situation and can therefore
help assure security - that a disaster does not occur. However, they can also minimise the effects of a disaster
should one occur and prevent injury to staff. In this way, such documents may even prevent your business from
going under - which could have happened to us had we not had such policies and contingency documents.
You can pay a professional to prepare or help you prepare these documents. Part of our
offering is that we can help you write security policies, but we do not offer disaster contingency planning
services. You may not be in a position where you can afford the luxury of having a professional to advise you.
So below is some guidance as to how these documents can be prepared:
- Start out by thinking through, and then making a list of, all the different disaster scenarios you can
conceive, e.g. what would happen if: there was a flood, there was a fire, someone broke into the building
and stole machines or stole a laptop, or guessed a password, etc.
- Then think about and list down all the strategies you can think of for trying to prevent such events
occurring in the first place and procedures that staff can use to try to avoid any such problems. The
output of this stage will be that you can prepare a Security Policy which can in fact be a Manual that
contains a number of chapters pertaining to different policies. The Manual can have a chapter called
"Visitor Policy", another called "Fire Prevention Policy", another called "Anti-Virus Policy" and so-on.
- Each chapter in the manual should consist of three sections. The first section is "Policy"
(which should be at the front of that chapter), e.g. "We have a policy that visitors are never left unattended".
The second section (beneath the Policy section) should be "Standards": a short list of basic things users have to do in
order to adhere to the policy, e.g. "you must not leave visitors unattended at any time", "you must keep your desk and
computer desktop clear of anything sensitive if there is a user on the premises", etc. The third section (beneath
the Standards section) should be "Procedures": paragraphs of detail providing information on specific situations.
- For example, our anti-virus policy "Procedures" section contains screenshots and instructions as to the
correct configuration and use of our anti-virus software. The Procedures section of our Visitor Policy contains
information pertaining to how to handle visitors of specific types, e.g. how to handle deliveries, etc. There are
various things in this document which could be included in your policy, e.g. "backup policy".
- It is important to remember that a Policy is only as good as its ability to be located and the
knowledge of staff to be able to use it! This means that the document should be easily accessible to all staff and
mandatory for them to follow (preferably with a statement to this effect in their Contract of Employment).
Training should also be given, e.g. induction training so that new staff know a) where the policy manual is to be
found, b) what is in the policy and c) how to adhere to it! Training should also be given to existing staff
periodically to make sure everyone is still aware of policy, and certainly when any updates are made to the policy.
- Finally, policies work best when they have "buy-in" from the staff. At First Base Technologies we actually
include a section called "Why" at the end of the "Procedures" section of our policy chapters, explaining
why particular procedures are important, e.g. "we keep our desks and computer desktops clear of anything
sensitive when clients are in the office because it means they can't access/see something they shouldn't, which could
lead to us being sued, losing their business and/or them bad-mouthing us to other people, which would also
lose us business". You'd be surprised how many people do not know why particular items are in a policy - when they
learn why, it tends to make them far more vigilant in adhering to policy!
- Next, think about and list down all the strategies you can think of for minimising the impact on the business
should a security incident or disaster occur. The output of this is a document called a "Disaster Contingency
Plan/s" which should state a) what to do if something bad happens - called "incident response", i.e.
who is responsible and what should happen if e.g. a security breach occurs, if a fire occurs, if the burglar alarm
goes off, etc, and b) what to do to recover from the situation - called "disaster recovery" which should
state who is responsible and what should happen if the disaster actually occurs, e.g. what to do if data is lost,
what to do if a fire has damaged the building, etc. Again, the relevant staff should be given training as to how
to use this, and the ideal would be to set up a "dummy" incident - such as you would for fire drills - to ensure it works!
Make sure that a copy of this document is kept off site - key personnel should have a copy at home so that they can refer to it if the
copy of the document is inaccessible in the office for whatever reason - i.e. if it gets burnt! Again, there are ideas
in this document that can help you prepare such a document.
We have a Disaster Contingency Planning Guidance document (136 KB) available for download on this site.
Written by
Didi Barnes on Tuesday June 23rd, 2004