In December, I conducted a workshop at the Nonprofit Coordinating Committee of New York on technology and business continuity lessons learned from the aftermath of Hurricane Sandy in NYC. The workshop was attended by a terrific group of nonprofit professionals who asked great questions and provided many valuable contributions. Below is the article Daniel Meyers, editor of New York Nonprofits, wrote and NPCC published in their newsletter detailing the workshop. Link on NPCC's website here.
Lessons Learned from Sandy
Joshua Peskay, co-founder of RoundTable Technology, runs a business dedicated to providing technolgy services to nonprofits. During last fall’s "Frankenstorm", he learned some lessons and ways to prepare for future disasters.
Expectations Have Changed
Joshua pointed out that although they were completely different events, 9/11 and Hurricane Sandy created similar problems for many New York City organizations. They both resulted in sustained power outages to parts of New York, particularly downtown, and they both caused major public transit disruptions.
One of the main differences between the continuity challenges faced in 2001 and those faced following Hurricane Sandy in 2012, is that far fewer online (cloud) services were available in 2001. During the past several years, new online services have been introduced that allow organizations to outsource their information technology to the cloud, so that they can access their email, files and applications without a physical office space. The new standard is that organizations should not only be able to survive major events with their information intact, they should be able to continue operating at near full-capacity throughout such events.
From an IT perspective, the goal is to support the staff during such an occurrence so that they can, if they are able, continue working. To prepare to function after a disruption, keep things simple by using this scenario as a guide. Take away two things for 7 days: power to your office and public transportation. These are the two things that are most likely to be disrupted for periods lasting several days or longer.
What Are Your Organization’s Priority Services? Determine which services are critical and must operate without fail. Think carefully about every aspect of your organization, beyond your core mission of, say, feeding seniors or tutoring children. For example, can you process payroll if all the servers and computers at your office are powered off and you can’t access them? If your constituents count on reaching you by phone, what happens to incoming calls if your office is without power?
As a disaster unfolds, you’re first going to want to know about the status of the staff: Who is alive and okay? Who is not impacted by the event and can work? Joshua found that one of the things that his nonprofit clients asked for was a web-based dashboard capable of indicating their co-workers’ status. Are they OK? Available to work? Do they have internet access? Since Hurricane Sandy he’s searched but not found anything appropriate that exists and is cost-effective. Consequently, he is interested in developing such a tool. Members should contact him if they are interested in this.
Establish a Chain of Command
Not IT-related, but an important consideration is on the operational and communication end: If the executive director is unavailable, who is in charge and can make decisions? Who’s in charge if the number two person isn’t available? In any case, how will work and expectations of activity be communicated to staff?
How can an organization operate effectively through a disaster?
The simple answer is to move everything tech related to the cloud. You may find that it’s not as expensive as you’d think.
Cloud computing refers to the concept of software and data files being accessed and stored online, almost always through a web browser and an internet connection. The data are stored online and do not physically reside in your office.
In a traditional pre-cloud office, the server and software and the data physically reside in an office; data needs to be regularly backed up and stored offsite for safekeeping. In the cloud, you don’t have to backup files because it’s stored elsewhere.
Many people have already been moving to the cloud, whether they realize it or not. For example, Google Apps, Microsoft Office 365 and Salesforce are all cloud services.
Moving fully to the cloud, you can achieve a state where all your organizational information and applications can be accessed with nothing more than a web browser and an internet connection. This gives you tremendous flexibility and reliability for your information technology.
However, the larger and more complicated your organization, the more expensive and challenging it may be to move fully to the cloud. The more customized applications, servers and infrastructure you have, the more work it will be to move those items to the cloud. But the payoff in ongoing cost reduction, reliability and flexibility will almost certainly be worth the up-front cost and effort.
Software as a Service (SaaS) is a form of cloud computing where products such as QuickBooks (for accounting and financial management) or BlackBaud (for fundraising and other functions) sell their product as a service rather than software you install on your computer. So whereas before you might have purchased a license for QuickBooks that would you install on your computer, in the SaaS model, you pay a modest monthly fee, login to their application via a website and use it.
Another aspect of SaaS and cloud computing is that upgrades happen automatically, without any action required on your part. When QuickBooks upgrades its hosted application, you will have that upgrade the next time you login, without any action required on your part.
Questions to Ask about Data Storage/Capabilities
Critical cloud services should be geographically distributed to help prevent a loss of uptime and data. Google Apps and similar large services have robust operations and have servers and data located in multiple areas, with sufficient redundancy.
Ideally, you want service storage and facilities not to be located in the same geographic area as your organization. If their only servers are in the same region as your organization, this may not provide enough redundancy during an emergency.
The things to determine of a smaller service are: Where is the provider located? What are their backup systems? What is their level of redundancy? If the service you’re having hosted is one you deem to be critical to your operations, you should try to have the best understanding possible of what will happen in various scenarios. If your office is located in downtown NYC, and your internet service provider has their main office in downtown NYC, and your accounting software is also hosted by a company based in downtown NYC, you may not be in the best shape should there be a major flood downtown.
If you move everything to the cloud, how much bandwidth do you need? Josh notes that most broadband coverage can cover it. What you want is greater to or equal to 1.5 downstream and greater or equal to 1 upstream when using applications like email, BlackBaud or QuickBooks.
There are lots of fast inexpensive options: For the best reliability, you should have two internet connections configured for failover. For example, install FIOS as well as DSL or wireless so that if one goes down the other can cover. What many organizations do (and this can work quite well) is get one circuit to handle voice traffic (for a VOIP service) and another circuit for data (internet only) and have them failover to one another. That way if your voice circuit fails, you still have internet, and if your internet fails, you still have voice.
MobileBeacon: www.mobilebeacon.org. Mobile sells wireless internet services to nonprofits. You pay roughly $100 per device plus $10 per month for service (pre-paid annually). This is a great backup to your internet connection, but should not be used as your only wireless connection. They also offer wireless hot spots for the same pricing. These can be very helpful for staff who travel a lot and want their own 4G internet to bring with them.
Whether you move your information to the cloud or not, security is always a concern. Joshua notes that the cloud is no less (or more) secure than traditional IT infrastructure. There is an inherent trade between security and convenience/accessibility. If you make users create strong but not memorable passwords, they’ll often get frustrated. But, weak passwords are more vulnerable to being cracked. The best practice available currently is the use of passphrases.
If a service allows for something beyond the usual password of 7 characters, four random words separated by spaces is very secure: forget passwords, think passphrases. Or, if the service allows for it, a fully punctuated sentence is very strong.
Going forward, passwords will probably evolve to multiple-factor authentication. For example, three separate security factors might include something you know like a user name or password; something you have like a keycode that changes every 30 seconds; and something you are (retina, thumb print, or voice). Google is currently the only provider that offers multi-factor authentication (http://bit.ly/A2VZaP). If you use Google services, Joshua strongly encourages you to use two-factor authentication. Hopefully others will offer this soon.
Read about passwords: Correct Horse Battery Staple – using passphrases instead of passwords: http://xkcd.com/936. Passphrase generator:http://correcthorsebatterystaple.net. Multi-factor authentication:http://bit.ly/joduQ. Kill the Password: Why a String of Characters Can’t Protect Us Anymore is about the death of passwords: http://bit.ly/TN7AJV.
Joshua Peskay can be reached at [email protected] or at 917-747-1154.
NPCC has a disaster preparedness guide and template at http://npccny.org/info/disaster_plan.htm.