Scenario Safari…don’t let your story end too soon.

As a kid, I remember the books that gave you choices. They were fun to read and helped me learn about cause and effect. Those “Choose Your Own Adventure” books were magical because they allowed you to control the narrative, make decisions, and see the consequences unfold. However, I must admit… I cheated. I held my fingers at a choice, then would go to both options in the book and read about what would happen. I wish I could do that in real life. Picking a scenario and knowing how it would play out, knowing precisely what choice was right, and knowing which would help me in the long run versus which would be suitable for now.

Leveraging Scenarios is a tool that has empowered me with a deeper understanding of risks and how to mitigate them with a tool or process for our customers. I am quick to admit that it is difficult for a technical person to grasp an HR or Accounting problem, but it can become crystal clear with a scenario or an analogy. This can help us to work on a process or tool to keep the business secure and the processes in place to support it.

The challenge we face is the sheer volume of potential problems and solutions that could impact an organization or business, it is overwhelming. However, with scenarios and planning, we can confidently navigate this complexity, assess the likely risks, and devise more practical solutions accessible to everyone.

Work with me to break this scenario down.

Let us step into the pages of choice and enter the busy day of a normal person at work.

We arrive that morning to numerous meetings and emails to respond to. We receive an email from someone we trust, a customer, or a vendor we work with regularly. The email has an attachment. We click on the attachment, and it does not appear to open. We forward the email to someone else in our department and ask them if they can open it. They click the attachment, and again, nothing appears to happen. It is the middle of the day, you get pulled away and don’t think anything of it…until the following morning.

You walk into the office, and your computer has a new background; it says your data is encrypted, every file you access on the network is encrypted, nothing can open, and your entire department can no longer work. You plop down in your chair… you are stunned, you are behind. Everything you worked on yesterday. Do you have to do it over?

Upon contacting your IT department, they quickly identified that you were the victim of a ransomware attack. The trusted email you received was from a compromised account from a vendor. The business faces a critical decision: pay the ransom and hope for data access or recover the data from the backup and use security tools to cleanse the infected systems, ensuring a secure and prepared future.

Let me be clear: If you had the appropriate tools in place, this event would have been stopped before any impact. But if you don’t…

The Reality of Cause and Effect in the Scenario

Unfortunately, this scenario doesn’t come with handy bookmarks to flip back and forth between outcomes. Each decision propels us to the unknown without guarantees or easy do-overs. Whether deciding to pay the ransom for a seemingly quick recovery, choosing to restore the data, or having to respond to a data breach, if the email is still in your system, the stakes can feel high and the path uncertain.

In our scenario above, there are numerous ways that a process, security software, vulnerability management, monitoring, or even IT could help or even stop the problem. If you have those in place, your company will likely not be impacted, or it will have been mitigated to the point that you will still be working.

But… what if you don’t have a backup? What if you don’t have an IT resource who can respond to the incident? Will insurance help in this scenario, and what will it cover? What if the person who clicked the email was the company owner and had access to everything, and the entire company is now impacted? What if the person was in IT, and your backups are also encrypted?

Did the scenario make you think…

Applying Lessons from Childhood Adventures

Even though we can’t peek ahead to see what will happen, we can draw valuable lessons from those childhood books to inform and help fortify our strategies today. Here’s how:

1. Gather Information: Just as you read through different paths in a “Choose Your Own Adventure” book, gather as much information as possible about your options. Research various backup solutions, security products, and monitoring tools. Work to understand their capabilities and consider the potential outcomes before deciding. Determine if a product will help or if your process needs to change.
2. Evaluate Risks and Rewards: Each choice has pros and cons. Weigh the risks and rewards of each option. Assess whether a cloud-based solution offers better protection than an on-premises setup or if a hybrid approach might be the best fit. Does compliance make it more complex?
3. Embrace Flexibility: If one path led to a dead end in the books, you could start over and try a different route. While data loss doesn’t allow for a do-over, being flexible and willing to adapt your backup strategies and security when things don’t go as planned is crucial. It can be even more critical to maintain a good business continuity plan and security tools to mitigate impact if something does occur.
4. Learn from Each Decision: Every choice, whether it leads to success or failure, is an opportunity to learn. Use each experience to refine your plans, like you become a better “adventurer” with each book you read. Use scenarios to start conversations with HR and accounting, and even talk with your insurance company about the scenarios to ensure you are covered before something goes wrong.

Leverage Scenarios for better outcomes

We look to establish a process that can help simulate the risks we are trying to avoid or the “scenario” we are most worried about. This gives us choices, but how do we develop the scenarios? Let me give you a hint: restoring data is the last step in any failed process or scenario. So, your adventure may be over without backups and a clear recovery path. However, let’s dive into the thoughts of scenarios to see if we can help.

1. Scenario Planning: Develop scenarios for potential data loss events and plan for various outcomes. This will help you anticipate challenges and be better prepared to handle them. List common issues or events you read about that scare you the most. Make a team of people at your company to help; we should not carry the burden alone.
2. Risk Management: Implement strategies to identify, assess, and mitigate those potential risks. This proactive approach can help minimize negative impacts and ensure smoother recovery during an incident. It can also ensure that standard processes can stop incidents before they occur.
3. Regular Testing: Test your plans to ensure they work as expected. Testing helps you identify gaps or issues and refine your process/strategy. Verify that your data and hosted third-party applications can be recovered. Is the backup data immutable?
4. Feedback Loops: Create feedback loops to review the outcomes of your efforts regularly. Use this feedback to adjust your strategies, improve future decision-making processes, and always look for new scenarios that could impact your users and your business.

Conclusion

While we may not have the luxury of flipping through the pages of life to see how each decision plays out, we can approach our backup and disaster recovery/security strategies with the same curiosity and thoughtfulness we had as children. By gathering information, evaluating risks, staying flexible, and learning from our experiences, we can confidently navigate the complexities of data protection and data loss. Remember, each decision is a step in your unique adventure, shaping the story of your journey toward data resilience. You can always reach out if you need a guide through the safari of options.