People have opinions on what to do and which is the best next step. Sometimes they are right. Sometimes they are dead wrong. And sometimes they are right until the world catches up with them and changes the playing field.
Adopting measures for business continuity can still create issues. For example, the internet was an amazing advancement for business continuity. It allowed business services to be dispersed even within one company. Remote capabilities meant enhanced survivability of physical structure operations in the event of a disaster or disruption. It was wonderful progress to not be tied to a physical place and what may befall it.
The downside to the internet was it also made users more vulnerable to DoS/malware attacks. It created a door that needed to be shut and locked in order to keep bad actors out. That is where updates and patches became a normal course of doing business. Think also about adopting any new technology - when it happens quickly (and often sloppily) - if you're brand new to it while others have been using it for a while, your inexperience leads to more vulnerabilities and putting a target on your back.
Another thing the internet does is give a false sense of security. Just because you are fully remote doesn't mean that you have no physical structures to worry about.
First you will worry about your vendors and their locations. Is it a good idea if you are located in San Francisco to have your back-up servers somewhere else? Yes! But not San Jose. Whatever happens in SF will likely impact SJ as well. Choose wisely and also ask if your vendors have a business continuity plan (most people assume their vendors do, but ask).
Another thing to be concerned about physical structure-wise in a remote environment is the employee's location. Make sure they are using a VPN and MFA to get access to work servers and files for increased security. All the security measures in the world won't protect a business from an inside vulnerability: phishing scams. Sadly that relies 100% on the amount and quality of the training you do, especially if the individuals absorb and practice the protection measures. Phishing plays on emotion - the average employee doesn't intend to allow a cyber event into an otherwise secure business, but they do.
That's not all you need to be concerned with: each one of your remote employees lives in a location that may or may not be secure from a disaster. Especially if they are concentrated in Houston, TX, or Tampa, FL, or Wilmington, NC, for example. When your employees can't work, you will have to shift that workload to another location/other employees to handle. Can they do that? Are the resources available to keep operations running?
Is this a case of "no matter what I do, I'm going to fail"? No. it is a reminder, however, that no plan results in 0% risk. There are a lot of directions you can take in protecting and expanding your business. Check out all the paths. It's the only way to be sure. Make moves but know that other roads exist or are being built - you will need to be aware of them along the way and be ahead of the curve.
As Yogi Berra once said, when you come to a fork in the road, take it.
