Published: 28 February 2022
The Russian invasion of Ukraine is underway. Businesses and service providers with software development or other IT service centers (captive or outsourced) in the impacted region must immediately take pragmatic and specific actions to minimize risks to their enterprise.
While Gartner research may touch on legal issues, we do not provide legal advice, and our research or guidance should not be construed or used as a specific guide to action. We encourage you to consult with your legal counsel before applying the guidance and recommendations contained in our research.
With the Russian invasion of Ukraine, end users and service providers with IT services delivery centers in these regions are uncertain about service continuity. Gartner estimates there are over 1 million IT professionals in Russia, Ukraine and Belarus put together, of whom around 250,000 work for consulting or outsourcing firms that serve clients outside of the region.
Many businesses and service providers are still recovering from the challenges of COVID-19, with the majority of the workforce working from home. As a result, many basic risk mitigation strategies like rehearsing third-party contingency plans and downtime procedures, disaster recovery (DR), and business continuity plans (BCP) for site, city and country outages may not have been run for some time. Moreover, these plans might not have been updated to consider work from home and public telecom and internet outages. Furthermore, work is predominantly delivered remotely; business artifacts — codes, design documents, test scripts and so on — might have been stored on local hard disks with a cloud backup. Anything stored on local hard disks in the countries of conflict carry significant business, market and operational risks.
Enterprise connectivity is now ubiquitous, and a major concern with this conflict is the possible use of cyberwarfare. With COVID-19 having extended networks from office blocks to drawing rooms, the potential points of entry for malware, ransomware and other forms of cyberattack increase. In a connected world, a cyberattack emanating from the conflict region can quickly spread to sites anywhere around the globe.Such attacks may mean that businesses will not be able to interact with their providers if telecommunications and hosting are disrupted.
The imposition of sanctions against Russia will increase the complexity for many businesses and service providers with IT staff and local IT operations in Russia and other impacted countries. Paying wages, expenses and invoices to local suppliers, moving staff in and out of the region, and controlling site security will all become vastly more difficult.
Act with a human-centric approach; failure to do so will risk lives, and could exacerbate mental health issues for you and your team. At all stages, seek to promote and prioritize actions that can support impacted staff within your organization, as well as from your service providers.
Reach out to your service providers to see how your organization can help. Seek out any local support your organization can offer and be prepared to advocate for impacted individuals. Also, collaborate with other service providers who can step in to minimize disruptions to your service delivery.
Continue to move your own or service provider’s staff to nonimpacted delivery locations or countries. It may be difficult, but if possible, use local connections, foreign governments, state departments and international aid organizations to fast-track moving staff and their families.
Immediately execute your DR/BCP for the impacted region, if not already done. Check with your service providers to ensure that they have successfully moved their work to safer locations. Enable their moves and remove any bottlenecks. Advocate for your service provider by identifying ways other providers can step in to expedite the move. Leverage third-party personnel safety and protection services that will work in the area.
Delay any new projects to be delivered from these regions until tensions are settled. Whether business or service provider, prioritize system patches and updates over feature releases to protect your enterprise systems from any vulnerabilities. Plan for only those feature releases that are business-critical and absolutely essential. The rest should be moved into backlogs for future releases.
Relax service-level agreements (SLAs) and key performance indicators (KPIs) to ease the burden on internal and service providers’ operations. Where such alternatives do not exist, seek legal advice on whether the conflict constitutes a “force majeure” event so that SLAs and KPIs can be relaxed for a certain period. If your service provider invokes force majeure provisions, ask your legal advisor about actions you can take to move work in-house or to another provider without breaching the contract.
Work with your network, security operations center (SOC), and security and risk management teams to temporarily segregate networks in these regions, and put in place enhanced intrusion detection and response capabilities. With the risk of cyberwarfare or ransomware attacks being spread across affected networks, it is important to bear in mind that your service provider may retain a local connection, which may pose a risk to your network. Validate that all important business artifacts, including code, data, designs, documentation, test scripts and configurations, are safely stored in servers within your local jurisdictions. Ensure that nothing is left on local hard disks, local servers or cloud servers in those countries. If work needs to continue locally, use cloud-based copies of the master data and replicate back to the master copy at least daily.
Seek specialist advice from accountants, legal advisors and crisis specialists if you have to move money in or out of Russia. With sanctions imposed against Russia, be extra careful that sanction conditions are not violated.
Communicate regularly, if required, on an agreed cadence with internal and external stakeholders and customers. It is important to let all stakeholders know what is going on with your support or development operations, how this may impact deliverables, and what you are trying to do to remediate the situation.
Prepare for longer-term possibilities if the conflict proliferates into other parts of the world, or leads to political unrest in nearby countries, by reviewing your DR/BCP and third-party contingency plans for your other countries of operation.
The situation at the time of writing is evolving by the hour. Business and service providers should take immediate actions to isolate their delivery centers in these regions and should already be reprioritizing initiatives and projects. Next, move work out of the impacted area, and take actions as recommended here.
Recommended by the Authors