The Basics of Business Continuity and Disaster Recovery Planning: Can Your Business Survive When Disaster Strikes
By Tammy Moskites, CIO/CISO, Venafi
When a natural disaster strikes, such as an earthquake or a tsunami, oftentimes we’re not able to prepare for the unexpected. We have no way of knowing about it in advance to take any precautionary measures. On the flip side, if there are news reports and alerts that a Category 4 hurricane is headed directly your way, you will have time to either evacuate town or batten down the hatches so your home can hopefully survive the storm. You may also have time to stock up on gas, water, food, batteries, candles and other supplies, in case you’re without power for a few days.
The same rules apply in the world of information technology. Yes, a disaster can happen at any time, and while some may be more unexpected than others, there are several vital steps that you can take now to prepare your business to weather the storm. The first and most important step is creating a comprehensive disaster recovery and business continuity (DRBC) plan for your business. This is not a nice-to-have; it’s a must-have, and it could mean the difference between your company surviving or failing miserably.
When a security or IT failure happens, whether it’s a data breach, a network outage, a natural disaster or some other issue, enterprises need to have all the right processes and procedures in place beforehand to respond quickly. Business continuity planning will ensure that the business can keep running while recovering from the disaster. Gartner did a study last year that estimated the cost of network downtime is roughly $336,000 per hour. Many companies, especially small businesses, cannot suffer this kind of monetary loss, which is why being prepared in advance of a catastrophic event is the key.
To build out a DRBC plan for your business, you need to first identify all the points of failure and consider all worst-case scenarios that would take your business down. Some of these scenarios include:
What if your network gets breached and you discover you’ve been attacked by disruptive malware?
What if a supply chain partner has a failure that will impact your business?
What if your data center is wiped out by a tornado or experiences flooding?
What if your systems accidentally go down as you move to virtualization or the cloud?
What if your security certificates expire and your website suffers an outage?
Many different scenarios could play out, so it’s important to consider them all and how your business would communicate and respond, in order to stay afloat, when a disaster occurs. To do this, you must have a thorough understanding of all your IT systems and your entire network infrastructure, including the way it’s engineered and the processes and procedures required to operate it, and you must identify who owns the different systems that need to be kept running 24x7x365. Doing an upfront risk assessment will ensure you can properly prioritize your response when a disaster happens, and your teams will have accountability and know what steps to take to limit loss.
A well laid out DRBC plan is given below for your reference:
Conduct a Business Impact Analysis (BIA) to identify the systems and processes that are the most critical for the survival of the company and that will need to be restored first. This is where asset management comes into play: most people think they know what they have on their networks but they don’t, including, for instance, the number of servers and how they’re configured, which applications are running and where, and what software or operating systems are being used.
Understand what resources and personnel are necessary to keep those critical systems going. You may need to train backup staff on what to do, in case your normal staff isn’t available. Find out what possible threats your system is susceptible to and calculate the risks and costs of each one. Your legal and finance departments need to be aware of the costs associated with downtime to ensure the funds will be there when needed.
Determine the maximum tolerable downtime of these systems that your business can sustain and create backup/alternative solutions.
Have a crisis communications plan in place so that you can effectively communicate with your employees and customers when a disaster occurs. This may involve hiring an outside public relations firm that specializes in crisis communications and utilizing social media channels.
Create a disaster recovery team that is spread out among your headquarters and remote offices so that they are trained and ready to go in the event a disaster occurs.
At least once a year, conduct simulations and real-world exercises with your teams to play out different scenarios and determine gaps or weaknesses in your DRBC plan, so you can revise it.
Ensure top-level executives, including Chief Executive Officers (CEOs), Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs/CSOs), are involved in the DRBC planning process so they know exactly what could happen if the business suffers a disaster and what their role is in responding and communicating to both employees and customers. Senior leaders also need to sign off on the budget required to bring the systems back to normal operation. Having a firm grasp of this information, and knowing who owns the different systems within the business, will instill confidence that teams will promptly and effectively take action if a disaster occurs. But you must also practice regular emergency response drills with the team, not only to help strengthen the employees’ skill sets in stopping a disaster, but also to determine areas of the plan that need to be updated, either because of system enhancements, new employees, or information learned through other companies’ failures that you are not prepared for.