What will your company do in the face of a worldwide pandemic (e.g., COVID-19), an active shooter, a hostage situation, an ice storm, hurricane, tornado, or flood? More importantly, how do you prepare, and will you be prepared?
Thinking through each threat scenario your company could encounter takes up a large chunk of time, and you might not know where to start, what to cover, or where to look. The time cost of mapping out a complete DR plan alone is enough to end the project before it ever begins.
But, flip your perspective and look at this DR plan as insurance. Like insurance, when the disaster does happen, your company is going to need it. Discovering disaster recovery after it’s too late is not your best option.
At CCI Systems, disaster recovery is a must to ensure the safety and security of our employees, clients, and partners. We know DR because we plan, prepare, and test each quarter, rotating between the 3 main disaster types.
In this article, you will learn what you need to consider during the outline stage of your DR plan, what the 3 main disaster types are, how applications and third-party security analyses can put your company to the test, why the communication to and the education of your employees is very important, and why knowing how prepared your partners are will keep your company safe and secure.
Do not begin the planning process within 24 hours of a disaster event, or worse, after the disaster has occurred. Be proactive and start jotting down the outline of a plan right now!
When drawing up the DR plan, whether your company is customer-facing (B2C) or business-to-business (B2B), remember that this plan should be easily and readily shareable with clients. This provides transparency and reassurance into your company’s commitment to security.
This plan design will control the rollout and redeployment of your employees from their homes, from a hotel, or from another designated building outfitted to support the needs of your team (e.g., a colocation data center).
Disaster recovery can be broken out into several categories with subcategories beneath those, depending on how in-depth your company might need to go. Typically, this hinges upon the field of work, service, and/or the focus of the company assembling and laying out their greatest points of impact.
For example, a cyber disaster can be split into:
Each of these subcategories can have a specific DR plan designed to uphold that portion of the business or network. This is where the company’s leadership decides how focused their plan needs to be to account for every variable.
For the sake of discussion, this section will reference the 3 primary elements of disaster recovery: natural disaster, human disaster, and cyber disaster.
A natural threat or natural disaster is the easiest DR type to envision and understand, as it affects all aspects of life in a given region.
Inclement weather events are situations your company can plan for, especially when alerted in advance by the National Weather Service. Being prepped for hazardous weather events can mitigate potential disasters.
Being able to know bad weather is coming gives a company time to prep, close up shop, or relocate personnel and equipment to a secure location when needed.
Power outages or external equipment damage are common during these events.
Top-of-mind to industries around the world in 2020 is a human disaster (or a man-made disaster). The timeliest example of this DR type is the COVID-19 pandemic affecting all facets of business and logistics this past year.
Other examples include human threats, such as:
Assessing and coordinating this disaster type with local authorities and other emergency coordinators within the community is recommended.
Cybersecurity has become a prominent feature of modern society and business. The loss of data or the fear of sensitive data being compromised (or breached) is a real and growing threat.
With the application of cloud-based software development and automation across every industry, the matter only becomes more prominent.
Of the 3 disaster types, mitigating cyber risks and threats arguably carries the most importance under the wide-reaching umbrella of telecommunications.
Running tests every month, bi-monthly, quarterly, or at the very least, annually, will prepare employees to implement disaster plans with ease.
Rotating between the three main categories of human, natural, and cyber disaster will keep the procedures fresh in the minds of employees and leaders alike.
The emphasis on smooth communication between employees and leadership will trickle down to clients and customers during a time of extreme stress.
If disaster strikes, the stress of the situation increases the probability and occurrence of errors and mistakes without a properly designed plan.
As an added precaution, a person (or persons) within the company may carry an emergency file to address all situations and scenarios, either as a hard copy or an encrypted digital copy, in the case of a real disaster.
Perfect practice makes perfect execution, so it is a good idea to get testing on the calendar today.
In the event of an emergency, technology can help tremendously when alerting and notifying all employees and personnel.
Recipients of the alerts and notifications will be given a bridge to jump on to take further instruction at the time of a declared emergency.
An additional measure is submitting your company to penetration testing. This will help to weed out any vulnerabilities and can be accomplished by hiring a third-party security company, like CrowdStrike or Secureworks.
This will increase your ability to get the job done when a disaster occurs, proving your infrastructure cannot be shut down or penetrated by an outside force.
A disaster recovery plan will emphasize communication.
How your company communicates with and notifies your employees of a disaster event will create less disruption.
Continued training and testing will allow employees to reassure clients that everything is accounted for and taken care of during a time of crisis.
Being the first point of contact with clients, employees should know and understand the ins and outs of the DR plan. Confidence in the plan will allow a confident demeanor when speaking to clients under pressure.
Not all of these considerations will suit your DR plan, but it is important to show every precaution has been taken and considered in advance. This will ensure peace of mind for any partner or vendor your company does business with now and in the future.
Do you know what your business partners have by way of a disaster recovery or business continuity plan? What other vendors or partners might they be working with in addition to your own company, and do those affiliates have a plan as well?
Do they know what their vulnerabilities are by conducting a thorough gap analysis? How often do they update their materials and DR plans?
If you don’t know the answers to any of these questions, all you have to do is ask.
It is the duty of a provider—whether B2B or B2C—to be committed to supporting their customers. Contingency plans, formal or nonformal, are necessary to uphold that commitment.
The breach of a partner network that is connected to your network can spiderweb out into a massive data breach. Knowing your partners’ protocols, processes, and procedures will help mitigate any potential fallout.
Taking the extra step to plan together will ensure a unified strategy between both companies, enabling you to better combat any future network outage or nefarious activity.
Once you address this question, you may find a partner of yours acknowledges they do not have a plan in place. It may be too costly for them to undertake, or it may be unimportant to their business objectives.
Depending on your operational risk appetite, your company will need to weigh the pros and cons of continuing to work with this partner or vendor.
If a partner or vendor is high risk with a high contribution to your network or systems, replacing this vendor may be the smartest option for security purposes.
Putting a DR plan in place is a collaborative effort from the top down to paint a picture of these possible scenarios and possible outcomes.
While the process can be incredibly painstaking for leadership and employees—making it an easy target for resistance from CEO and COO to directors and management—it is a necessary function of a well-protected and fortified company.
Awareness of disaster recovery is becoming more widespread and growing at such a rapid rate that some support service providers are beginning to offer Disaster Recovery as a Service (DRaaS).
By laying out every impact point with a thorough failsafe system, consisting of human and digital components, your company can weather a disaster and maintain a semblance of order under dire circumstances.
CCI Systems knows good disaster recovery planning. During the COVID-19 pandemic, CCI was able to move employees to remote work in less than 7 days.
Every piece of software we use is cloud-based, and every employee has a laptop with VPN connectivity. CCI even stores pallets of backup laptops to deploy for emergency use.
When your company offers services to clients and customers, or if your company hires an outsourced provider, it is important to know the details of a well-structured DR plan.