Carrying On After a Disaster

July 1, 2008

Natural disasters that are weather related can create more of a security threat to the business and its employees than more rare terror and violence threats.

The more often you test the disaster recovery plan, the greater the chance that there will be a smoother continuity of the business operation.

A TORNADO IN THE MIDWEST

A hurricane in the southeast. An armed robbery out west. A crooked CEO on Wall Street.

Disasters happen everyday. There are big ones and little ones. Some grab national headlines; others are hidden away. But all impact the enterprise and security, among other departments, needs to make sure the business carries on as quickly and completely as possible.

It’s called business continuity.

Enterprises that are not properly prepared for unexpected interruptions in their businesses -- power outages, terrorist attacks, server failures, natural disasters and other events -- will find their operations jeopardized, profits negatively impacted and employees potentially placed in peril. To avoid and minimize such threats, it is vital for enterprises to evaluate their business continuity and disaster recovery (BCDR) strategies.

MORE ATTENTION TO DISASTER RECOVERY

That’s a conclusion in a report, Business Continuity: Implementing Disaster Recovery Strategies and Technologies, from the Aberdeen Group and underwritten in part by IBM, InMage and MIR3.

“Managing business continuity is not an easy feat; however, enterprises must make it a priority,” Amir Moussavian of MIR3 told Security Magazine. “Instant, two-way communication with employees and administration can be the difference between success and failure when it comes to execution of a business continuity or disaster recovery plan. Additionally, companies that invest in alert systems are finding added value, using the technology to communicate with traveling employees about business challenges, manage correspondence with clients and receive and interpret real-time feedback from
recipients.”

The Aberdeen Group report encouraged chief security officers and their companies to review, test and implement BCDR plans. To gather the metrics for its paper, Aberdeen surveyed more than 150 organizations about their BCDR plans and needs. The study indicated that 76 percent of companies that currently maintain a BCDR plan said risk of business interruption was the primary factor driving them to implement the plans. Furthermore, the report pointed out that while 62 percent of the companies surveyed experienced between one and five business interruption events in the last 12 months, 34 percent said they still did not have a BCDR strategy.

MEASURE INTERRUPTIONS IN MINUTES. NOT HOURS

“Our study stated that, on average, businesses indicated their operations were interrupted by an unforeseen event for approximately four hours,” said Jeffery Hill, senior research analyst, data management and storage practice at Aberdeen Group. “The amount of time that it takes to recover from a four-hour server outage can cause business losses disproportionate to the size of the event in terms of lost revenue or data. Since enterprises can be severely set back by such unforeseen disruptions, it is necessary for them to plan ahead and address their company’s BCDR needs. Businesses should also consult with vendors to discuss which alert notification system can efficiently send messages to all of their organization’s employees within seconds via text message, cell phone, TTY, SMS and e-mail.”

Aberdeen used three key performance criteria to distinguish “best-in-class” companies when it came to business continuity.

An ability to meet recovery time objectives or RTO.
Recovery from the most recent business disruption in less than one hour.
Greater than ten percent decrease in unplanned downtime.

There is also emphasis on emergency notification, according to the Aberdeen Group report.

Consider the case of a large agency of the Federal government with more than 50,000 employees, 30,000 of which are located in a building in , Such agencies are required to meet a continuity of operations mandate from the General Accountability Office in which they must supply an approved plan for dealing with all aspects of continuity planning. The outbound telephone system could not handle the call volume to notify its 100-member critical response team, let alone get the word out to all 30,000 employees, in a timely fashion.

OUTSOURCING CERTAIN TASKS

The agency considered two approaches: an internal turnkey system managed by agency personnel or a hosted solution, in which a vendor of emergency notification services provides an infrastructure outside of the agency. The hosted solution turned out to be the best solution because it provided required functionality, including the ability to roll from cell phone to text messaging to SMS messaging automatically.

An unexpected benefit for the agency was the ability to use the same notification system for non-critical alerts. For example, a team leader could use this method to notify his or her team members of important meetings or changes in schedules in an automated way.

According to the Aberdeen Group report, if there is one message that enterprises need to hear it is that the business continuity is more than a strategic exercise. The business cost of even a brief interruption can be measured in lost business and lost customers. The message is clear: Organizations must proactively develop, test and implement a comprehensive disaster recovery strategy to ensure business continuity, or be exposed to potentially disastrous losses.

Bill is the editor emeritus of Security Magazine, and he can be reached at (773) 929-6859.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.