Photobank - Fotolia

Disaster planning: How to expect the unexpected

Focusing too much on specific disasters rather than considering an organisation’s data protection, network security and process requirements, can lead to unpredicted vulnerabilities

This article can also be found in the Premium Editorial Download: Computer Weekly: Digital takes the racing line in Formula One

If there is one thing that unites all organisations that have had the misfortune of experiencing any disaster, natural or otherwise, it’s that they tend to have believed it would never happen to them.  Indeed, such disasters can affect everything from small teams of independent developers to large multinational corporations.

The number and types of disasters are increasing year on year, and can be broadly divided into three categories: natural, anthropogenic and cyber.

Natural disasters are typically weather and geological events, such as hurricanes, severe storms, earthquakes and tsunamis, but can also include threats external to the Earth, such as powerful geomagnetic solar storms.

Anthropogenic disasters, on the other hand, are much more diverse, and can be everything from riots and terrorism to fires, burst pipes and industrial accidents.

The newest category of disasters is cyber disasters, which might be a cyber attack against an organisation, or a sustained loss of connectivity in the region.

A typical example of cyber disaster was the spread of the WannaCry attack, which took down much of the NHS.

The response by the IT teams of the NHS, of shutting down their networks and relying on pagers and written notes, indicated they were surprised by, but prepared for the attack.

Flooding

With the ever-increasing threat from climate change, flooding has become a growing threat against business premises.

However, flooding does not have to come from severe weather events; it can also occur from unexpected sources. “It never even crossed my mind that water would come from above,” says Jo Smedley of Red Herring Games, referring to an incident with a leaking washing machine on the floor above.

“We are in a flood risk area, and when the sirens go off, we ensure all important equipment and papers are lifted off the floor; but this time, the water came from above the office and deluged all the equipment and desks.”

Natural and anthropogenic disasters tend to affect all organisations in the region, but how they are affected will vary.

Larger organisations will typically have the advantages of a greater resource reserve and multiple premises in different regions, but they can be slow to react and their communications can struggle. Smaller organisations can be much more adaptable and swifter to react, but rarely have resources in reserve and are usually based in one fixed location.

As with all things, preparation is key, and therefore it is worth taking time to prepare business continuity strategies and disaster plans. Rather than being scenario-specific – having dedicated plans for different eventualities – organisations should take an agnostic approach with their business continuity strategies.

“If your business recovery plan is written strictly for recovery, regardless of scenario, then you will be in the best shape, as you will know that whatever happens, the plan has been tested,” says Dan Johnson, director of global business continuity and disaster recovery at Ensono. “You will go to your backup procedures that keep your daily processes moving and make sure business is flowing.”

Extreme weather events

An exception to this is if an organisation is based in a region that is regularly threatened by specific types of extreme weather events, such as hurricane season in Florida. In this case, it would be prudent to have dedicated scenarios in place, due to their likely frequency. Certain, potentially high-hazard industries are also required by their regulators to have plans in place for specific events.

Business impact assessments are the first step in continuity planning. Business processes are evaluated to allow organisations to identify the critical areas of the organisation, together with which processes are most important for keeping the business afloat. These assessments should also determine the internal and external processes that support these critical procedures, considering the impact if they could not be performed.

Following a business impact assessment, round table discussions should be held. These allow further understanding of the interoperability of the organisation and the potential points of failure.  At the very least, these should involve key stakeholders, from each of the critical business units, to run theoretical scenarios of potential crises. For instance, in the case of loss of power, how would they respond and what would they need to maintain continuity?

Read more about business continuity and disaster recovery

Once the critical processes and interdependencies have been identified, organisations can take steps to ensure that – in the event of a crisis – there are the appropriate backup systems and processes in place to support the organisation and maintain business continuity.

A core element of any continuity of business plan is a suitable backup strategy. With the advent of cloud storage systems, such as Dropbox or Onedrive, offsite cloud storage has never been simpler. That said, care must be taken in ensuring that data has been securely stored and that the proper access controls are in place.

“As most of our business relies on computer files, I had already been working with a backup storage company,” says Smedley about the flooding incident. “This meant we could get down the files we needed immediately to keep us operational, using laptops from home.”

The key to any successful business continuity plan is ensuring communication. This is not just internally, with management teams and project leaders, but externally as well.

Communicating with clients, suppliers and the media ensures awareness is raised as to the organisation’s current situation. Managing such communications ensures an organisation’s responsiveness and business continuity, as well as ensuring inaccurate reports are not circulated, especially to the media.

“I have really good relationships with all my suppliers, due to prompt payments of invoices and regular business networking,” says Smedley. “Everyone responded to us speedily and did what they could to help, within 24 hours.”

Administrative challenge

Communication for larger companies can become a struggle, especially if they have high turnover rates. In these cases, it can become an administrative challenge to maintain an up-to-date list of everyone’s contact details in such eventualities. Therefore, organisations may choose to focus on contacting managers, and to rely on them to inform their employees about what has happened and how business operations are to be executed.

Contact lists need to be thorough and up-to-date, in case of the telecommunications infrastructure being impacted. It is worth having multiple contact details for everyone, from landline and mobile, through to email and Skype.

Having more than one method for contacting employees also builds redundancy into the contact lists. However, it is also important to remember that the storage of contact details is subject to the General Data Protection Regulation (GDPR), as it’s classed as personal data, and hence the appropriate controls and security measures need to be in place.

Organisations may also wish to consider having a dedicated webpage or phone line providing site status information. This can be used to provide updates for both likely events, such as adverse weather conditions or traffic problems near the site, as well as more serious incidents.

Identifying points of contact for news organisations and social media is also useful. “You need to know who, and what kind of message, you are going to pass out to the media,” says Johnson.  “So, it is one message coming from your company and not a hundred different people giving their opinion online.”

Business continuity operations

Security plays a critical role in business continuity operations. IT teams need to ensure that backup systems are fully patched and that access rights are up to date.

The maintenance of backup systems can often become a low priority, but this can be to an organisation’s detriment, given that disasters can occur at any time. Therefore, the updating and patching of backup systems should become routine.

“The worst thing that can happen is that you recover, and think everything is going fine in backup mode, only for something to happen from someone impacting your network, because you did not have your security in place,” says Johnson.

Continuity of business plans do not end once the crisis has passed. They need to remain in place until the premises are fully operational again, which could take several weeks or more.

Business continuity plans should consider the viability of employees working from home, as well as the need for backup premises. However, just having the location available is not enough; it also needs to be accessible by the employees.

As well as maintaining the ongoing business operations, organisations should factor in the possibility of employees requiring counselling following a traumatic event. For example, in the event of a fire or active shooter at the premises, it is highly likely that employees will be psychologically scarred and be unwilling to return to the location of the incident. Counselling services could therefore be identified as part of business continuity plans, in preparation for such events.

Resilient systems

Another form of disaster planning that organisations can undertake is building resilience into their systems. For hardware management, a business continuity by design approach ensures that each time new systems are incorporated into an existing network, they do not have a single point of failure.

Consideration should also be given to the physical items required for business continuity. Incident response packs – also known as battle boxes – are kits for continuing business operations during a crisis (when it’s safe to do so).

Unlike disaster management supplies (which typically contain items like medical supplies and loudhailers), incident response packs may include items like stationery and important documents. However, with the increasing dependence on permanent access to data, the inclusion of smart devices may also need to be considered.

Owing to their portability and independence from mains power, at least one tablet or laptop should be considered for each incident response pack. Those with a long battery life, and which share a similar operating system and software suite to the organisation’s, will be the most effective devices. These devices need to be regularly charged and updated to ensure applications are securely patched.

Another consideration is having multiple uninterruptible power supply (UPS) power banks and spare wall chargers, with sufficient adapter cables for all devices. These chargers and cables should not be chosen based on price, as an unsuitable charger can damage devices and – in extreme cases – make them unusable.

Backup power supply

In some cases, organisations might want to consider having a backup power supply, such as a generator, in case the electricity supply is lost for more than a few hours.

Given the current rate of change in the modern enterprise environment, organisations should regularly review their business continuity plans to ensure the backup processes they have in place are still viable and have not become obsolete due to new systems being used.

None of these systems and preparations will mean anything unless employees are aware of what should be done and the system is regularly tested to ensure operability. Organisations should take steps to ensure employees are regularly informed of the business continuity plans and what they should do in the event of a crisis. These could be combined with fire drills to assess the organisation’s response to critical failures. 

With the multiple emerging threats facing modern enterprises, it is impossible for organisations to prepare for every potential eventuality. Rather than being scenario-specific, they should approach disaster planning by looking at the business itself and what could go wrong. Having these plans in place will give organisations the ability to better withstand disasters and maintain operability for far longer.

Some might argue that spending money and resources on preparing for something that may never happen is wasteful. But, as Franz Kafka reputedly once said: “Better to have, and not need, than to need, and not have.”

Read more on Business continuity planning