Disasters may be detrimental to organizations that don’t have an emergency plan. Planet 9 advises on how to ensure continuity during an emergency.
An essential element of business survival is the ability to manage disruptive events. Organizations in the United States had hardly prepared for the 2021 Atlantic hurricane season before being hit by a new uncontrolled threat: western wildfires. Even where organizations are more or less prepared for hurricanes, wildfires still take most by surprise. Natural disasters may be detrimental to those that cannot ensure the safety and security of their data and systems. Therefore, to avoid a collapse, organizations should have a “plan B.”
In terms of data security, “plan B” is simply a business continuity and disaster recovery plan. Here are several recommendations on developing the plan, preparing for a disaster, protecting systems and data integrity during an emergency, and recovering after common disasters.
The first rule to help your business mitigate and recover from a disaster is having continuity and disaster recovery plans in place. Continuity planning ensures that the organization can continue functioning in emergency mode until regular operations can resume. Disaster recovery planning, in turn, contains a set of policies and procedures to protect sensitive information and ensure the fastest response and recovery.
Most existing cybersecurity regulations, such as the GDPR, CCPA, PCI DSS, and HIPAA, contain business continuity requirements. For example, HIPAA requires implementing a contingency plan when a disaster blocks access to systems containing patients’ protected health information (PHI). PCI DSS requires implementing an incident response plan in the event of a data breach while ensuring business recovery and continuity. These regulations also have something to say if data is mismanaged during a disaster: organizations may be penalized for improper data management during an emergency.
The business continuity plan is developed based on the various risks the organization may face in a particular area. The best way to develop a disaster recovery plan is to compile a list of all potential security risks that could arise during a disaster. The risks may include but are not limited to storms, wildfires, and floods. Next, one should create solutions to prevent and protect against them. As such, business continuity and disaster recovery plans are a kind of “plan B,” allowing businesses to keep running even in the event of a disaster.
One of the most widely established standards pertaining to business continuity is ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements. ISO 22301:2019 is the international standard designed to help businesses prevent, prepare for, address, and recover from disasters. Specifically, the document specifies requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity appropriate to the amount and type of impact that the organization may or may not accept following a disruption.
According to ISO 22301:2019, businesses must develop their business continuity management system based on:
These principles are summarized below and represented as common recommendations on assuring business continuity during disruptions like natural disasters.
There is no doubt that the main focus of natural disaster mitigation is saving lives. However, when it comes to businesses, one of the primary tasks is protecting data and securing digital systems. A critical safeguard for sensitive information is making data backups. Organizations should have a data backup plan to create and maintain retrievable copies of sensitive information during an emergency. However, creating backups and putting them on a shelf is not enough. Organizations should maintain the security and availability of their backups and keep the backups updated in line with changes in the organization’s live system. When making data backups, remember that an in-house or on-premises backup system may be unreliable and easily destroyed during a disaster. Therefore, considering off-site or cloud environments is more reasonable.
The first thing that comes to mind when trying to get people away from a disaster’s epicenter is evacuation, and the same works with data. However, businesses no longer need to physically transfer data folders to a safe place. It is now possible to “evacuate” critical information to a remote cloud environment. Note that the “evacuation plan” must be developed well before the disaster occurs.
The traditional approach to disaster recovery requires loading the servers with the OS and application software and then patching them to the last configuration before the data can be restored. This process is often resource-intensive and time-consuming. Nowadays, most cloud providers offer cloud disaster recovery services to help clients quickly recover their resources and get remote access to critical systems in a secure virtual environment.
Unlike traditional data recovery processes, cloud disaster recovery encapsulates the entire server, including the OS, applications, and patches, into a single virtual server. This virtual server can be copied or backed up to a remote data center in a matter of minutes. Such an approach significantly reduces the recovery time, which is often essential while working in an emergency.
Other unpleasant consequences of most disaster events are power failures and hardware damage. Even if you have off-site backups, your business may suffer from the downtime caused by such physical disruptions. Thus, pay closer attention to the safety and security of the hardware. In case of hurricanes, consider investing in raised floors so that flooding does not damage your equipment. Also, invest in fire extinguishants and don’t forget about physical security. Take all measures that would help your business get through the disaster with minimal losses.
Even if the natural disaster does not physically affect the business, hacking attacks and scams may proliferate. As we already mentioned, the first thing that comes to people’s minds is saving lives, and perpetrators may take advantage of it. For example, hackers may create fake donation websites only to obtain sensitive personal information supplied by the victims. Such scams were widespread during Hurricanes Katrina in 2005 and Florence in 2018. Hackers continue using similar fraud schemes to set up fake charity sites while stealing the card information of those trying to help people in need. The main thing we can do to minimize the risk of a hacker attack is to educate personnel on recognizing, resisting, and reporting these attacks.
In areas especially prone to natural disasters, organizations must train their employees on the tactics hackers use in different disaster scenarios. To minimize the possibility of becoming the victim of a hacker attack, train your teams to recognize phishing emails, spot fake donation websites, and report suspicious activity. Also, be sure to remind your personnel that they’ll see more phishing attempts after disasters and should stay vigilant.
There is no way to prevent disasters, but minimizing the risks and damage they cause is still possible. Despite technological and operational advancements, hurricanes, wildfires, and other natural threats are often detrimental to businesses. Disasters may cause data loss, software and hardware damage, and increased hacker activity. To avoid the most harmful scenario, businesses should take a proactive approach to disaster management and preparedness. Remember, the cost of data protection and backup is typically much less than the recovery expenses.
Have more questions regarding business continuity and disaster recovery? Contact the Planet 9 team. We’ll be happy to assist!