It's Hurricane Season: 5 Expert Tips for Your Business Continuity Plan
Hawaiʻi businesses are well aware of the importance of disaster preparation. The outlook for 2022 anticipates two to four tropical cyclones, including hurricanes.
At a recent Hawaiian Telcom University event, my colleague Jordan Silva and I shared some helpful tips on Disaster Recovery and Business Continuity Plans. It is important to understand the difference between the two. A Business Continuity Plan (BCP) is a set of strategies and protocols designed to help organizations make sure that critical business operations run smoothly during and right after the disaster. Disaster Recovery (DR) is a process of restoring business operations after the crisis.
When it comes to planning for disasters, many companies start with Disaster Recovery. At that point, though, the crisis has already happened, and you can only evaluate its impact and start restoring your operations. What helps minimize the impact of a disastrous event before it happens is the Business Continuity Plan, and it needs to be prioritized.
Start with Roles and Responsibilities.
Many organizations start planning for disaster with technical solutions such as backup and security, but the flaws often lie in their communication plans. The worst time to be deciding who is accountable for certain actions and decisions is during a disaster. Prepare for these types of events by assigning roles and responsibilities related to your BCP/DR process. It is important to think through the smallest details, like who is responsible for declaring a disaster, who is telling staff not to report to work, who triggers the disaster recovery plan, and who gives the all clear. As businesses grow larger, planning for disasters becomes more complicated. Large organizations with many employees require a thorough communication plan, because every employee needs to know their part in the process. It needs to be written down and practiced regularly.
Be Prepared for Outages.
Natural disasters often result in power, internet, and phone outages. Make sure you have a hard copy of your most recent BCP and DR plan. If you are a critical business and need to stay open during a disaster, establish what you need to keep providing services during an outage. Make sure that the methods you choose remain compliant. For example, an outage is not an excuse for improperly stored personal data that ends up being stolen. Determine which operations need to be functional all the time and inform the employees involved in those operations.
Treat Ransomware and Data Breach as Disasters.
Ransomware remains one of the biggest threats for businesses, and it continues to be on the rise. It requires a response similar to that for a disastrous event and should be treated as such. Although ransomware’s risk profile is different than a hurricane’s because cybercriminals are targeting your business, the planning process is similar. Most businesses can either pay the ransom and hope the attacker provides the decryption key, or they can eradicate the attacker and recover from their backups. In any case, it is important to have a BCP and DR plan. The same goes for data breaches, except that, unlike natural disasters, these can easily go undetected. It is up to you to find the breach and figure out when it happened.
Invest (Only) in the Right Tools.
Never rely on a single cybersecurity solution because any defense mechanism can fail. Defense in Depth means using layers of protective mechanisms to defend your business assets and is one of the best available approaches to reduce risk.
When selecting your cyber threat prevention and disaster recovery tools, start with the weakest link in your security layers. If you have a good backup solution, start investing in better defenses to decrease reliance on your backups. If your defenses are good, but your backups often fail or restoration time is too long, invest in a better backup solution instead of a brand-new firewall, for example.
Invest only in tools you need and can successfully deploy and manage. Your defense tools should never be more expensive than the assets you are trying to protect, especially if the risk you are trying to protect against is low. If your solution ends up being more advanced than your process, consider opting for a managed solution, where a team of experts is fully responsible for configuring and maintaining this technology.
Pick the Right Backup Solution.
You should always expect that any of your defense tools, no matter how advanced, can fail. It may be a human error, a glitch, or a flaw in a recent update. You may also lose your data during a natural disaster. If this happens, you need to be able to recover your data from a backup.
When it comes to backups, here are the four key things to consider:
1. What needs to be backed up. Identify the assets you need to back up and where they are located.
2. How often it needs to be backed up. Establish the backup frequency, based on how often your data changes.
3. How long you can wait for it to be restored. Determine how long your business can operate without this data. If your business is in a low-bandwidth area, relying solely on an offsite backup can be problematic, especially if you need to restore your data quickly.
4. How long it needs to be stored. Consider this timeframe from a compliance and security perspective. An IBM study found the average time for a business to realize they were breached was over 200 days. If you only have one month of backups, you will have no way to recover anything pre-breach in a situation like this.
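The four points above can be checked mechanically against a written backup policy. The following is an added example, not part of the original article: the asset names, sizes, link speed and the BackupPolicy record are constructed for illustration, and it assumes a local copy restores fast enough that only offsite-only assets are limited by bandwidth.

```python
from dataclasses import dataclass

# "Over 200 days" is the average time-to-realize-breach figure quoted in the article.
DETECTION_DELAY_DAYS = 200

@dataclass
class BackupPolicy:          # hypothetical record, one per asset
    asset: str
    size_gb: float           # amount of data to restore
    change_hours: float      # how often the data changes meaningfully
    backup_hours: float      # interval between backups
    max_outage_hours: float  # how long the business can run without it
    retention_days: int      # how far back the oldest backup reaches
    offsite_only: bool       # True if no local copy exists

def restore_hours(size_gb, link_mbps):
    """Hours to download size_gb over a link_mbps line (decimal units, no overhead)."""
    return size_gb * 8000 / link_mbps / 3600

def unprotected(inventory, policies):
    """Point 1: assets in the inventory that no backup policy covers."""
    return sorted(set(inventory) - {p.asset for p in policies})

def audit(p, link_mbps, detection_days=DETECTION_DELAY_DAYS):
    """Points 2-4: return the list of checks this policy fails."""
    findings = []
    if p.backup_hours > p.change_hours:
        findings.append("frequency")      # data changes faster than it is backed up
    if p.offsite_only and restore_hours(p.size_gb, link_mbps) > p.max_outage_hours:
        findings.append("restore_time")   # offsite restore too slow for this link
    if p.retention_days <= detection_days:
        findings.append("retention")      # no backup predates a late-detected breach
    return findings

# Constructed sample data, not taken from the article.
POLICIES = [
    BackupPolicy("billing-db", 500, 1, 24, 8, 30, True),
    BackupPolicy("file-share", 200, 24, 24, 48, 365, False),
]
INVENTORY = ["billing-db", "file-share", "hr-records"]
LINK_MBPS = 20  # assumed low-bandwidth office connection

if __name__ == "__main__":
    print("no policy:", unprotected(INVENTORY, POLICIES))
    for p in POLICIES:
        print(p.asset, audit(p, LINK_MBPS))
```

In the sample, restoring the 500 GB database over a 20 Mbps link takes more than two days, which is the low-bandwidth problem described in point 3.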
These tips should ensure that your organization and your hard work can survive the unpredictable. Remember: be PREPARED, be AWARE, and be SAFE.
———
Michael Morales is Director - Business Services Consulting at Hawaiian Telcom. Reach him at michael.morales@hawaiiantel.com
© Honolulu Star-Advertiser