Disaster Recovery and Business Continuity

Introduction

We have all heard at least once in our life someone yell “the show must go on”. In Cybersecurity, this motto is often used to explain the necessity for a Business Continuity and Disaster Recovery plan (BC&DR). Incidents can happen, but they shouldn’t be a reason for you to stop your activity or lose more money than necessary. To defend from said perils, you must have a (BC&DR) plan. In this article I will give you a detailed explanation of how these two work together and a few guidelines for implementing them.

What are Business Continuity and Disaster Recovery

These two plans can be intertwined or even outlined in the same document, however, they address two different aspects of Cybersecurity and Organization Management:

Disaster recovery is the process of restoring normal operations after a (catastrophic) accident has occurred. This includes restoring data, hardware, software, and other IT assets to a state as close as possible to its optimal state. Disaster recovery plans typically address matters such as backing up data, creating and testing emergency procedures, and training employees on how to respond to catastrophic events.

On the other hand, business continuity is the process of quickly maintaining or restoring vital business operations during and after an adverse event. This usually requires developing plans to minimize disruption to the business, after identifying the most critical activities and the related infrastructures/resources that most accidents should not impact. Business continuity plans typically include strategies for maintaining or quickly restoring vital business functions, such as customer service, production, and financial operations.

The key difference between these two practices relies on the fact that Business Continuity plans are emergency temporary solutions that are easy to adopt in order to give an efficient response to an emerging issue. Disaster Recovery plans, on the other hand, can be slow and complex, but they aim to bring information and infrastructures as close as possible to the condition preceding the accident.

Importance of Having a Bc&dr Plan

The importance of having a Business Continuity and Disaster Recovery (BC&DR) plan was highlighted by the Fujitsu Group’s response to the Great East Japan Earthquake of 2011. Despite suffering a loss of around $100 million, they quickly restored all critical systems within 24 hours and fully operational within a week, due to their well-prepared BC&DR plan. Not only did they recover their own systems, but they were able to offer aid and support to other companies and individuals affected by the disaster. Having a BC&DR plan in place can significantly reduce a company’s potential cost of a natural disaster. Multiple case studies, including the Fujitsu incident, have demonstrated this. 

To create or evaluate your BC&DR plan, consider the following key steps.

Starting from Business Continuity:

1. Identify critical business Functions: A business function refers to any combination of activities and the necessary resources required to transform inputs into outputs. Critical functions, on the other hand, are those activities and individuals that are essential for the continued operation of your business – without them, your company would be unable to produce any outputs. The initial step in identifying critical functions is determining the key individuals and assets indispensable to your business’s survival.
2. Identify potential disruptions: Once you have identified assets and resources that are critical to your operations, it is essential to identify the potential threats that could potentially affect their functionality. These threats could include natural disasters such as earthquakes, political unrest, or exploitation of cyber vulnerabilities. It is important to not overlook the importance of clearly defining which of these disruptions apply to some, all, or none of the critical functions. This will help you to perform the next step in the risk management process efficiently.
3. Develop procedures for maintaining or quickly restoring critical business Functions: Once you have identified critical functions, it is important to develop a plan that ensures these functions can continue to operate in the event of a disaster. This can include creating a secondary location, having backup communication equipment, or implementing a set of instructions for other functions to follow in case of disruption. The effectiveness of this step will greatly impact your ability to identify a comprehensive solution for the most likely causes of disruption.
4. Develop a communication plan: A well-crafted Business Continuity plan is ineffective if it is not properly implemented. It is essential to have a plan in place to effectively inform employees and customers of any disruptions as they occur. To ensure the successful execution of your Business Continuity plan, it is crucial to have a strong and detailed communication plan in place. This plan should take into account potential disruptions identified during the planning process, to ensure that you are able to initiate your Business Continuity plan quickly and efficiently when the need arises.
5. Test and update the business continuity plan regularly: As previously stated, if your plan is not executed correctly, it will be ineffective. To ensure success, it is important to continuously train employees on business continuity procedures and actively incorporate feedback received from them, as deemed appropriate. It is crucial to ensure that your workforce is properly trained and any potential weaknesses in your plan are identified before a crisis occurs.
6. Establish a plan for maintaining and updating the business continuity plan: Identify and document any resources that need to be regularly updated in order for the Business Continuity plan to be effective. Establish specific deadlines and assign individuals responsible for keeping these documents current.

On the other side, a Disaster recovery plan should incorporate the following:

1. Identify Critical Systems and Data for Recovery: It is crucial to identify the infrastructure and resources that are of high priority and need to be recovered in the event of a loss.
2. Identify Potential Disaster Scenarios: Different disaster scenarios can have varying recovery costs. For example, a server room flooded for 24 hours will have a different recovery cost than one flooded for less than 1 hour.
3. Develop Procedures for Backing up and Restoring Data and Systems: Create a detailed plan to recover the resources identified in step one, based on the scenarios developed in step two.
4. Test and Regularly Update the Disaster Recovery Plan: Ensure that employees are informed of the disaster recovery procedures and trained to follow them. If the procedures involve the involvement of third parties, make sure to have appropriate agreements in place.
5. Establish a Plan for Maintaining and Updating the Disaster Recovery Plan: Identify and document any resources and vendors needed for the recovery process, and keep those lists updated. Additionally, remember to update your scenarios and budgeting as needed.

When it comes to developing a Disaster Recovery and Business Continuity plan, the approach you take is entirely up to you and your company’s preferences. Some companies prefer to have a single, comprehensive document for simplicity’s sake, while others prefer to tackle each aspect separately. Regardless of which approach you choose, it’s important to keep in mind that neither one inherently offers any particular advantages or disadvantages over the other.

The Bottom Line

It’s crucial to keep an open mind and stay vigilant when developing either a Disaster Recovery or Business Continuity plan. The reasons for doing so may not be regulatory compliance, but rather strategic and competitive considerations. Unforeseen events such as political turmoil, cyber attacks, and natural disasters can significantly impact any industry. Those companies that are prepared to weather such events and recover quickly are the ones that will be able to turn a crisis into an opportunity. Don’t let a lack of planning be the factor that holds you back.