This article is courtesy of TechRepublic Premium. For more content like this, as well as a full library of ebooks and whitepapers, sign up for Premium today. Read more about it here.
No organization can afford to ignore disaster preparedness—the stakes are higher than ever and new risks are coming into play. Planning, reviewing, testing, and drilling should be an ongoing process.
Recent events like Russia's US 2016 election interference and new disclosures about the release of CIA documents should impress upon CEOs, CIOs, and other high-level corporate decision makers the need to revisit and potentially retune their disaster recovery and business continuation plans for greater risks of cyber break-ins and information compromise. At the same time, executives need to remain vigilant about DR situations that are created when systems fail or services are disrupted.
Unfortunately, there is one persisting fact that hasn't changed much: Disaster recovery readiness (and retuning, if needed) comes in near dead last in corporate project planning.
This is largely due to decision makers believing that disaster planning is low priority because disasters are unlikely to happen.
However, a 2016 CloudEndure survey revealed that 57% of companies had at least one system and/or service outage in the last three months, and one-third of respondents had an outage in either the last week or the last month. 2016 also saw major PR disasters, such as Wells Fargo being fined $185 million for illegal sales practices that included opening as many as two million accounts for customers without their knowledge and Samsung's exploding Samsung7 smartphone. And in the cyber DR space, Snapchat, Verizon, Wendy's, the Department of Justice, LinkedIn, and Oracle were all hit with data or security breach disasters.
Enjoying this article?
Download this article and thousands of whitepapers and ebooks from our Premium library. Enjoy expert IT analyst briefings and access to the top IT professionals, all in an ad-free experience.Join Premium Today
"When it comes to managing a data breach, having a response plan is simply not the same as being prepared," said Michael Bruemmer, vice president at Experian Data Breach Resolution. "Unfortunately many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills."
So what can your company do to ensure that your DR plan is equipped to handle a disaster if and when it strikes?
1: Make sure your disaster scenarios are current
Cyber threats like malware, ransomware, data breaches, security break-ins, and intellectual property theft continue to propagate. If you're not updating your disaster recovery plan regularly, chances are that your plan is out of date when it comes to addressing threats like these.
2: Make DR a corporate-wide responsibility
For years, DR plans have been assigned to IT because there was a feeling that a majority of DR situations occurred when systems failed, and this was the domain of IT. IT is still the central player—but others should be on the playing field as well, such as marketing/PR, which has the responsibility of keeping stakeholders, customers, and the media up to date during a disaster. Your communications plan with persons inside and outside of the company should be well coordinated with your asset and system recovery plan.
3: Mandate a DR review and test at least annually as part of your corporate governance
DR in every case doesn't have to be a full dress rehearsal, but it should require every role holder in the plan to review his or her responsibilities and to make revisions as needed. An interdisciplinary business-IT group should also meet annually to discuss any new areas that the DR plan needs to address. Finally, the DR plan needs to be exercised so that you know it will work. These test exercises can be done through data center failover exercises in IT—but they should also be done through desk checks and practice scenarios in marketing to ensure that communication trees and responsibilities are followed.
4: Talk with your vendors
Especially if you are moving more apps to the cloud, DR tests will need to be arranged with vendors. To ensure vendor participation, you should also include in new contracts a provision that guarantees you an annual DR test window on the vendor's system.
5: Meet with your liability insurance provider
Every year, corporate liability insurance providers look at their losses and develop new guidelines for insurance and premiums. This includes reviewing the disasters that have occurred to their corporate clients. The bad news is that you usually see your liability insurance costs go up. The good news is that you can gain insight by meeting with insurers to see what types of disasters they have been seeing so you can make sure that these disasters are addressed in your DR plan.
6: Make your DR plan review and test part of your normal business cycles
DR shouldn't be a "special project." Just as your company has monthly, quarterly, and annual financial close cycles, a regular cycle should be established for DR plan review and test. No one enjoys making the time for these activities, but the risks and consequences of experiencing a disaster and not being prepared for it far outweigh this.