Skip to main content

How’s Your Disaster Recovery Plan?

Column: The eSecurity Advisor

From the August 2007 Issue

  • “Fires Burning Thousands of Acres in the West, South and East!”
  • “Tornadoes Destroying Homes and Stores in the Midwest!”
  • “Floods in the East!”
  • “Hurricanes in the South!”

With these types of headlines filling our newspapers this year and in years
past, you would think the entire country should be named a national disaster
area. Some of this is just plain hoopla and ballyhoo by the national and local
news media trying to boost their ratings. But generally, June through November
is the peak time for natural and (in some cases) man-made disasters. Contrary
to what the media tells us about the disasters happening all around us, most
of the 300 million people in the United States are unaffected by these events.
But that is no reason to not prepare!

It is important to recognize that the failures of the unprepared to be prepared
are lessons and sometimes a wakeup call for the rest of us. The times when misfortune
affect certain areas and other parts of the country are times when the rest
of us need to reflect on what our business would do if we suffered some type
of disaster, whether it be a fire, tornado, hurricane, or perhaps one of many
possible man-made (intentional or unintentional) disasters. While you may not
be experiencing a disaster today, neither were the people who were struck by
a disaster today facing one the day before. Even if there is no disaster happening
in your part of the country, you need to be learning from the experiences of
others who were unprepared and failed to maintain proper disaster recovery and
business continuity plans.

Reading Recommendations
There are many books, pamphlets, training classes, and articles on disaster
recovery and business continuity plans from various sources including the Internet.
Here are several resources that I have found helpful.

  • “Manager’s Guide to Contingency Planning for Disasters,”
    by Kenneth N. Myers
  • “Disaster Recovery Planning: Preparing for the Unthinkable,”
    3rd Edition by Jon William Toigo
  • Disaster Recovery Journal — monthly magazine focused on Disaster
    Recovery issues (
  • The Conference on Emergency Response Planning for Your Business by SkillPath

The effect of 9/11
My father is a retired safety, fire protection and security engineer. He worked
in the auto industry making sure that the production facilities for one of the
big three met the appropriate company and governmental standards. Some of his
friends in the insurance and fire protection industry obtained some amazing
pictures of 9/11, which, while publicly available, were not widely distributed
outside the safety, fire protection and security industry. As I was helping
my father organize some pictures on his computer the other day, we came across
these pictures. Every time I see these pictures, I am in awe of the magnitude
of the destruction to not only the twin towers but also many of the surrounding
buildings. Many of the businesses in the twin towers never recovered from the
disaster that day and simply vanished, taking with them all the jobs, hopes,
dreams, information, data and livelihoods of those both living and now deceased.

Right after 9/11, many business leaders in and around New York got religion.
There was a flurry of activity figuring out what to do in case of a disaster.
Training classes were taken. Business continuity plans were developed. Business
disaster plans were put in place. They were all dutifully copied, bound and
distributed to all employees who promptly put them on the bookshelf behind their
desks and quickly forgot about the plans.

Then Came Katrina, Rita & Wilma
We quickly discovered, just four years later when these storms hit Texas, Louisiana,
Mississippi, Alabama and Florida, that businesses had not really learned anything
from 9/11. These storms drastically affected businesses in these states. Many
small businesses have yet to recover, and many never will. Even well established
businesses with deeper pockets were caught unaware or unprepared when these
storms hit. Casinos, computer companies, restaurants and local units of government
(to name a few) found themselves totally unprepared to handle the disaster that
had befallen them. Some of this was because of outdated plans that had been
sitting on the bookshelf for years and never updated. Others had updated plans,
but the plans had never been practiced or tested, and people didn’t know
what to do. Some plans didn’t address the issues at hand, and people trying
to follow the plans couldn’t because they had no instructions and could
not find the person with the authority to make the decisions or changes to the
plan based on circumstances.

What is the Effect of a Disaster on a Business?
Here are the top four reasons a business fails after a major disaster:

  1. Customers are impacted by the event. You may have customers displaced by
    the event who cannot or will not return to the area, which results in uncollected
    revenue or a lost customer.
  2. Your product or service may not be one that people need either when dealing
    with the disaster or after the disaster is cleaned up and things get back
    to some normalcy.
  3. The business’ inability or unwillingness to respond to the changed
    environment after the disaster. This includes the assumption that business
    as it was before the disaster will miraculously return to the same level after
    the disaster.
  4. The level of financial strength of the business prior to the disaster,
    which may not be able to help carry it through the post disaster event.

? What Makes a Good Plan?
A good plan is one that contains general outlines of the things people are to
do as well as who is responsible. The plan should not be a step-by-step guide
for how to deal with particular types of disasters. Instead, the plan should
focus on who is responsible for particular parts of the business recovery process,
who is the backup person if the primary person is not available, and guidelines
for what needs to be done for recovery. Again, it should not be a list of steps,
but simply guidelines. The reason for this is because with guidelines and responsibility,
the people responsible are able to make decisions about unexpected conditions,
which may not be delineated in a step-by-step plan. Because they have guidelines
versus step-by-step instructions, they have to utilize their best judgments
based on the guidelines to accomplish the recovery procedures.

Some Planning Considerations
In developing your plan, here are 10 helpful tips to consider:

  • Use an online backup service such a eVault or NovaStor for business critical
  • Use an e-mail filtering service such as MX Logic, which contains a recovery,
    archive and viewing component in the event your e-mail server is not functioning.
  • Use a hosted IP phone solution (VoIP) so your phones will be answered (even
    if it is only by an automated attendant) in the event your building is inaccessible.
  • Make sure you have reliable backup. External USB 2.0 hard drives make great
    backup to disk drives. Tape still works well, too. Having two options is better
    than one, so each of these in combination is a good idea. Make sure to check
    your ability to restore files.
  • Have a safe deposit box at a bank where you store one copy of your backup
  • Store a customer list in paper form offsite where it is easily accessible.
    This should not be in the safe deposit box in the event the bank is not accessible
    (power failure).
  • Keep a second set of media offsite but not in a bank safe deposit box so
    it is accessible if needed.
  • Develop a plan and make sure to practice the plan with the employees responsible
    for each component. Make sure the employees know what they are responsible
    for under the plan.
  • Keep your plan current and up to date.
  • Utilize community resources to develop and test your plans. Police and
    fire departments love to practice preparing for disasters, and they do it
    all the time. Have some fun by taking half a day or a full day to work with
    first responders practicing mock disasters at your facilities. This will help
    prepare your employees and also give them a change of pace and something a
    little different and somewhat exciting to do every now and then.

It is important to follow the Boy Scout motto when thinking about what could
happen. “Be Prepared!” is a rally cry for Scouts and should also
be for owners of businesses. It will not happen without ownership involvement
in the development of a contingency plan for your business. Take the first step
today by making a list of the business-critical data you need to get backed
up offsite and assign an employee to research online backup companies. Good
luck as you move forward with your plan.