Contributor:
Dan Gallagher | Senior Manager, Information Assurance & Cybersecurity
John Messina | Manager, Risk & Accounting Advisory, PMP
As all businesses have learned in the 21st century, the need to be able to be operational every day is crucial. Even a few hours offline could mean huge financial and reputational damage. Most executive management teams and board members need to ensure the continuity of business is at the forefront of an organization’s mind. Leaders should ask themselves how their organization could better avoid substantial negative impact in the future.
With the pressure to perform in this climate, waiting until a disaster occurs is not time to learn about weaknesses. Being ill prepared could lead to unintended consequences such as loss of revenue, jobs, reputation, regulatory scrutiny, and in extreme cases, can cause a company to go out of business.
In New York City, there were two instances where difficult lessons were learned after a disaster had occurred. In 1999, New York City completed a twelve-million-dollar project to complete its new Emergency Management Office1. The office was located at 7 World Trade Center and was to be the city’s command center during all emergencies. Due to the unfortunate events that took place on September 11, 2001, the building where the command center was located collapsed and was destroyed.
Lower Manhattan, home to the New York Stock Exchange and many large office buildings, housed primary and secondary data centers for many of the companies in the New York area, and many were on the lower floors of the office buildings. On October 29, 2012, Super Storm Sandy struck New York, sending flood waters into much of lower Manhattan and causing widespread damage and power outages which lasted weeks2. If a building was lucky enough to have power and systems were not destroyed, there was still no way to access their data for several days and weeks due to the severe flooding. In retrospect, both examples, yielded crucial lessons about the location of critical infrastructure only after an incident occurred.
Business Continuity vs. Disaster Recovery
Business continuity (BC) and disaster recovery (DR) plans help companies prepare and recover from natural disaster, human error and other unplanned events. As Benjamin Franklin once said, “By failing to prepare, you are preparing to fail.”
BC plans are broader and focus on the organization as a whole, including people and interactions with third parties. The goal of a BC plan is to minimize downtime and the time it takes to return to business as usual.
DR plans have a more singular focus on technology infrastructure — with the goal of restoring critical data quickly after a disaster. BC and DR plans should be used together to prepare businesses for disaster recovery.
Disaster Preparedness Testing
Being prepared for any potential disaster with BC and DR plans is not a luxury — it is a vital undertaking for every organization. Executive management teams should start preparing for uncertainty now, as there is no telling when a disaster may occur. But how can a company be prepared in today’s world? The answer is by performing various types of testing and gathering lessons learned before a disaster occurs. Most regulated industries require testing done at pre-defined intervals, but what are the goals of testing, and what kind of testing should a company perform? Let us examine some of the possibilities.
Choosing the Right Testing Options for Your Organization
There are various kinds of testing that a company can do, all with the same end goal: Documenting lessons learned and providing management with tangible results. The subject of testing can be any potential disaster from hurricanes or tornadoes, earthquakes, blizzards or power outages, to name a few. Some common types of testing are:
- Full Scale Tests: These require the diversion of operations from your production environment to your disaster recovery location and simulate a scenario where your primary site is offline. This scenario, while the most thorough, requires more time and planning.
- Data Recovery: This is on a smaller scale and includes restoring data from a backup location to a primary location. This ensures your backups are operational.
- Application Recovery: This simulates the ability to use an organization’s critical applications (such as banking systems) from an alternate location.
- Tabletop Exercises: These are the least invasive tests and involve all critical team members in an organization. The exercise involves a walkthrough of disaster scenarios in a group setting, with all team members discussing potential responses and taking note of any gaps. Decision makers are brought together in one place to discuss multiple scenarios with varying degrees of severity during these tests.
Goals of Disaster Preparedness Testing
The ultimate goals of testing can vary from company to company and industry to industry, but the most common goals are:
- Lessons Learned: Performing testing can validate that a company’s policies and procedures are designed correctly and uncover any gaps. Lessons learned are vital to staying prepared.
- Gap Remediation: If any gaps or interdependencies are uncovered during testing, management can document the gaps and work to remediate them as needed.
- Reduce Potential Downtime and Cost: Learning a gap during testing and rectifying it quickly can reduce potential future downtime and cost.
- Preserve Reputation: Reducing or eliminating downtime can save a business’ reputation and customer satisfaction.
- Training: Performing regular testing also gives employees the foundational knowledge to carry out tasks during a real emergency. Testing serves as training for employees and expands their knowledge, which better helps an organization respond to a disaster.
- Satisfy Regulations: For those in highly regulated environments such as banking and healthcare, testing can help meet the required standards and avoid regulatory scrutiny such as fines.
- Retest: If any major gaps are uncovered or the results do not meet the company’s expectations, retesting is always needed.
Being prepared for any potential disaster is not a luxury. It is a vital undertaking in every organization. Executive management teams should start preparing for uncertainty now, as there is no telling when a disaster may occur.
How Cherry Bekaert Can Help
Business Continuity and Disaster Recovery (BC/DR) are critical components of any cyber, IT and risk management program. Cherry Bekaert’s Information Assurance & Cybersecurity and Managed IT Services can guide organizations through comprehensive BC/DR testing reviews. Our experienced professionals can review BC/DR plans, observe and review test results in real time or after conclusion, and perform tabletop testing and training while documenting results in a report which can be given to auditors and regulators.
To discuss how Cherry Bekaert can help you assess and improve your third-party risk management (TPRM) posture or your cyber and IT security programs, please contact our cyber and IT security practices today or reach out to your Cherry Bekaert advisor.
Related Insights
- Webinar recording: Managing Cybersecurity Risk in the Public Sector
- Article: How to Craft a Proactive Generative AI Strategy To Manage Cybersecurity Risks
- Article: Third-Party Risk Management (TPRM): Top Strategies for Managing Vendor Risks
References
1 "Rudy’s High-Tech Lair: A $12 Million Weapon Against All Enemies," Observer, April 12, 1999, https://observer.com/1999/04/rudys-hightech-lair-a-12-million-weapon-against-all-enemies/.
2 "Sandy and Its Impacts," City of New York, November 29, 2012, https://www.nyc.gov/html/sirr/downloads/pdf/final_report/Ch_1_SandyImpacts_FINAL_singles.pdf.