Business Continuity and Disaster Recovery: How to Avoid a Crash Landing
I Piloted an Emergency Landing, and So Can You
It can be easy to put business continuity and disaster recovery planning on the back burner if your organization has never been affected by a disaster. But what would happen if a power outage, tornado, or data breach hit your organization and you didn’t have any plan in place? Disaster strikes when you’re least expecting it. It’s critical that you ensure that your organization is prepared. Learning from the experiences of others who have survived emergency situations is a key way to better prepare your organization for disaster.
On June 23, 2018, I was flying home from the Miami area to Tampa after finishing some charity work, piloting my private airplane. As I was flying over Lake Okeechobee, without any warning, the engine of my plane fell silent – something I never wanted to hear. I quickly realized that I had just nine minutes to implement an emergency landing plan before my plane would crash. Because of extensive preparations, I was able to successfully pilot my plane to the ground without harm using six basic steps. The same six steps that helped me pilot an emergency landing can also help your organization navigate a disaster. Let’s review the following steps:
- Prepare for an incident
- Diagnose the problem
- Determine your assets
- Determine your options
- Prepare for curveballs
- Make a post-action report
If we could predict disasters, we would avoid them – but we can’t. Avoiding disaster is essentially impossible, but preparing for an incident can help lessen the impact. So, how can you prepare for disaster? Training and practice are key ways that you can prepare your organization for disaster. Your disaster recovery team should be continuously practicing the steps it would take to implement your business continuity and disaster recovery plans. Placing your disaster recovery team under heightened stressors will also assist in better preparing them for the high levels of stress that will occur when disaster does hit. Your plans should be like muscle memory for your team; each member must have an intuitive understanding of how your systems work. During my flight, knowing systems like my GPS, engine, radio, and fuel gauge was critical, just like knowing your firewalls, applications, networks, and cloud environments will be critical.
What’s the Problem?
When disaster strikes, noticing how the problem stands out from what’s expected is critical. We all know what the inside of a plane sounds like, right? There’s a buzz in the air from the sound of engines and wind. When my plane went silent, I knew something was extremely wrong. Your employees must be trained to notice anomalies in your systems without delay. Once the problem is diagnosed, the incident must be reported immediately. This will allow your organization to put more resources on the problem.
What are Your Assets?
In high-stress situations, determining your assets is a way to focus your team and identify the problems at hand that can be solved. During my flight, I quickly identified my assets as the time I had to land, the nearest airport, and my training. You should always be looking for unexpected assets, though. In my case, it was help from the local sheriff’s office. In your situation, it may be outside help from a PR firm or IT consultant. Having a focused mind will allow you to uncover these assets.
What are Your Options?
Oftentimes, the number of options to mitigate disaster-related problems can be overwhelming. I don’t want you to get lost in this, though. Keep as many options open as possible, but eliminate options immediately once they’re no longer viable. You need to analyze options and commit to a plan, not fixate on or misinterpret facts.
Prepare for the Curveball
Even if you have a business continuity and disaster recovery plan, things don’t always go the way they’re planned. You must keep this in mind as you’re strategizing how to recover. When I decided to land my plane on a highway, I knew that powerlines, an oncoming semi-truck, and a slow-moving sedan were in my way. What did I do? I prepared myself for these obstacles and didn’t let them overwhelm me. If you’re in the midst of dealing with a major data breach and a malicious hacker makes a ransom demand, you cannot give up. Manage the incident all the way to the end.
Make a Post-Action Report
Congratulations! You’ve made it through the disaster. Celebrate your successes and don’t be discouraged if you didn’t do everything perfectly—you won’t and I didn’t. But you can learn from your mistakes. At this point, you’ll need to question how you can improve your plan. What could you have done differently? Is there additional training or practice that your disaster recovery team needs to be put through?
While we can’t prevent disaster from happening, we can set our organizations up for success by creating, practicing, and implementing business recovery and disaster recovery plans. Following these six steps will allow your organization to be best prepared for when, not if, a disaster hits. Remember: extraordinary events happen on ordinary days. Will you be prepared?
Ready to get started on your organization’s business continuity and disaster recovery plans? Find out how KirkpatrickPrice can help you create business continuity and disaster recovery plans.
About Randy Bartels
Randy Bartels serves as Vice President of Security Services at KirkpatrickPrice. His experience crosses a wide range of information technology disciplines including security and network architecture, software lifecycle management, operations, and penetration testing. Randy is responsible for leading complex engagements and investigating risks in new areas of technology. He holds CISSP, CISA, CSSLP, and QSA certifications.