If the last two years have taught us anything, it’s that the threat landscape is constantly evolving. With offices reopening as the shadow of the coronavirus pandemic recedes, many business owners hoped life was returning to normal, only to be faced with supply chain disruptions and rising costs due to inflation. Cyber criminals have also been busy, using a variety of schemes to exploit corporate networks for their own ill-gotten gains. Meanwhile, nature continues to test the resilience of businesses as drought, wildfires, and disastrous weather events occur with ever-increasing frequency.
This emergence of new challenges drives home the need for businesses to prepare for a wide range of potential disasters while anticipating new threats. To do so, it’s imperative to have an up-to-date disaster recovery program that includes a current risk assessment, operational analysis and disaster recovery plan. As we head into summer, it’s an opportune time to review your emergency preparedness and make sure your disaster recovery plan is equipped to handle any surprises life has in store for your business.
The Best Defense Begins with a Current, Realistic Risk Assessment
A viable disaster recovery plan hinges on a realistic assessment of the threats and vulnerabilities that could potentially disrupt your business. Because circumstances can change rapidly, it’s important to perform a risk assessment at least annually, so you have a clear understanding of any new threats to your organization. If it’s been a while since you performed a risk assessment, start by identifying vulnerabilities to your physical location, IT systems, networks, and data.
Next, catalog any environmental, natural, and human threats and note any changes that could impact your operations. Are weather experts forecasting heavy electrical storms in your area this summer? Are there any new malware attacks on the horizon? Are any of your major suppliers experiencing shortages? Through regular risk assessments, you can factor in any significant developments impacting your business and prepare accordingly.
Building Resilience with an Operational Analysis
Conducting a regular analysis of your business operations goes hand in glove with an effective risk assessment. As you assess the various threats to your business, consider changes to your operational environment, as well as external risks. Have any employees left your organization? Make sure their accounts have been disabled or deactivated. Are you reopening an office or moving to a hybrid workforce? Ensure you have a system in place to monitor and track the day-to-day usage and location of physical assets and internet usage. Compare these factors against your baseline from previous audits and note any changes when you prepare your disaster recovery roadmap for the upcoming year.
When conducting your operational analysis, you also want to pay attention to your data backups. Do you store backup copies at a geographically remote location? How quickly could you restore critical applications and data in an emergency? To protect the confidentiality, availability, and integrity of your company’s information, perform regular restoration tests of your backup media and make sure you have a current inventory that identifies all backups by status and location. Avoid putting all your eggs into the “cloud” basket — ensure that your plans include contingencies for your business to function if it loses connection to your online backups stored on cloud services.
An effective operational analysis should also include a data and application criticality analysis. Required by HIPAA, the criticality analysis is a best practice that every business should adopt to ensure your data and IT resources will be available when you need them. To get started, take stock of all your IT systems and applications and assess the impact that any loss in function would have on your business. Identify which systems need to be restored in minutes versus those that can be placed on the back burner for a few days. Then create a list of applications and systems to restore in order of priority.
Plan for Success with an Updated Disaster Recovery Plan
Once you’ve performed a comprehensive risk assessment and operational analysis, you’ll have a good idea of what to include in your disaster recovery plan. If you already have one, congratulations! But remember, having a plan is only half the battle. If you’re not updating your plan at least annually, chances are good that it won’t contain the information you need when a disaster occurs.
A regular review of team assignments is necessary because staff turnover can create critical gaps in your disaster recovery team. During your review, identify team members who have left the company and note any disaster recovery roles and responsibilities assigned to them. Ensure you’ve got a current organizational chart, so you can identify potential replacements with the decision-making ability and expertise to take over for any team members who have moved on.
The ideal disaster recovery team is cross-functional, representing all your major business units and corporate leaders. The plan update is a good time to review your organization and make the adjustments needed to reflect changes in your organization and leadership. Also, work to build your team’s cross-training capabilities, so each member can wear multiple hats in a critical situation.
Once you’ve addressed the composition of your team, don’t forget to verify and collect current contact information for all team members. A good approach is to ask each team member to build a customer and employee contact list and identify which individuals they will have responsibility for contacting in an emergency. Ensure everyone has quick access to this information. Creating and distributing a laminated card with all team members’ cell phone numbers is a good practice. In addition, you may want to identify alternate methods for placing orders and sending invoice payments if possible.
Teamwork Makes Your Plan Work
Before you publish your plan and distribute it to your entire organization, assemble your updated disaster recovery team to test your plan against a variety of scenarios. Performing tabletop tests and functional, real-time exercises will give team members a chance to work together and resolve any deficiencies before an emergency takes place. Ideally, this should be done in a formal meeting with someone assigned to take notes and document lessons learned. Try not to run the same scenarios year after year; draw from current events and use actual threats and risks in the tabletop tests, so that the functional tests will best reflect real-world situations.
Annual security awareness training for all employees should cover the disaster recovery plan, including any new information. All employees should be made aware of the critical points and be able to identify evacuation routes, emergency assembly points and how to contact those responsible for coordinating emergency response. You’ll also want to address any local requirements related to fire prevention and other topics.
Redundancy and Due Diligence Are the Keys to Securing Your Supply Chain
With supply shortages impacting many businesses, it’s more important than ever to identify backup vendors for critical supplies. When selecting new suppliers, thorough vendor due diligence is important. In addition to reviewing financials and security attestations, look at your vendors’ disaster recovery preparedness. Do they have backup sites that are geographically distributed, so they can transfer operations if a facility is disabled? Do they employ standardized workflows and production processes that can be replicated at alternate sites without loss of critical RPO (recovery point objective) and RTO (recovery time objective)? Ask about their communication channels as well. Do they employ multiple internet connections, using diverse carriers and fiber routes? Whenever possible, line up fully vetted backup suppliers well in advance of any supply chain issues, so you can make necessary adjustments without impacting your ability to deliver the service your customers expect.
The pandemic and recent supply chain issues have driven home the importance of building resilience in business operations. At the same time, rising cybercrime and extreme weather events underscore the importance of evolving to address emerging threats. Keeping your disaster recovery program current by conducting regular risk assessments and operational analyses and updating your disaster recovery plan will ensure you’re able to weather any storm or other unexpected events.
Steve Berman is Director of Risk and Compliance for DATAMATX, one of the nation’s largest privately held full-service providers of high-volume print and electronic transactional communications. For more information, visit www.datamatx.com.
This article originally appeared in the July/August, 2022 issue of Mailing Systems Technology.