Goodnight Irene: A Lesson in Disaster Planning

Many large organizations make preparations for disaster, but the recent hurricane that hit the East Coast of the US illustrates why long-term business continuity planning on a local level can be critical to survival – and your employees’ well-being.

While much of what we cover here at Infosecurity involves the safeguarding of information, one recent event reaffirmed the value of the ‘A’ in infosec’s CIA acronym. The availability of information can be critical to a business when Mother Nature strikes, so the value of a good disaster plan cannot be overstated. Specifically, I’m talking about Hurricane Irene, and I’d like to share my personal observations about how the aftermath of this disaster played out for two organizations with fundamentally different approaches to business continuity planning. The names of these two organizations have been omitted, for obvious reasons.

Disasters by their very nature are unpredictable, and they often require response plans that are broad by necessity. What Hurricane Irene taught me is that it pays to be a student of history and tailor these broad response plans to local needs.

First, the story of a large, multinational firm with a highly mobile staff and a comprehensive business continuity plan. While the hurricane spared the local facility in question, widespread flooding would prevent the location from opening in the days following the event, with many staff stranded for days thereafter due to rushing floodwaters.

Yet, in the case of this organization, it was business as usual for employees who were not in immediate danger, and provided they had electricity, a working internet connection was all that was needed to keep both the business running smoothly and employees safe.

The second organization – a services firm – did not have the luxury of working remotely, as most business was conducted onsite. The company in question has employees that number in the thousands across hundreds of facilities. In short, this organization does not suffer from a lack of available resources.

It was not prepared, however, to pick up business-critical information in one fell swoop and put it to use from a remote location. So one member of the site’s staff – a manager – was tasked with braving dangerous floodwaters to recover business-critical data. The continuity plan in this case planned for only a brief outage – one to two days at most. Remember what I said before about disasters being unpredictable?

The disturbing thing about this approach was the lack of local customization. The site in question was located in a historically flood-prone area, yet no provisions were made for a potential extended disruption of business; thus the heroic measures that were required to recover its day-to-day business data.

The less well-prepared company, in this case, planned for only a brief disruption of business, and the confusion that ensued among its staff and clients persisted for weeks. Lost wages, lost revenue, and staff placed in danger were all the unfortunate outcomes of this rather large organization’s lack of comprehensive long-term continuity planning at the local level.

I realize that not all businesses can easily survive over the long term from remote locations, nor can they serve their clients’ interests by doing so. Yet what if your business is one of those that can withstand such a state during a lengthy disruption? Don’t you owe it to your business, your customers, and your employees to have a long-term plan in place?

I am lucky that the company I work for has an excellent business continuity strategy. My job – by and large – can be performed from a remote location. Peace of mind is what this offered me the evening the storm blew through. All I had to worry about was whether the lights would stay on. “Goodnight Irene”, I say to this storm. “I’ll see you in my dreams.”
