Were you surprised to hear about the worker at the Chicago O’Hare airport last Friday? Certainly I was. Who would have ever thought someone working in the control center would light the hardware on fire, and then try to commit suicide? Unimaginable, right? However, what I was more surprised about was that there was no roll-over contingency operations center in place in the event something catastrophic took out the O’Hare operations center. After all, Chicago is in an area with a wide range of weather events, from blizzards and ice to severe storms and tornadoes, and everything in between. Not to mention that all airports are considered to be a target of a wide number of terrorist groups.
Just two days prior to the incident Chicago Mayor Emanuel said that he realized the city was at risk of being a terrorist target, but that “the quick response to a suspicious package left at O’Hare Airport shows that the city is taking the threat of possible terrorism here seriously. He says it shows the city does have a plan in place, and is working closely with the federal government. The mayor says Chicago has an advantage because of its Emergency Management and Communications system to coordinate as well as communication with federal law enforcement.” Talk about a case of blind trust in security that turned out to be unjustified, and apparently based upon only one type of incident out of possibly hundreds of potential threats. He’s been eating crow since Friday.
The FAA “hopes to return the facility to full service by Oct. 13.” Two weeks!? Was there even a disaster recovery plan in existence? This is something the FAA is going to check on after this incident; not only for O’Hare, but also for all its other “major facilities.” My question to the FAA (as well as the city of Chicago) is: When was the last time they even did such facility and disaster recovery audits/reviews? Given the high terrorist threat levels that have existed for 1 ½ decades for airports, it would seem that checking to ensure effective disaster recovery and business resumption plans exist would be high on their priority lists to perform on a regular basis.
Unfortunately we cannot assume that effective and efficient (and for those of us with a long tenure in the cyber-security business, obviously necessary) disaster recovery plans will be in place for the most obvious of organizations and businesses.
Business Continuity and Disaster Recovery Plans are a Necessity of Business
Having a robust and well-tested business continuity and disaster recovery plan (BC/DRP) is not an option for any size of business; it is a necessity. Business leaders need to realize that without such advance preparation they could easily go out of business. This is not a new revelation; businesses have needed to have such BC/DRPs in place for decades.
My first huge real-life experience with putting a BC/DRP into action happened during the “Floods of ’93” when I was responsible for information security at a large multi-national financial and healthcare corporation in Des Moines, Iowa. Fortunately, a couple of months earlier we had just finished a long, huge project to get comprehensive BC/DRPs created throughout the organization, and had finished testing them with the business units the previous month. Talk about lucky timing! Those plans saved us from what we estimated would have been significant financial and data loss. However, even with brand new plans and training, during the recovery processes we still uncovered areas that we had not covered within the plans… areas that, until the real disaster hit, we had not even thought about before; the unimaginable. Who would have thought the entire city would have been flooded, and that we would have no electricity or water for almost two months? Who would have thought that with the lack of cooling and water, we would be prohibited by the fire department from having employees go to any floor above the third floor for safety reasons? And there were several other “who would have thought” issues that we learned from, and quickly addressed in updates to our new plans after we had resolved the immediate flooding disaster situations.
When creating and updating your BC/DRPs, you need to not only think about what is likely to be a business disruption, but also look at what has happened to other businesses and organizations, learn from their situations and disasters, and consider if the same types of situations could possibly happen to your organization as well. Your BC/DRP should be created to be as flexible and comprehensive as possible to appropriately prepare for the unimaginable.
How to Accomplish This
You need to assign responsibilities for the BC/DRP, determine necessary resources to create and update the BC/DRP, provide training for the BC/DRP team members, and keep the BC/DRPs updated over time. You also need to make sure you identify and include remote locations where you can have either mirrored data centers or failover data centers in the event of a catastrophic disaster, such as the one at O’Hare. I still am flabbergasted that it seems they didn’t have such operations established for a major transportation hub!
And I don’t want to hear you say you can’t afford the resources it takes to have a BC/DRP. Can you afford to go out of business after your computers and data are wiped out? Can you afford to get a huge regulatory fine for not having documented and up-to-date BC/DRPs? Can you afford to be offline and not answering the calls or needs of your customers, patients or employees for an extended period of time? Can you afford to pay for lawsuits, lawyers, and civil awards against your organization?
There are plenty of options for the smallest to the largest of organizations to consider, of every budget, to have an effective BC/DRP in place. To see some of the possibilities, see IBM’s new infographic showing some statistics about backup media and administration options.
Bottom line for organizations of all sizes…
Every organization, of any size, in any location, in every industry, needs to:
- Assign responsibilities for BC/DRP,
- Document a BC/DRP and keep it updated over time,
- Train the BC/DRP team members,
- Test the BC/DRP regularly (I recommend having a table-top test at least once annually and when major organizational changes occur),
- Regularly make multiple copies of backups, and test backups to ensure they are valid and will actually be usable during an emergency, and
- Identify remote locations where operations can be moved temporarily in the event your site is completely compromised and unusable.
And note: even if you use a contracted managed service provider (MSP), you still need a BC/DRP, and you need to reference the MSP appropriately within your documentation.
This post was brought to you by IBM for Midsize Business (http://goo.gl/t3fgW) and opinions are my own.