How To Write a Complete Disaster Recovery Plan


After seeing their Northeast customers get pummelled by Hurricane Irene, IT solution providers have a pretty good idea of the value of a disaster recovery plan. But most DR plans focus on natural disasters — tornadoes, hurricanes, earthquakes — with a few addressing terrorist attacks. Seldom are cyberattacks mentioned. Here, the CEO of Idappcom, a vulnerability assessment tool vendor, discusses the importance of working with customers to develop a complete DR plan. — Jennifer Bosavage, editor

For every company there is a requirement to exercise due diligence and care of the company’s assets and the future ability to produce returns for investors, from revenue. That is increasingly embedded in legislation, regulation, standards and best practice guidelines. In order to exercise due diligence and care, your customers need to plan for the day they can’t – in other words, you need to help them develop a business continuity plan.

Get a copy of your customer's plan (if they have one), dust it off and actually read it with them. In the majority of cases it will cover eventualities such as damage caused by fire, theft or even flooding. It may even include a section on external threats, i.e., terrorist attacks and other disaster eventualities. And there is probably a plan for overcoming a power failure, where to resource external staff and crisis management.

What does it say about suffering a cyberattack? Chances are it doesn’t.

In this day and age, most companies, irrespective of whether a single office or a large international conglomerate, are reliant on computer systems to function. If attacked tomorrow, your customer might be shut down. No company, not even Mastercard, is immune. That's where an IT solution provider can come in to help plan for the inevitable.

The Attack
An attacker isn’t just interested in stealing information or funds. Organizations are experiencing attacks, whether denial of service or injected with malware, designed to wreak havoc and shut the business down. Any company can be a target. Further, it isn't just anonymous cyber terrorists waiting to pounce, disgruntled employees could wreak just as much havoc on systems, and sometimes, IT systems simply fail.

The effect of being closed for business, however temporarily, will cost your customer money. For an online retailer it’s obvious: If customers aren’t able to make purchases, there’s the immediate loss of revenue. For a large manufacturing company, if its IT infrastructure fails and production has to shut down for 24 hours the costs will soon mount potentially into the millions. The expense isn’t limited to the immediate problem of restoring services or production - there’s the lost time, ruined stock, ongoing costs of rebuilding confidence in the customer base and potentially amongst shareholders, plus the knock on effects such as an increase in insurance premiums. The costs quickly mount.

The AT&T Business Continuity Study 2010, reported:

  • Three-quarters (77 percent) of companies indicate that employee use of mobile devices plays a major/minor role in the business continuity plan;
  • Half have virtualized their computing infrastructure, with less than four out of ten (38 percent) having implemented a business continuity plan for the virtualized infrastructure;
  • 84 percent of all companies surveyed have e-mail or text messaging capabilities to reach employees outside of work, and three-fourths (73 percent) have systems in place that enable most employees to work from home or remote locations.

    All of those resources offer a lifeline to an organization in the event of a general infrastructure failing; however, on a day-to-day basis they also "throw open the doors" to the outside world risking extreme disruption through attack.

    First Line of Defense
    An IT team has many responsibilities with one main, overriding objective - to deliver the best service possible. The trick is to also promote the best security possible. IT solution providers must convince the customer's CEO of the need for enhanced security and then ensure that the IT team deliver it. The function of the CEO and board of directors, as part of their legal responsibility and charge by shareholders, is to exercise good corporate governance. Regular audit and validation leads to enhanced security, and costs very little. With constant vulnerability testing and security enhancement through configuration, better rules can be defined and implemented. That can avoid additional capital expenditure in unnecessary security devices, saving budgets.