Hawaii businesses are well aware of the importance of disaster preparation. The outlook for 2022 anticipates two to four tropical cyclones, including hurricanes.

At a recent Hawaiian Telcom University event, my colleague Jordan Silva and I shared some helpful tips on disaster recovery and business continuity plans. It is important to understand the difference between the two. A business continuity plan, or BCP, is a set of strategies and protocols designed to help organizations make sure that critical business operations run smoothly during and right after the disaster. Disaster recovery, or DR, is a process of restoring business operations after the crisis.

When it comes to planning for disasters, many companies start with disaster recovery, though at that point the crisis has already happened and you can only evaluate its impact and start restoring your operations. What helps minimize the impact of the disastrous event before it happens is the business continuity plan, and it needs to be prioritized.

>> Start with roles and responsibilities. Many organizations start planning for disaster with technical solutions such as backup and security, but the flaws often lie in their communication plans. The worst time to be deciding who is accountable for certain actions and decisions is during a disaster. Prepare for these types of events by assigning roles and responsibilities related to your BCP/DR process. It is important to think through the smallest details, like who is responsible for declaring a disaster, who is telling staff not to report to work, who triggers the disaster recovery plan and who gives the all-clear. As businesses grow larger, planning for disasters becomes more complicated. Large organizations with many employees require a thorough communication plan, because every employee needs to know their part in the process. It needs to be written down and practiced regularly.

>> Be prepared for outages. Natural disasters often result in power, internet and phone outages. Make sure you have a hard copy of your most recent BCP and DR plan. If you are a critical business and need to stay open during a disaster, establish what you need to keep providing services during an outage. Make sure that the methods you choose are within compliance. For example, an outage is not an excuse for improperly stored personal data that ends up being stolen. Determine which operations need to be functional all the time, and inform the employees involved in those operations.

>> Treat ransomware and data breach as disasters. Ransomware remains one of the biggest threats for businesses, and it continues to be on the rise. It requires a similar response as a disastrous event and should be treated as such. Although ransomware’s risk profile is different from a hurricane because cybercriminals are targeting your business, the planning process is similar. Most businesses can either pay the ransom and hope the attacker provides the decryption key, or they can eradicate the attacker and recover from their backups. In any case, it is important to have a BCP and DR plan. The same goes for data breaches, except, unlike natural disasters, these can easily go undetected. It is up to you to find the breach and figure out when it happened.

>> Invest (only) in the right tools. Never rely on a single cybersecurity solution, because any defense mechanism can fail. Defense in depth means using layers of protective mechanisms to defend your business assets and is one of the best available approaches to reduce risk.

When selecting your cyberthreat prevention and disaster recovery tools, start with the weakest link in your security layers. If you have a good backup solution, start investing in better defenses to decrease reliance on your backups. If your defenses are good but your backups often fail or restoration time is too long, invest in a better backup solution instead of a brand-new firewall, for example.

Invest only in tools you need and can successfully deploy and manage. Your defense tools should never be more expensive than the assets you are trying to protect, especially if the risk you are trying to protect against is low. If your solution ends up being more advanced than your process, consider opting for a managed solution, where a team of experts is fully responsible for configuring and maintaining this technology.

>> Pick the right backup solution. You should always expect that any of your defense tools, no matter how advanced, can always fail. It may be a human error, a glitch or a flaw in a recent update. You also could lose your data during a natural disaster. If this happens you need to be able to recover your data from a backup.

When it comes to backups, here are the four key things to consider:

>> What needs to be backed up. Identify the assets you need to back up and where they are located.

>> How often it needs to be backed up. Establish the backup frequency, based on how often your data changes.

>> How long you can wait for it to be restored. Determine how long your business can operate without this data. If your business is in a low-bandwidth area, relying solely on an off-site backup can be problematic, especially if you need to restore your data quickly.

>> How long it needs to be stored. Consider this time frame from a compliance and security perspective. An IBM study found the average time for a business to realize it was breached was over 200 days. If you have only one month of backups, you will have no way to recover anything pre-breach in a situation like this.

These tips should ensure that your organization and your hard work can survive the unpredictable. Remember: be prepared, be aware and be safe.

———

Michael Morales is director of business services consulting at Hawaiian Telcom. Reach him at michael. morales@hawaiiantel.com.