History of Business Continuity and Disaster Recovery

Ever since Adam and Eve took a bite of the forbidden fruit, mankind has had to learn to overcome and adapt to both manmade and natural disasters. From battling wars throughout the centuries, dealing with plagues, entire cities burning down like San Francisco earthquakes like the one in 1906 that led to the burning of more than 80% of San Francisco, CA, and hurricanes, just to name a few, man has had to have the fortitude to recover from these events in order to continue to survive. If not, then any hope for the future would be lost.

This paper will discuss where business continuity and disaster recovery came from as well as where it may lead us to in the future. While business continuity and disaster recovery are fairly common place in today’s business environment, it is important that we understand where these business practices came from, as well as where they may lead to in the future.

While business continuity and disaster recovery may resemble each other, it is important to realize that there is a big difference between the two. Business continuity is an organizations ability to continue to provide their services to their customers before, during and after a disaster strikes. Like business continuity, disaster recovery also allows an organization to either recover or continue their vital business functions during and after a disaster strikes. The difference here is that disaster recovery pertains to the information technology portion of the organization.

The business continuity strategy is the overarching policy of an organization. It will contain all the plans and tools an organization must follow in the event of a disaster. The disaster recovery plan is just one of several plans contained within the business continuity master plan.

So, what is business continuity? “While it began as a practice focused on keeping the lights on in the face of cyber-attack or natural disaster, business continuity management today is an integrated discipline that focuses on multifaceted approaches to the identification and remediation of risks and actionable plans to address those risks when necessary” (Denovo, 2018).

Business continuity management focuses on the processes and procedures to minimize the risk levels that may affect an organization. By employing enterprise risk management an organization can guide how business continuity is managed. There are four steps involved in enterprise risk management. The first is identification of potential risks. The second step is to design mitigation strategies for the identified risks. The third step is to implement the mitigation strategies. And the final step is to validate through testing.

Business continuity management is not just a single plan that revolves around risks only, it is a series of plans. Once all of the plans are combined, that is when you will have your overarching business continuity management plan. A few of these under lying plans include an administrative plan, crisis management plan, technical recovery plan, work area recovery plan, and pandemic plan.

The administrative plan is a high-level document that details what each team member will be tasked with during a disaster. It also details the organizations long term strategy for contingency planning. This plan will also include documents including vendor information as well as service contract information.

The crisis management plan will guide the organization through the appropriate steps to take in the early stages of a disaster. It will give detailed information on who needs to be notified immediately in the wake of a disaster, what actions need to be taken to secure equipment, the building, and most importantly, ensure there is no risk to life.

The technical recovery plan is often considered the disaster recovery plan.  “Although these plans offer detailed instructions for how to re-create a technical function for a company, they are really more than instructions for rebuilding a computer server in IT” (Wallace, M., & Webber, L., 2011). If an organization were to build a technical recovery plan for every piece of equipment, this would become a very expensive and time-consuming process. This is why it is important for the organization to identify the most critical equipment and business processes that need to be up and operational immediately after a disaster strikes. By focusing on the vital items for this plan, it will save time and expense.

The work area recovery plan will detail where employees will work in the event of a disaster at the organizations main building. This plan will detail where the alternate worksite is located, what type of equipment will be furnished at the alternate site, as well as detailing what type of security will be furnished at the site.

The pandemic plan details how an organization will handle the disruption of their business flow in the event of a pandemic outbreak. A pandemic outbreak may last as long as 18 months, so an organization must be prepared to deal with the potential of being shorthanded during this outbreak.  Items covered in this plan include social distancing, sanitation, communications and timing (i.e. knowing when to activate the plan).

As mentioned previously, disaster recovery is the recovery of an organization’s technology infrastructure including, hardware, data, applications and telecommunications. In order for an organizations disaster recovery to be successful, they need to have a well-documented and thoroughly tested disaster recovery plan in place. This plan must detail how an organization will continue providing for their customers after a disaster strikes.

The disaster recovery plan will identify the critical IT systems that need to come online in the aftermath of a disaster. This includes, hardware, applications, and networks. The plan will also outline the order the systems need to be brought up in as well as how to reconfigure the system and recover if necessary.

“A DR plan checklist includes the following steps, according to independent consultant and IT auditor Paul Kirvan:

• Establishing the scope of the activity;
• Gathering relevant network infrastructure documents;
• Identifying the most serious threats and vulnerabilities, and the most critical assets;
• Reviewing the history of unplanned incidents and outages, and how they were handled;
• Identifying the current DR strategies;
• Identifying the emergency response team;
• Having management review and approve the disaster recovery plan;
• Testing the plan;
• Updating the plan; and
• Implementing a DR plan audit.” (Rouse, 2017)

It is important to remember that the disaster recovery plan is a living document. As technology advances and people come and go, the disaster recovery plan must be updated to account for these factors.

Another important consideration when building out a disaster recovery plan, is where is your data stored. If it is stored locally, it may be wise to consider an offsite backup location. If a disaster strikes your facility and all your data is stored there, not only will your hardware infrastructure need to be replaced, but your data will have to be recreated, if that is even a possibility.

Now that business continuity and disaster recovery has been defined, it is time to take a look at where these two business principles came from. As Santayana stated “Those who cannot remember the past are condemned to repeat it” (1936).

Prior to the mid-twentieth century, what we now call Disaster Recovery and Business Continuity doctrine consisted primarily of fire prevention and insurance, and maybe a fireproof safe for the most important paper documents” (Fox, 2019).              The only organizations using computers in the 1950’s and 1960’s were primarily the government, banking institutions, universities and the airlines. During the early years of computers, it is important to remember that that the typical computer of the time took up huge amounts of space and they were also ridiculously expensive.

In the 1950’s, Dr. W. Edwards Deming pioneered the “Deming Cycle.” The Deming Cycle “serves as the basis for modern business continuity planning. The Deming Cycle calls for businesses to assess processes that can cause products to deviate from expectations using a four-part cycle: Plan, Do, Check, Act” (Holt, 2018).

• Plan – This step is where you plan what you want to do and how you expect to accomplish it.
• Do – Once your plan is ready, you will do what the plan requires.
• Check – This is where you will test your plan and see if it has met your plan requirements.
• Act – Here you will take what you have learned so far and make corrections and/or improvements to your initial plan.

Beginning back in the 1970’s, business began to rely more heavily on both mainframe and minicomputers for their everyday business operations. It became apparent rather quickly that if the computers malfunctioned or were affected by some sort of natural disaster, that the business could be in big trouble by not being able to continue their operations. This is where it became evident that there must be some type of safe guard in place to protect the organization.

Due to this vulnerability, and “seeing the commercial opportunity, some of the large computer vendors also developed a range of services, essentially selling the availability of spare machines in the event that their equipment went wrong” (Drewitt, 2012). This was a win win for the manufactures of the hardware, essentially selling the same organization twice the equipment, the main computer equipment and the backup systems.

As mainframe computers and minicomputers were becoming more popular in the world of business, the more it became obvious that there had to be a way of protecting an organization from a disaster created by the computing system crashing. This is where the term disaster recovery came from. To this day, disaster recovery still refers to the use of IT alternative systems in the event of a natural disaster or a human induced disaster within the business world.

With so much chaos in today’s world, you would think that business continuity and disaster recovery would be a top priority for organizations all around the world, but unfortunately this is not the case. While large organizations may have the funding to implement a solid business continuity plan, they may be reluctant to enact on due to the amount of time and money that is involved in this process. Small to midsized businesses may even be more reluctant due to the costs involved.

Due to recent events, including the 9/11 terrorist attacks, several years of more intense weather patterns including hurricanes, flooding and wild fires, organizations now face a greater threat of disaster striking. When these disasters strike, those organizations without a business continuity plan are exponentially more doomed to fail than those with a business continuity plan in place.

“As a result, regulatory compliance is often the key motivator for the implementation of a business continuity plan. Although requirements vary according to industry and geography, regulators want business to have effective business continuity plans that enable them to continue operations with minimal disruption during and after a disaster” (Utilicomm Solutions, 2017). When it comes to regulations there are only two types, government-imposed regulations and a standards and requirements which must be met in order to become a member in an organization. An example of the later is the International Organization for Standardization (ISO).

Some government regulations pertain to all industries, while other regulations are business sector specific, this includes the financial industry, the healthcare industry and the utility sector. Geminare (ND) published a brochure that that lists some of the more common regulations in place for businesses today. The regulations that pertain to all industries include the Sarbanes-Oxley Act, IRS Procedure 86-19, Consumer Credit Protection Act (CCPA) Section 2001 Title IX, and the Foreign Corrupt Practices Act 1977.

For the financial industry, the following regulations must be adhered to, Expedited Funds Availability (EFA) Act 1989, Federal Financial Institutions Examination Council (FFIEC), BASEL II, BASEL Committee on Banking Supervision 2003, GAO/IMTEC-91-56 Financial Markets: Computer Security Controls, and FFIEC Inter—Agency Policy 1997.

The healthcare industry comes with its own set of government regulations including the Health Insurance Portability & Accountability Act (HIPPA) 1996 and the Food and Drug Administration (FDA) Code of Federal Regulations (CFR), title XXI 1999.

The utilities sector must follow the North American Electric Reliability Council (NERC) P6T3, the NERC Urgent Action Standard 1216, Federal Energy Regulatory Commission (FERC) RM01-12-00 2003, NERC security Guidelines for electricity sector 2001, the FTC’s Federal Information Security Management Act 16-CFR-314 2003, and the Telecommunications act of 1996, Section 256 Coordination of Interconnectivity. These are only a few examples of the government regulations that the utility sector must follow.

Don’t think that the federal government is immune from following government mandated regulations. They have a long list that they must comply with as well. Here are just a few of the federal governments regulations they must comply with:

• Continuity of Operations (COOP) and Continuity of Government (COG) Federal Preparedness
• FEMA FRPG 01-94
• Federal Information Security Management Act (FISMA)
• National Institute of Standards and Technology (NIST) SP800-34 2002
• NIST 800-53 2005 Recommended Security Controls for Federal Information Systems
• Governmental Accounting Standards Board (GASB) Statement No. 34 1999

As businesses become more and more dependent on the internet and the cloud for daily business, it is important for them to acknowledge the risks that come with this. In the past few years, ransomware attacks have become common place as well as other types of cyber threats including denial of service (DoS) attacks, viruses and malware.

Ransomware is malicious software that will get into an unsuspecting users’ computer via a computer virus or through malware loaded onto the user’s computer. Once the ransomware is embedded and then activated, it will lock up the computer system so the system owner cannot access it. Once this happens, the cyber criminal will then demand a large sum of money in order unlock the computer system.

There have been several high-profile cases of ransomware attacks in the news. These attacks have all but shut down hospitals, schools and city governments including the cities of Baltimore and Atlanta. While there is insurance available for ransomware attacks, it still does not get back all the lost data. Depending on the type of policy you get, the insurance can cover the cost of the ransom as well as the cost to recover what data they can. It is critical that businesses know what they are covered for prior to a ransomware attack happening.

“Business continuity and disaster recovery (BCDR) solutions have continued to prove to be the most effective in lessening the impact of a ransomware attack. Ninety-two percent of managed service providers (MSPs) report that their clients with BCDR solutions in place are less likely to experience significant downtime during an attack. In addition, four out of five MSPs state victimized clients with BCDR tools in place recovered from an attack in 24 hours or less, while less than one in five MSP clients without BCDR were able to do the same. MSPs are in a unique position today to educate small to medium sized businesses (SMBs) on how to protect against a ransomware attack, including employee training and the tools to implement” (D’Andrea, 2019).

With facts like the ones stated previously, you can clearly see the importance of developing a tried and true business continuity plan along with a disaster recovery plan for your organization. Threats against business will always be out there, These threats may come in the form of a natural disaster, a manmade disaster, or some form of cyber-attack, but if you have your business continuity plans in place and they are well tested, you have a much higher probability of recovering from these events than if you have no plan at all.

References

• Crocetti, P. (2017, January). Disaster Recovery Plan (DRP). Retrieved from https://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-plan
• D’Andrea, J. (2019, October 16). Cost of Ransomware Related Downtime Increased More Than 200 Percent, an Amount 23 times Greater Than the Ransom Request. Retrieved from https://www.businesswire.com/news/home/20191016005043/en/
• Denovo, (2018, May 31). Exploring The Evolution Of Business Continuity Management. Retrieved from https://denovo-us.com/blog/exploring-the-evolution-of-business-continuity-management/
• Drewitt, T. (2012). Everything you want to know about business continuity. Retrieved from https://ebookcentral.proquest.com
• Fox, J. (2019). History of Disaster Recovery and Business Continuity. Retrieved from https://www.jdfoxexec.com/resource-center/articles/history-of-disaster-recovery/
• Geminare (ND). An Overview of U.S. Regulations Pertaining to Business Continuity. Retrieved from https://www.geminare.com/wpcontent/uploads/U.S._Regulatory_Compliance_Overview.pdf
• Holt, J. (2018, January 25). The Evolution of Business Continuity Planning. Retrieved from http://blog.continuitylogic.com/evolution-of-business-continuity-planning
• Santayana, G. (1936). The works of George Santayana. Retrieved from http://hdl.handle.net/2027/mdp.49015002223114
• Utilicomm Solutions (2017, June 30). How Regulatory Compliance Drives Business Continuity. Retrieved from https://www.utilicomm.com/how-regulatory-compliance-drives-business-continuity-planning
• Wallace, M., & Webber, L. (2011). The Disaster Recovery Handbook: A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets (Vol. 2nd ed). New York: AMACOM.