This article originally appeared in the January 2023 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
Having a disaster recovery plan means different things to different people. For some, it means getting the lights turned back on as soon as possible; for others, it is making sure customer phone calls and email messages are answered. For just about everyone, it is all about knowing who is supposed to do what when things hit the fan.
That said, there is a common theme here: Having a tested plan in place will help you meet all these goals and more.
Knowing a disaster is about to happen is luck and technology – think hurricanes, electrical storms, that sort of thing. In many cases, experts can provide advanced warning for potential danger; however, many disasters are unforeseen, such as tornados, riots, and earthquakes. That means building a disaster recovery plan relies on the old adage: Hope for the best but prepare for the worst.
Security integrators and central stations can recover from a disaster, but they must have a plan already in place to do so.
The Risk Assessment
If you do not have a disaster recovery plan, then you need to build one from scratch. At this point, your needs are the same as a firm with a well-honed plan in place: If something goes wrong, what do you have to do, who will do it, and how does it need to be done?
When you conduct a risk assessment, you must look at:
- The critical assets in your company;
- Specific threats to those assets;
- How effective those assets are during downtime; and
- The risk correlation to those assets and the threats they face.
After identifying these specific risk issues, be sure you review them on an annual basis because of changes to policies, technology, and processes. Even though changes are part of normal business operations, the changes can drastically affect how well something will work during a disaster situation.
Ask yourself, what part of your business is the most critical? What are you going to specifically do if different events happen? Building a disaster recovery plan helps you recognize and address where you have shortcomings.
Running a risk assessment means going through a business, layer by layer, and looking at the different processes in place to truly understand how they interact (or don’t). With this data in place, business owners and managers need to periodically revisit to understand what may have changed policy-wise since the time of the original assessment, such as firewall requirements, VPN adoption, and more. Those updates may have altered how those interactions work.
Documentation is Key
Developing a disaster recovery plan for security integrators and central stations is about process, process, process. An organization should have a plan in place that says, for example, “if a firewall change is made, I must have a second set of eyes look at it to make sure it passes the sniff test.”
Any security process updates, policy changes, etc., need justification and documentation. Why were changes made, what changes were made and how do those changes affect the systems currently in place? Documentation also requires that someone other than the requestor of the change reviews the changes and understands the potential impact.
The process of documenting all changes that occur during the year will help highlight issues that need to be addressed before a disaster. Consider what upgrades were made to the system; what patches were released and to which system; if all the monitors are on the system and if back-ups are automatically slated to kick in when needed; what physical equipment was replaced during the year and why; etc.
Using Communications to Mitigate Customer Impact
The quicker you recover from a disaster, the quicker you can communicate and fully inform all the stakeholders and customers involved during an outage event.
Having a strong communication strategy built into a disaster recovery plan can help mitigate the financial impact of a disaster as well as the operational impact. A communications strategy provides everyone on a team and in an organization with specific people they should look to for leadership and their individual responsibilities. It eliminates confusion, panic, and overlap which, in turn, helps them to better manage the customer impact.
When a disaster strikes a team without a communication strategy, the situation will likely devolve into chaos almost immediately; therefore, it is crucial from an operational standpoint to be sure the team knows who is responsible for what, and their role in helping work through a disaster or outage.
A handful of things to consider:
- Is there a phone chain to follow in a disaster?
- Does everyone have a copy of the phone chain?
- Who are the back-up personnel if someone on that phone chain can’t be reached?
- Who assumes operations control of a facility in a disaster?
- Who fields calls and emails from customers?
- What is the message to those customers?
- If one facility is off-line, will calls automatically roll over to a different facility?
The whole process of mitigating the customer impact is about ensuring that the needed personnel and resources are available in a situation, because the goal is to maintain the same level of security, no matter what has happened. Building a communication strategy into a disaster plan helps you properly control what you can control in an uncontrollable situation.