Disaster Recovery and Business Continuity
A recent Ernst & Young survey of 1,735 C-level executives and IT professionals found that 57 percent consider disaster recovery and business continuity their top priority, but only 39 percent plan to invest in improvement efforts. This is surprising, since 42 percent said they do not have an agreed communications strategy or plan in place in the event of a significant cyber attack.
When we think of mass communications and emergency notification systems, we often think of weather-related events, power outages, fires, and other workplace emergencies. We don’t always jump to cyber security. Yet, cyber security is a big deal. It is estimated that cyber attacks cost businesses as much as $400 billion a year, a figure expected to reach $2 trillion by 2019.
Most of us have been victims of cyber security breaches through the places we shop and the banking systems we use. We all remember Home Depot, Target and, more recently, Yahoo being hacked. I personally received emails from all three of these companies warning me that my personal data may have been compromised.
While I assume these companies have learned their lessons, this EY survey proves plenty are still trying to catch up to the modern threats. One chief security strategist predicts 2017 will be “the year of increasingly creative [hacks].” It’s a vicious cycle: IT gets smarter and deploys new cybersecurity strategies only to find hackers evolve to find other ways in. As the saying goes, “If you build a 20-foot wall, they’ll build a 21-foot ladder.”
The nearly 40 percent of executives who say they are already investing, or are planning to invest, in disaster recovery and business continuity efforts are contributing to the surge in incident and emergency management solutions. In fact, this industry is booming, with growth predictions reaching the $114 billion mark. What constitutes “incident and emergency management”? According to MarketsandMarkets, which made the prediction, it comprises several things, including “solutions and systems.” The solutions and systems are:
- Web-based emergency management system
- Emergency notification system/mass notification system
- Surveillance system
- Geospatial technologies solution
- CBRNE/hazmat solution
- Disaster recovery solution
- Situational awareness solution
- Application system
Notice the first two systems noted in the report are an emergency management system and an emergency/mass notification system. How do these systems relate to cybersecurity? Increasing cyber threats are what will “propel the demand for high quality, technologically advanced, reliable mass notification systems, which could provide better security against cyber-attacks.” These systems can help companies quickly respond to threats or breaches and ensure the most rapid continuity of operation should an attack occur.
A Comprehensive Plan for All Attacks
Some experts recommend companies have well-designed and practiced incident notification, response, and recovery plans that are integrated into an overall disaster recovery plan that includes a business continuity strategy. Integral to this plan are “comprehensive internal and external communications.”
When an attack happens, it isn’t much different from any emergency that befalls a company. Just as with a weather-related event such as a hurricane or wildfire, companies must be prepared. This means having a solid emergency plan in place, one that is tested, practiced, and understood by every employee in the company, whether on location or remote. Of course, the type of emergency will trigger various responses. In the event of a cyber attack, there wouldn’t be much of a reason to evacuate the premises as in a flood. However, in both instances, employees will be looking to the executives to give them instructions on what to do before, during, and after an event.
These internal communications require a system capable of reaching the masses at once across multiple channels and devices. Because of how we live and work in today’s mobile culture, it is no longer enough to send a mass email or a phone message. Instead, companies must invest in those systems mentioned above to ensure every employee is reached as quickly as possible.
These emergency or mass notification systems will become a lifeline for the employees as well as the company itself. While the employees will depend on the system for information, the company will need to respond quickly and give employees the intel they need to keep business running or bring it back up to speed as quickly as possible. In this case, the type of emergency doesn’t matter. A cyber attack or a power outage would still have the same effect of interrupting, if not suspending, business operations. Ensuring employees know what to do to rebound and then effectively communicate with customers, partners, suppliers, etc. is critical in any business continuity plan.
Case in Point: The 2016 Presidential Campaign
The New York Times recently published an article about “How Russian Cyberpower Invaded the U.S.” It points out that without immediate detection and prompt response afterwards, the Democratic National Campaign was blindsided by a Russian cyberattack that ran amuck for nearly seven months. Once the top D.N.C. officials were alerted to the attack, it was mayhem getting the message out to employees about what they needed to do to protect their systems. John Podesta, Hillary Clinton’s presidential campaign chairman, was slow to respond. Perhaps his delay was due to how he was informed of the attack and what to do in response.
In an email from a Clinton campaign aide to Mr. Podesta’s assistant, it was advised that Mr. Podesta “change his password immediately, and ensure that two-factor authentication is turned on his account.” A link to do both was provided. An email. Not a direct email to Mr. Podesta, but an email to his assistant.
This is remarkable when you consider the impact of this cyber attack and the inefficiency of email. Some argue it cost the Democratic Party the presidency. Yet with so much at stake, a single email was all that was sent, months after the attack.
While the results of the presidential campaign will likely be discussed at length for years to come, I have to wonder what would have happened if the cyber attack had been detected sooner and employees had been warned sooner of what to do – not through an email, but through multiple channels simultaneously. Not only does this multi-modal approach ensure every employee receives the message on the device and channel they are most likely to be using, but it also communicates the message’s urgency. One email can get lost in an inbox, unopened for hours, even days and weeks after it is sent. But a push notification, an SMS text, and other alerts would have gotten the attention the message deserved.
Modern Threats Require Modern Communications
When you assess your own emergency response and business continuity plans, be sure to review your communication plan with a critical eye. While email and voice calls may have done the job in the past, they don’t do the job well, efficiently, or effectively enough in a modern culture. Today’s workforce requires more options, more connectivity, more engagement. When determining where to invest dollars to improve disaster recovery and business continuity, your communications strategy should be at the top of the list. We have seen what can happen when communications fail.
A mass communications system doesn’t have to be expensive and it doesn’t mean you have to replace everything you already have in place. Find an emergency communication system that will integrate with your existing systems for a more comprehensive solution that can scale across the entire organization. Whether you face a weather event, natural disaster, power or IT outage, bomb threat or cyber threat, your communications system will be the go-to for both you and your employees.