Fire Hydrants and BC/DR Plans: How Testing Can Help Put Out Potential Fires

Red Fire Hydrant
The importance of testing your business continuity and disaster recovery (BC/DR) plan has never been a dry subject for us at Rentsys. With 2015's record-breaking fire season coming to a close, we wanted to learn a little bit more about the value fire departments find in testing their hydrants, as well as how we can learn from their examples. Steve O'Neal, a Rentsys account executive, recently spoke with a local safety officer and found several similarities between testing fire hydrants and testing BC/DR plans.


The National Fire Protection Association (NFPA) sets a standard for the minimum water flow that hydrants must meet. Testing hydrants ahead of time not only ensures the codes are satisfied but also maintains quality. If hydrants aren't regularly maintained, they can rust, causing parts to snap off.

If your business is subject to industry regulations like fire hydrants are, it's important to test your BC/DR plan regularly to ensure you're meeting the compliance requirements. Otherwise, you expose yourself to potential regulatory violations, such as excessive downtime or rusty procedures, endangering you to security breaches.


Hydrants are a part of a huge underground network that provides water access to an entire community. Sometimes valves have to be temporarily closed to allow for maintenance, but due to the complexities of this network, water flow can be reduced without ever being fully cut off from users. Unfortunately, sometimes after the work is completed, these closed valves are forgotten and not reopened. While this omission doesn't affect the community on a day-to-day basis, the reduced water flow wouldn't be sufficient to put out a fire when needed for an emergency.

Similar to hydrants, your BC/DR plan needs to be updated and maintained to coincide with the progress of your company. Facilitating your business growth requires you to revise, modernize and develop your current and future products and services, as well as the tools you use to deliver them. However, if you don't consistently update and test your BC/DR plan to ensure that it keeps up with the innovation of your business, your plan won't offer the full flow of information you need to calm the fire, so to speak, when it comes.

Avoiding Neglect

One of the dangerous consequences of not regularly testing hydrants is that they become hidden, either by overgrown plants or by decorations placed by residents who find the sight of hydrants unpleasant. Unfortunately, when a crisis occurs, these obstructions can make it almost impossible for firefighters to find hydrants and carry out their jobs.

Just as residents don't want to look at fire hydrants, many companies don't like to dwell on BC/DR planning because it's not always pleasant to think about. Instead they focus on revenue, shareholders or customer growth. A common issue that we've seen over the years is businesses that have a plan but don't make it a priority to regularly test. This leaves the BC/DR plan to get buried under more gratifying things such as profits.

We recommend taking the time to fully test your BC/DR plan at least once a year to help you work out any kinks before a disaster actually strikes. How often do you test your BC/DR plan?

For more tips on how to test you BC/DR plan, check out our post "Business Continuity Awareness Week: Testing Business Continuity Plans."

Integrating Disaster Recovery and Crisis Communications

When your business experiences a major interruption, a disaster recovery (DR) plan is essential to keeping systems up and running and restoring business-critical data if necessary. 

It’s also important to keep your customers and stakeholders in the loop about what’s going on within the walls of your organization and how that affects them — especially for an isolated crisis such as a data breach. That’s where a crisis communications strategy comes in. (We talked more about creating a crisis communications plan in a recent webinar with DRJ. You can watch it here.)

The Problem of Isolated DR and Crisis Communications Plans

The challenge is that both plans aren’t always handled by one department. The IT department takes control of DR, and the PR department or another business unit typically manages the crisis communications strategy. Ideally, these strategies should be developed as part of an overarching business continuity (BC) program, but for businesses without a documented BC strategy or poorly governed BC programs, the DR and crisis communications plans can develop independently of each other. In a crisis scenario, this could result in a disjointed response strategy, which can make the business seem flighty and untrustworthy.

If your organization struggles to integrate DR and crisis communications, you may be wondering how you can break down the silos between the departments who handle each of these plans. Below are our recommendations.

Remember the Common Goal

First and foremost, it’s important to remember that both the DR plan and the crisis communications plan should have a common goal: to protect — or even enhance — your reputation throughout a crisis. To accomplish that goal, there needs to be a collaborative initiative involving both personnel and technology.

Identify Specific Objectives

For the DR and crisis communications plans to work effectively together, it’s critical to first identify the desired outcome. For instance, what are your recovery time objectives and recovery point objectives? Are there any compliance requirements you have to meet? Do you have any service level agreements tied to business deals? What are your corporate goals? When deciding what objectives you need to meet, be sure to avoid general answers and agree on specific, measurable criteria.

Implement the Right Tools

Both plans will continually evolve as the business’s objectives, strategies and technology change. That’s why it’s crucial to document current versions of finalized plans, as well as any crisis communications information (media contacts, drafts of press statements, executive and corporate bios, etc.). In addition, each team member should be aware of their unique responsibilities as well as what other teams are working on at that moment. A cloud-based business continuity planning software solution is a good way to organize this information in a central location.

Because time is of the essence during a crisis, also consider implementing a mass notification tool to communicate quickly with key team members. Some tools integrate with BC planning software platforms, which can further streamline plan implementation. Once the crisis communications team defines what it wants to accomplish, the IT group can suggest technical options that help support that strategy.

Despite the challenges, integrating the DR and crisis communications strategies is indeed possible — and necessary. What barriers have you encountered when trying to integrate DR and crisis communications? How are you working to overcome them? Let us know in the comments!

[Webinar Recap] Crisis Communications: The Modern Do’s and Don’ts

Crisis Communications: The Modern Do's and Don'ts Presentation Slide
In today’s world, disasters such as cyber attacks and data breaches are becoming routine. At the same time, social media is transferring the role of reporter to its users, who are able to broadcast their version of the news as it unfolds — accurate or not. So how do you protect your business from a crisis?

Jeffrey Bell, partner for Gallatin Public Affairs, and Brandon Tanner, senior manager for Rentsys, addressed this topic in the recent Disaster Recovery Journal webinar “Crisis Communications: The Modern Do’s and Don’ts.”

As Jeff explained in the presentation, having the proper communications plan and tools in place gives you more control over the outcome of a crisis. In fact, the goal of an effective crisis communications plan is to enhance your company’s reputation.

To find out how to prepare your organization for a crisis, check out the recording of the webinar here.

[INFOGRAPHIC] Cost of Security

Did you know that in 2010, financial institutions continued to climb as the number one target for phishing attempts, representing 50 percent of the targeted industries? Further, the average cost of a cyber attack was nearly $416,000 to participating organizations.

Check out this infographic from Pragmatix to gain insight into the dangers of not being prepared for a security breach.

Cost of Security Inforgraphic

Cybersecurity is a growing concern. To learn about the FFIEC's new tool to help you assess your risk, check out our post FFIEC Update: Cybersecurity Assessment Tool.

Why High Availability Solutions Shouldn’t Replace Disaster Recovery Planning

24/7 floating over businessman's hand
These days the cloud is no longer a no-go for critical infrastructure. In a survey conducted by Infosys last year, 81 percent of respondents said they were already or were planning to use mission-critical apps in the cloud within the next two years.

With many cloud environments featuring capabilities for high availability, which by definition provide 99.999 percent uptime, how does that affect disaster recovery (DR) planning? If you manage all your applications in a third-party cloud environment with high availability built into the apps’ architecture, does that mean you can nix internal DR plans, procedures and tests?

The answer is no, and here are three reasons why.

You Need a Plan for Handling Data Corruption

DR planning is still a key component of the organization’s overall business continuity strategy. It’s important to have a high availability strategy for your critical systems and information, but if your high availability solution replicates errors, your data — while it might be available — would be useless. In that case, you’d need to fall back on your DR plan to recover that system.

Your Employees and Vendors Need a Plan to Follow

Even if you’ve outsourced management of critical applications, your employees still need to know what will transpire in the event of a power outage, facility loss or other incident. For instance, where will they work? How will they access the data and applications that are necessary to their job duties?

Your Cloud Provider Needs to Understand Your Environment

If you’re using a third party to manage your environment, it’s important to test so the vendor understands your environment. With documented and rehearsed DR plans, the vendor will be familiar with how to react during a business interruption and can do more on your behalf.

Although high availability is a key part of protecting your top-priority applications, it shouldn’t replace DR planning. To see what other components you should include in your DR plan, download our checklist.  

How Do I Get My Data Back If My Cloud Provider Goes Bankrupt?

It’s a business continuity and disaster recovery planner’s worst nightmare: You wake up to the news that your cloud provider — the one that houses your critical data — has gone under. How do you get your data back?

Going out of business signThe scenario isn’t entirely unheard of. In 2013, cloud provider Nirvanix announced it was closing its doors and told customers they had two weeks to migrate their data to another location. This announcement, however, should not have come as a surprise to customers. According to InfoWorld, Nirvanix had been informing its customers that it was having financial difficulties and at one point informed customers and partners that they could no longer upload data to the Nirvanix cloud.

Your provider going bankrupt should not come as a surprise to you, either. Before working with a cloud provider (or any other vendor who manages your critical data), you should assess the vendor’s financial situation as part of the due diligence process. If there are any red flags, proceed with caution.

No matter the financial situation of the provider, the contract you sign should have provisions around what happens with your data in the event of bankruptcy, default, etc. These provisions could include arrangements for transferring the data to another cloud environment or copying your data to external media and returning it to you.

If a provider won’t add a contract provision that protects you in the event of a bankruptcy, consider looking at alternate vendors. For more guidance on choosing the right cloud provider, check out our post "11 Questions to Include in Your IT Vendor Due Diligence."

[INFOGRAPHIC] What Is the Cloud?

People love to use the term "cloud" in the tech space, but the actual meaning of the word is about as hazy as the same-named vapors in the sky. In a recent infographic, Spiceworks cleared up some of the misconceptions about what cloud computing is, explaining how it works in terms that anyone can understand.

What Is the Cloud?

For answers to some of the cloud questions we’ve been asked, check out this post

[INFOGRAPHIC] Disaster Recovery Preparedness: Are You Ready?

With the commencement of National Preparedness Month, a pressing question you need to answer when strategizing your business continuity and disaster recovery plan is "Are you ready?" Business interruptions are not a matter of if, but when and what type. A study by the EMC Global Data Protection Index showed that 53 percent of respondents cited hardware failure as their cause of outage, along with 39 percent for loss of power.

Take a look at these statistics from Expedient's infographic to help you assess where you stand.

Disaster Recovery Preparedness Infographic

How can you best protect your business? Check out our Disaster Recovery Helpful Hints — Part 1, Part 2, and Part 3 for tips on how to realistically analyze the risks everyday and natural disasters pose to you.

Client Spotlight: Frost Bank Puts BC/DR Plan in Action During Hurricane

With a hurricane on the way and more than 300,000 people evacuating from Galveston, TX, Frost Bank had some decisions to make. There isn't much to love about a pending disaster, but Frost Bank was thankful for its business continuity and disaster recovery (BC/DR) plan that made those decisions much easier.

Frost Bank was able to continue service for customers who were not evacuated by setting up a mobile recovery center at the branch in Pearland, TX. Frost moved a second mobile recovery center to Galveston Island as soon as evacuees were allowed to return, so they could provide cash to customers who were unable to use credit or debit cards while Galveston's infrastructure was inoperable.

Frost Bank serves as an example of why having a BC/DR plan in place is a critical part of being able to continue service as soon as possible after a disaster. If you're looking for a way to implement a BC/DR plan for you company, review our disaster recovery plan checklist.

How Far Away Should Your Disaster Recovery Site Be?

Pins in map
The question "How far away should my primary data center be from my disaster recovery (DR) site?" has plagued DR planners for years. Companies first began seriously examining the role distance plays in DR after 9/11, when the attacks on the Twin Towers caused a large portion of Manhattan to shut down and all the recovery vendor sites filled to capacity.

Unfortunately, there’s no clear-cut answer to this question. Some suggest locating the backup site at least two FEMA-defined regions away, but most people shy away from setting firm guidelines measured in miles.

Instead, the geography should be dictated by the risks related to your organization’s business processes, data and physical location (a business impact analysis should reveal what these risks are). Once you’re aware of the risks you face, you can weigh the benefits and drawbacks of nearby and distant DR sites.

Nearby Disaster Recovery Site

A nearby DR site is beneficial for a variety of reasons. It’s within driving distance, making it easily accessible. If your DR site is nearby and is unaffected by an incident affecting your primary location, you can continue business operations more quickly than if your DR site were hundreds of miles away. In addition, the bandwidth costs are less, and you’re not as likely to experience significant system recovery delays due to latency issues.

However, the benefit of having a DR site within driving distance depends on the locale's risks. If your region is prone to hurricanes, earthquakes or floods, having a DR site in the same region can be risky. For instance, Hurricane Sandy was 1,100 miles in diameter — that’s more than a third of the continental United States. In regional disasters like this, your DR site could be affected by the same event as your primary facility, rendering it useless.

On the other hand, Spokane, WA is a geologically stable area whose biggest threats are wildfire and train derailment. Many businesses in these areas are comfortable with a nearby DR site as long as the site is on a different power grid.

Distant Disaster Recovery Site

Distant DR sites are beneficial because there’s less shared geographic risk. For example, if a business affected by Hurricane Sandy had had a DR site in Washington, the recovery environment would not have been compromised.

One of the significant challenges of a distant DR site is latency. When recovering data or systems across a significant distance, slower recovery times and bandwidth costs can negatively impact business continuity goals. The distance can be challenging for employees who need to be on-site as well. After a significant disaster, employees are often busy tending to their personal situations and aren’t able to travel far.

When answering the question of how far away a DR site should be from the primary site, then, it’s a matter of mitigating shared risks, not measuring miles. For more about the role of location in data vaulting, check out our post "Where in the World Is Your Data?"

National Preparedness Month Is Here

National Preparedness Month Promo image
Image courtesy of
Don’t wait. Communicate. Make your emergency plan today. These are’s tips for this year’s National Preparedness Month (NPM), which kicked off September 1.

The campaign is encouraging the American public to have a plan for staying safe and communicating during disasters such as floods and wildfires. Each week this month is dedicated to a specific hazard, with the last week culminating in America’s PrepareAthon!, a grassroots campaign encouraging communities to increase preparedness and resilience.

The full schedule is as follows:

  • Week 1 (September 1-5): Flood
  • Week 2 (September 6-12): Wildfire
  • Week 3 (September 13-19): Hurricane
  • Week 4 (September 20-26): Power Outage
  • Week 5 (September 27-30): Lead up to National PrepareAthon! Day (September 30)

Will you participate in NPM? To get started, check out our planning checklists on the Resources page of our website.

Remembering Hurricane Katrina: Declaration Stories

August 29, 2015, marks the 10-year anniversary of Hurricane Katrina, which decimated New Orleans and other areas in Louisiana, Mississippi and Alabama. Because of Katrina — and later Rita along the Texas Gulf Coast and Wilma in South Florida — 2005 was a landmark year not only for us at Rentsys but for many of our customers as well. By year’s end, we had experienced 43 disaster declarations, some of which lasted for months or even over a year.

Steve O'Neal, a current account executive and former operations manager, spoke to us about some of the memorable declarations he recalls from August and September 2005.

Helping Keep Gas Prices Down

Command Center MRC
Mobile Command Center
Photo by Glen Boote
Off the coast of Louisiana, a critical oil terminal and one of its refineries lost communications after  Katrina. Connectivity was (and is) a key part of the crude oil supply chain, as each facility needed to be able to communicate with and provide refined products to refineries around the country.

By providing a Mobile Command Center equipped with satellite equipment, we were able to help the plants restore communications, which in turn led to a drop in gas prices. (Watch our video "Real Stories About Real Declarations" to hear more about this story.) 

Coping With Gas Shortages and Sleeping in Motor Homes

Spare fuel tank in front of MRC
Spare fuel tank for Mobile Claims Office
Photo by Glen Boote
Although gas production continued, supply was short in areas of the country that had been affected by Katrina. We witnessed the shortage firsthand during a declaration in Covington, LA, just 40 miles north of downtown New Orleans, where we deployed a Mobile Claims Office for an insurance company.

We’d come prepared with a gas tank to fuel the claims center, and because the mobile unit was deployed next to a gas station, people flocked to us looking for fuel when the gas station ran out. 

We had to conserve fuel ourselves, as our team and the client had each deployed motor homes to sleep in. (The hotels that were open were full, and at one point our crew was asked to leave a hotel in Louisiana when the highway patrol commandeered it as a command post.) Some nights there were as many as 10 people sleeping in makeshift beds on the floors and couches in the motor homes.

Giving People a Place to Cash FEMA Checks

Mobile Banking Center
Mobile Banking Center in Pascagoula, MS
Photo by Glen Boote

Steve had been working more than 20 days straight when a bank in Pascagoula, MS declared. The company’s entire first floor — along with most of the town — was flooded. FEMA was cutting checks for recovery efforts, but there was nowhere in town for people to cash them, so our client wanted to resume operations in a Mobile Banking Center.

Once the branch was open, the bank gained several new customers who opened accounts so they could cash their FEMA checks. Despite dealing with their own crises in the aftermath of the hurricane, the bank’s employees had returned to work to help provide this critical service to the community. (Some employees even resorted to threading rope through their belt loops because they had no belts!) Since air-conditioned spaces were hard to find, many staff members brought their family members with them to the mobile unit. 

Responding to the Aftermath

Unfortunately, Katrina was not the grand finale for the 2005 hurricane season. In September, Rita triggered one of the largest evacuations in U.S. history, and in October, Wilma struck South Florida.

Meanwhile, even as we responded to declarations related to each of these storms, we maintained our regular testing schedule. "You’re not going to reschedule our test?" our Northern customers asked in shock. We had DR coordinators deployed all over the country for declarations and tests, but we were still able to respond to every call within our normal time frame.

For many residents affected by Katrina and the subsequent hurricanes that year, recovery was not so timely. Even today, New Orleans is still recovering from the impact of Katrina.

Was your business affected by Katrina? How did you cope with the effects of the storm?

One Thing Your Cloud Provider Could Be Missing

Support badge
Your cloud solution could be missing something. We’re not talking about bandwidth, security or service level agreements (though these things are all important). We’re talking about customer service.

Often businesses evaluating potential cloud vendors are focused so much on tech specs that they don’t think about the matter of interacting with the vendor after the contract is signed. Sometimes this isn’t an issue if you’ve chosen a good provider. Other times, however, you might find that getting the support you need is like pulling teeth.

The following three categories can help you identify if a potential service provider will be a help or hindrance to meeting your data and application management goals.

Listening Skills

Are the cloud provider’s representatives trying to sell you services you don’t need, or are they dedicated to helping you build a backup solution that’s right for you? To get the most value out of your cloud solution, you need to make sure you’re not paying for products and services that you won’t use or that don’t do what you need them to.

Technical Assistance

What type of technical assistance does the provider offer? Support options could include self-service, phone support, on-site, in-house, outsourced or a combination.

It’s also important to know when assistance is available. Is the support provider — whether it be your vendor or a third party — only available during business hours? Is the company in the same time zone as you?  Be sure to find out what level of support to expect and make sure you’re comfortable with it.

Technician Certifications

Knowing who will be offering your support can be almost as important as knowing the type of support you’ll receive. If you’re using a managed cloud service, are the people who will be handling your data certified engineers? Even if you manage your own data, will you have access to qualified help desk agents to resolve any issues?

Working with the right vendor can make a world of difference in how effective your cloud solution is for your business. To read more about best practices for implementing a cloud solution, read this post.

[INFOGRAPHIC] Continuity Planning Among Midsize Businesses

Nearly all (92 percent) of today’s midsize businesses have a business continuity plan in place, according to The Hartford’s 2014 Midsize Business Monitor, the results of which were released in July 2015.

But this figure isn’t as optimistic as it seems when you consider that 33 percent of these plans are verbal, and less than a third of the documented continuity plans are tested. Check out The Hartford’s infographic to read more about how midsize businesses are faring when it comes to business continuity.

Continuity Planning Among Midsize Businesses Infographic

For more details on how testing could help midsize organizations improve their ability to respond to a business interruption, read our post "Four Reasons Testing Your Business Continuity Program Is Essential."

FFIEC Update: Cybersecurity Assessment Tool

Businesspeople discussing cyber security
Cybersecurity is a growing concern, particularly among highly regulated industries such as finance. In February, the Federal Financial Institutions Examination Council (FFIEC) urged financial organizations to prepare for cyber risks in an appendix to its IT Examination Handbook. The FFIEC is continuing its push for better cybersecurity practices through the release of its new Cybersecurity Assessment Tool.

The tool walks organizations through completing a risk assessment, which involves determining an organization’s inherent risk profile and cybersecurity maturity levels within five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

As threats, vulnerabilities and operational environments evolve, FFIEC members plan to update the tool as necessary. To access the tool and related documents, visit

[Webinar Recap] DRaaS 101: What You Need to Know About Managing Your DR in the Cloud

DRaaS Overview Slide
Disaster recovery as a service (DRaasS) is a hot topic in the DR world right now. But is DRaaS just another buzzword, or is it a better way of doing DR?

In a recent webinar with the Disaster Recovery Journal, Brandon Tanner, senior manager for Rentsys, talked about how DRaaS got its start, how businesses are using it and how to select a DRaaS provider.

If you missed the live presentation, you can access the recording here

Freight Trains and Chemical Spills: How to Prepare Your Business

Freight train chemical spill
In July 2015, a train carrying the flammable, toxic chemical acrylonitrile partly derailed and caught fire near Knoxville, TN, forcing 5,000 people to vacate the area.

A few days later, July 6, marked the two-year anniversary of the oil train derailment and subsequent explosions in Lac-M├ęgantic, QC, which killed 47 and forced 2,000 people to evacuate their homes.

While some business continuity planners focus on risk assessments for natural disasters of hurricanes, tornadoes and earthquakes, man-made disasters such as train derailments and chemical spills can’t be ignored.

The Risks of Transporting Chemicals by Rail

Unfortunately, the risks of rail-transported hazardous materials are prevalent in certain areas of the U.S. and Canada. In Washington state, for example, up to 17 trains carry nearly 1 million gallons of crude oil through Spokane and other counties.

While en route to oil refineries, one or two trains pass daily through Seattle’s antiquated downtown rail tunnel. If a spill or explosion were to occur, the city’s emergency managers warned that such an event would have a catastrophic effect on the city’s citizens, buildings and environment.

This threat has become even more pronounced in recent years, with federal data revealing that more oil was spilled during U.S. rail incidents in 2013 than was spilled in nearly four decades.

Preparing for a Hazmat Catastrophe

Though the U.S. government recently coordinated with Canada to pass a rule for improving the safe transport of flammable liquids by rail, it’s still important that you take the following steps to protect your business and employees if you’re located near an industrial freight line.

Plan for an Alternate Facility

If a spill or explosion occurs in your region, you need to have a plan for alternate work arrangements. Even if your facility is left untouched, city evacuations can prevent you from accessing your building.

Some common alernate facility options are Business Recovery Centers (BRCs), Mobile Recovery Centers (MRCs), modular buildings or rented office space. Because hazmat disasters happen with no notice and will likely affect other businesses in your region, you should consider contracting space ahead of time rather than relying on a first-come, first-served solution.

To minimize downtime, the facility should ideally be equipped with voice and data connectivity infrastructure and office technology preconfigured to your specifications. Also make sure the space can be available within your recovery time objectives. BRCs, for example, can be available in mere hours after a disaster declaration, and MRCs can be delivered within 24-48 hours. The availability of modular buildings and office space will vary.

Location is another key factor in selecting a facility. Choose a facility too far away, and your employees might not be able to travel to that location. Opt for a facility too close, and you run the risk of the building being affected by the same disaster that shuts your facility’s doors. The benefit of an MRC-based mobile recovery solution is that the unit can be deployed in a location of your choice without having to obtain permits from the city, as you would with a modular building.

Prepare for Loss of Data and Hardware

In the aftermath of a spill or explosion, your business could face restricted access to or even a total loss of critical IT infrastructure components. These assets could include servers and hard drives; on-premise traditional data repositories, such as tape; and end-user laptops and desktop computers. To continue business operations, you need access to your entire IT environment, including data, applications, operating systems and configurations.

Today, there are several available cloud solutions that give you the flexibility to recover your environment from anywhere with an internet connection. You might also choose to use a colocation solution to protect your environment — particularly if you contract a BRC that offers on-site rack space. If you go this route, make sure the hosting facility is located close enough to your primary facility to address cost and latency concerns, but far enough away to ensure there’s not a common risk between geographies.

Conduct BC/DR Testing and Employee Safety Drills

Once you have a plan in place, it’s important to test it to identify interdependencies among your systems and processes, reveal differences between production and recovered environments, and make sure your staff members know what’s expected of them.

You should also conduct routine safety drills so your employees will know what to do in case a spill or explosion occurs during business hours.

Is your company susceptible to the risks of hazardous materials transported by rail? If so, what steps are you taking to prepare?

What Shark Week Can Teach Us About BC/DR

Roy Scheider's character in Jaws captured the essence of Shark Week in a single line of dialogue more than 10 years before Discovery Channel starts its annual block of shark-focused programming. After Jaws pokes his head above the surface of the water in one scene, a stunned Scheider slowly walks backward to the boat's cabin and tells Robert Shaw's character, "You're going to need a bigger boat."

You might find yourself uttering Scheider's famous line while preparing your company for a disaster. Whether you're planning for natural disasters such as hurricanes, earthquakes or tornadoes, or backing up crucial data from your business's servers, there will probably come a time when you think you're going to need a bigger boat.

With Shark Week coming to a close, here are a few things you can learn about business continuity and disaster preparedness from some of the interesting shark news over the last week.

Get Educated

Discovery Channel's Shark Week has caught some criticism over the years for becoming more entertainment-focused than educational, but one Illinois girl is thankful she tuned in before taking a trip to Florida. Ashlyn Gilpin, a high school freshman, was attacked by a shark in May at Cocoa Beach and credited Shark Week with teaching her how to react during the attack and not make it worse.

Knowing what to expect in a disaster is crucial to preparing your business for making it through a bad situation. Just as Gilpin benefited from watching Shark Week, you can benefit from participating in educational programs such as webinars, reading trade publications or learning from other professional in your industry so you know how to prepare for and react to a disaster.

Be Protected

Drought conditions and high salt levels in coastal waters have contributed to an increase in shark attacks along the Eastern coast of the United States, so what's a water lover to do when their local beach is being stalked by Jaws? An Australian company designed shark-repellent wet suits that camouflage swimmers from a shark's limited vision capabilities.

While it doesn't offer the same protection as swimming in a shark-proof cage, the innovative wet suits are a means of protecting yourself while still enjoying shark-haunted waters. Just as the wet suits let swimmers carry on as usual, you company's data needs to be protected in a manner that doesn't disrupt daily business. Backing up data to a secure, private cloud is an easy way to ensure critical information stays secure and also offers a way to quickly rebound if a system goes down.

Get a Bigger Boat

Scheider was on to something when he suggested getting a bigger boat all those years ago. In June, U.S. Coast Guard captain Ben Chancey was fishing for grouper in Florida when a shark knocked him from his kayak and sent him quickly swimming for a nearby support boat. Once the shark stopped attacking the kayak, Chancey was able to return to his undersized ship and reel in the shark for a big catch.

While Chancey was able to finish landing the shark back aboard his kayak, he was still at a disadvantage in the small boat. Had the much bigger support boats not been nearby, Chancey would have been in a much more perilous situation, stranded in the water with several sharks. When a disaster strikes your business, you can recover quickly with the help of a backup facility such as a Mobile Recovery Center or a Business Recovery Center. Having access to an alternate facility can help you rebound and reel in the biggest fish.

Need some more tips for how to keep your company prepared? Read our post "Most Commonly Forgotten BC/DR Items."

11 Questions to Include in Your IT Vendor Due Diligence

Outsourcing vector art
Outsourced IT is nothing new, but as Verizon Wireless’s recent report "Better Outcomes for IT Outsourcing" points out, digital transformation is changing the face of outsourcing. Customers want flexible service delivery models, ways to improve inefficient processes and spending models based on opex versus capex.

But with the rise of cybersecurity issues, tightly wound supply chains and customer expectations for always-on service, you need to make sure that any vendor with access to your data and systems is fully vetted.

Before you involve any third party in your IT processes, make sure you know the answers to these questions:

  • Has the vendor undergone a compliance audit such as the SOC 2 Type II? How often are audits performed?
  • Does the vendor's services and certifications align with your organization's service level agreements (SLAs), business impact analysis recovery objectives and industry-specific compliance requirements?
  • What performance objectives, remediation procedures and exit provisions are included in the vendor's SLAs?
  • What is the vendor's business continuity and disaster recovery (BC/DR) strategy?
  • What BC/DR test practices does the vendor follow? When was the last test?
  • What tools and industries do the vendor's staff members have experience with?
  • Where is data stored and how long is it retained?
  • Are data center engineers certified and experienced?
  • Do employees receive routine background checks?
  • What access control methods does the vendor use?
  • Has the vendor ever experienced a data breach? If so, how did the company handle it?

Depending on your industry and the type of solution you’re looking for, you’ll likely have a few questions to add to this list. But by being informed about these 11 key areas and making sure the vendor’s answers align with your business’s needs, you can help ensure a better outcome for your outsourced IT functions.

For examples of vendor evaluation guidelines specific to a unique industry or technology service, check out our post "FFIEC Update: Ensuring Resiliency of Outsourced Technology Services" and download our vendor evaluation guide.

The Fourth of July: Fireworks and Fire Danger

American flags
On June 11, 1776, the Continental Congress gave the Committee of Five, which included Thomas Jefferson and John Adams among others, three weeks to draft a document that made a case for the colonies' independence from Great Britain. The American Revolution had already begun on April 19, 1775, but this document was meant to declare absolute independence from the crown.

Though the Declaration of Independence wasn't signed until much later, July 4 marks the day we remember our nation's independence. Every year since then, many celebrate the holiday with fireworks, barbecues and fellowship.

But the Fourth of July festivities can also bring about certain dangers caused by fireworks, bonfires and grilling. For instance, in 2011, fireworks caused 17,800 fires that resulted in eight civilian deaths and $32 million in property damage. Take these steps to help mitigate the possibility of your becoming a statistic:

  • If you’re burning anything, make sure all fires are being watched closely.
  • When cooking or burning, stay upwind to avoid smoke inhalation.
  • Avoid grilling near buildings or other structures, as well as low branches.
  • Keep children away from fires, grills, matches and lighters.
  • Use fireworks away from residences.
  • Have fire extinguishers readily available in case a fire flares up.
  • Do not burn or use fireworks if there is a burn ban in effect.
  • Do not become negligent or reckless while using potentially dangerous items.
  • If there is an emergency, do not hesitate to call 911.

These tips can help you avoid unexpected fire-related disaster, but unfortunately problems do arise despite our best efforts. When the time came for the colonists to gain independence from the British, the Committee of Five was ready. If it becomes necessary for you to respond to an emergency this Fourth of July, will you be ready?

[Webinar Recap] Getting the Most Value From Your Business Continuity and Disaster Recovery Plan

A water main break wreaks havoc on a business’s facility. Civil rioting forces employees to steer clear of their main facility. A fire reduces a building to a gutted, ashy shell. A mass software update requires all hands on deck. Heavy rains and flash flooding make a downtown commute out of the question. A booming business requires a new facility faster than it can expand.

You might place some of these events on opposite ends of the disaster spectrum, but they all have one thing in common: They’re all real-life examples of situations that had the potential to cause significant business interruptions.

Mobile bank branch open for business
Photo courtesy of Service Credit Union
During a recent Association of Contingency Planners webinar, Rentsys National Sales Manager David Tedford and one of our clients, Service Credit Union CIO Bill Arnold, spoke about how businesses can gain the most value from their contracted business continuity and disaster recovery (BC/DR) solutions by implementing them for both disaster- and non-disaster-related scenarios.

Service Credit Union, for example, has used a mobile bank branch to recover from a fire and to accommodate customers during a branch expansion project.

The webinar is over, but to hear more about Service Credit Union’s experiences, you can access the recorded presentation here.

Business Continuity Planning Best Practices From ‘Jurassic World’

In the movie "Jurassic World," genetic scientists produce a genetically modified hybrid dinosaur named Indominus Rex — a move intended to wow the park's customers and create new revenue streams.

Jurassic World
Image courtesy of Universal Studios
While your company likely won't ever face the unique challenges of wrangling carnivorous dinosaurs, "Jurassic World" does illustrate three best practices of business continuity planning. By following the steps below, you can be more equipped when an event such as a hurricane, power outage or data breach tries to wreak havoc on your business like Indominous Rex wreaks havoc on Jurassic World.

Be Aware of the Risks You Might Face

Being familiar with the unique risks your company faces is important, whether that be knowing the types of natural disasters that are common in your area or being aware that your company is developing genetically modified hybrid dinosaurs.

A risk assessment can help you evaluate the potential hazards to your company. In some cases, it's beneficial to get a neutral third-party perspective from a business continuity consultant. For example, having a technical risk assessment performed can help you identify risks to your technical environment that you might not have considered before.

Make Sure Employees Are Trained

Keeping your employees trained and aware of what to do in disaster situations and other business interruptions is necessary to minimize panic. In "Jurassic World," for example, an untrained employee might see an escaped velociraptor and sit there screaming in fear, while a trained employee would know to stay calm and sound an alarm. Knowing the right thing to do is crucial to the safety and well-being of all employees.

Training and awareness workshops can help educate your employees on what steps to take during a crisis. Whether it's a hurricane or an escaped dinosaur, your team needs to be equipped for every situation.

Determine Weak Areas in Your Plan

Tabletop exercises help target weak links in your business processes so you can take steps for continual improvement. For example, if you're in "Jurassic Park," these exercises could help determine that the Indominus Rex is uncontrollable and unsafe for public display. If you’re in the business world, tabletop exercises could help you determine you need to update your company’s procedures for responding to a specific scenario, such as a flu pandemic.

After identifying weak areas in your disaster recovery and business continuity plan, your business continuity planner can help you create action steps for improving your ability to avoid or minimize downtime.

For more Jurassic-style planning tips, check out this post.

Three Security Breaches That Shined the Spotlight on Cybersecurity

Computer hacker
As companies have increased the amount of sensitive data they store electronically, hackers have relentlessly attacked various institutions and people — movie producers, retailers, banks, celebrities, governments — in an attempt to open the floodgates. In recent years several major security breaches have sent the IT industry scurrying to plug the gaps and curtail the stream of customer and internal data reaching malicious hands.

We've told you about some disasters that were caused by human error, but what happens when disasters happen because somebody wanted them to happen? Here are three big security breaches that shined the spotlight on the importance of cybersecurity.

Sony Pictures Entertainment

It's believed that a hack of Sony Pictures Entertainment had been going on for more than a year before the leak was discovered in November 2014. Internal emails, movie scripts, early cuts of unreleased films and about 47,000 unique Social Security numbers were included in the claimed 100 terabytes of data stolen from Sony servers and leaked by the cybercriminals.

The U.S. government linked North Korea to the cyber attack in part because of the controversy and threats surrounding the Sony film "The Interview," a comedy about an assassination attempt on North Korean leader Kim Jong-un, but experts have cast doubt that the attack was backed by the country's government. Sony said it spent $15 million investigating and recovering from the hack, though it will recoup much of the cost from insurance.

Anthem Inc.

The breach of Anthem Inc., a healthcare company that manages plans under several insurance brands, might have started as early as April 2014 but wasn't discovered until January 2015. By then it had become of the biggest security breaches of all time, with hackers compromising almost 80 million records, 60-70 million of which affected either current or former Anthem members.

The breached records included names, birthdays, email addresses, Social Security numbers, medical identification numbers and addresses. Some of the records included employment data and income levels, but financial and medical information was not accessed. The malware used in the attack was believed to have originated in China, and the cost of Anthem's ongoing recovery could exceed its own cyberinsurance policy cap of $100 million.

Home Depot

Home Depot accounts for approximately 60 percent of revenues in the home improvement industry. That made the company an attractive target to hackers who installed malware on the company's servers to attack credit and debit card readers in the company's stores.

The hackers used a vendor's stolen log-on credential to access the servers before installing the malware, possibly as far back as April 2014. The information from 56 million credit and debit cards was stolen and listed for sale on a black market website before cybersecurity experts and Home Depot discovered the breach in September. Home Depot estimated that the breach cost the company $62 million, almost half of which was covered by insurance.

For more information on the importance of keeping your company's and clients' data secure, check out our post "Consumer Identity: Asset & Liability."

How Familiar Are You With Hurricane Terms?

Hurricane season is rapidly approaching. To adequately prepare for whatever storms might head your way, it's vital to familiarize yourself with common hurricane-related terms, courtesy of NOAA.

Tropical Disturbance: A loosely organized area of thunderstorms that remains in an area for 24 hours or more.

Tropical Depression: An area of low pressure characterized by rotary circulation of thunderstorms with winds of less than 39 mph.

Tropical Storm: An unorganized area of low pressure and thunderstorms with distinct circulation and winds of 39-73 mph.
ominous-looking sky
Hurricane Watch: Hurricane conditions are possible in the designated area within 48 hours.

Hurricane Warning: Hurricane conditions are expected in the designated area within 36 hours.

Hurricane: A pronounced rotary circulation with wind speeds of 74 mph or greater.

Storm Surge: An abnormal rise in sea level usually caused by a hurricane. Storm surge height is the rise in sea level caused by the storm.

The progression of a tropical disturbance into a hurricane can occur quickly. Without the proper protection, hurricane damage could be devastating. If you see a tropical disturbance in your area, stay updated on local weather reports in case a hurricane forms. Begin to board up your windows, prepare for flooding and back up all important data.

If a hurricane develops and is projected to reach your area, follow evacuation plans and prepare for roads to be crowded. For a comprehensive pre-hurricane plan, review our hurricane preparedness checklist.

[Webinar Recap] Business Continuity Myths Revealed

Business Continuity Myths Revealed Presentation SlideWith all the business continuity and disaster recovery (BC/DR) services available on the market today, staying operational after a business interruption should be easy, right? That depends on your strategy.

If you’ve ever found yourself saying any of the below statements, you’re buying into some of the most common business continuity myths out there.

10 Most Common Business Continuity Myths

Myth #1
I have business impact insurance, so I don’t need BC/DR services.

Myth #2
I back up my data to the cloud, so it’s protected.

Myth #3
We don’t have the budget to buy an IT DR solution, so it’s more cost-effective to build our own.

Myth #4
My employees can always work from home if anything happens.

Myth #5
A reciprocal agreement with a neighboring business gives us access to backup workspace when we need it.

Myth #6
We have another facility where any impacted employees can work.

Myth #7
We’ll use our cell phones during an outage.

Myth #8
We can call an OEM to get any backup equipment we need.

Myth #9
We can’t afford to test our BC/DR plan often because testing disrupts our daily operations.

Myth #10
Our IT department already does DR testing, so we don’t need to do a full-scale exercise.

During our recent webinar with the Disaster Recovery Journal, our national sales manager, David Tedford, explained why these statements are myths and what you can do to protect your organization.

The webinar is over, but you can listen to the full recording here.

Texas A&M Health Science Center Reminds Us of the Importance of Testing

Gym set up as emergency overflow treatment centerOur team recently volunteered for a community-wide disaster preparedness event, Disaster Day, hosted by the Texas A&M Health Science Center (TAMHSC).

The idea for Disaster Day began with Hurricane Ike in 2008, when the hospitals in College Station, TX started to overflow. Patients were taken to the Health Science Center (HSC) to be preliminarily treated until the hospitals cleared out, giving medical, nursing and pharmaceutical students real-life experience treating victims of a disaster.

TAMHSC saw this was an indispensable opportunity for students, but couldn’t rely on a natural disaster to occur every year. And that’s how the simulated exercise appropriately dubbed Disaster Day came to be. For the event, volunteers role play disaster victims receiving treatment for “injuries” and “medical conditions” caused by the disaster. In the HSC students’ eyes, though, the disaster — along with the injuries it’s caused — is real.

We chose to participate in Disaster Day this year not only to support the school but also to reinforce one of our main company philosophies: the importance of testing and preparedness. Two weeks before the event our volunteers attended a training session where we each received case studies of the injuries we'd be portraying — heart attacks due to stress and panic after a wildfire hit our area. To adequately prepare, we studied the cases and quizzed each other on our backstories until the day of the event.

Upon arriving at Disaster Day we were sent to the gym, which was set up as an emergency overflow treatment center for victims suffering from burns, dog bites, dehydration, smoke inhalation, etc. The scene was as chaotic as a real disaster would be. A girl lying in a cot was wailing in pain from burns over her entire body. Another victim coded, so emergency personnel ran over to start reviving her. A mother dropped to the floor when doctors were unable to resuscitate her daughter.

The simulation gave students a chance to test their medical knowledge and gave professors, who are real doctors and nurses, the opportunity to assess their students’ treatment of patients.

Just as the HSC needs to make sure its students are prepared for the medical field after graduating, you need to make sure your employees are prepared for a business interruption. Regularly testing your business continuity and disaster recovery (BC/DR) plan will give employees the opportunity to familiarize themselves with every aspect of the plan so they’re prepared in the event of a disaster.

If you’re new to the DR testing scene, check out some of our posts for tips.

Four Reasons Testing Your Business Continuity Program Is Essential

By Brandon Tanner, senior manager for Rentsys Recovery Services, Inc.

Word "continuity" on chalkboard
One of the most important things your business can do is test its business continuity program. You might assume that because you have a written plan your business is prepared for a disaster or business interruption, but how do you really know your plan works until you test it? Below are four reasons testing is essential.

It Identifies Interdependencies

Performing business continuity tests helps you identify interdependencies and gaps within your system databases and technology. For example, a customer we tested with was able to recover their main application and network environment, but they discovered there was a particular database the application made a call to for a subroutine. That specific database was housed in a separate environment and wasn’t being backed up. As a result, the entire system application that relied on that database wouldn’t have been able to operate during a real-world recovery scenario, which would have prevented an entire business unit from functioning. By testing, they were able to identify that interdependency ahead of time. 

It Reveals Differences Between Production and Recovered Environments

Differences between your current production environment and recovered environment could cripple your employees' productivity. People are used to using an application a certain way and for a specific purpose on a day-to-day basis. If an application isn't configured to allow users to perform the desired functions, the application will become essentially useless to your employees. Testing will reveal any configuration changes you need to make. >

It Validates Compliance Requirements

Many businesses are required to have certain security protocols in place for compliance purposes. They also need to meet specific recovery time objectives (RTOs) driven by business objectives, regulatory requirements or both. Unfortunately, sometimes when businesses are in the middle of an event, they tend to try to recover as quickly as they can, which can open up security issues. With testing, you can assess your ability to recover within your RTOs while validating that the required security controls are in place.

It Provides an Opportunity for Creating Time-Saving Documentation

It’s critical for people going through an exercise to document work issues in a recovery scenario. That way, if other people are involved in a recovery situation down the road, they have documentation that can expedite recovery, rather than wasting time working out logistics that were resolved during a previous test.

If you work with a business continuity services provider, that third party can leverage documentation on the customer's environment to speed up the recovery. After a disaster strikes, people are typically dealing with the effects of the event and making sure their families are taken care of, so key personnel are not always available to initiate the business’s recovery.

When we work with our customers during these types of events, we’re able to rely on the documentation we have to get the customer’s environment set up by the time the employees arrive on-site. In our experience, having detailed documentation can cut about six to 12 hours off the recovery process.

By proactively identifying weaknesses in your business continuity plan, you can save yourself a lot of headaches down the road.

What problems have you identified during a test? Tweet your answers to us at @RentsysRecovery.

Business Continuity Awareness Week: Testing Business Continuity Plans

Photo courtesy of the BCI
Today kicks off the Business Continuity Institute (BCI) Business Continuity Awareness Week. This year's theme is testing and exercising business continuity plans (BCPs), so in honor of #BCAW2015 we've put together a list of some of our top testing tips.

Conduct a Full-Scale Test Annually

One of the reasons business continuity plans fail is staff members simply take for granted the things they need to do their jobs. To truly make sure your BCP will work as planned, it's helpful to do a complete run-through of the plan at least annually to make sure you're not forgetting anything.

Test With Critical Vendors to Make Sure Both Parties Are on the Same Page

Testing with critical vendors helps make sure you each have the proper expectations of how a recovery event will unfold. You should have requirements outlined in a service level agreement, but it's important to test them.

Involve Employees and Ask for Feedback

When testing, make sure all the people who would be involved in a recovery — whether they're new or experienced employees — participate in the test. Afterward, ask them for feedback to identify any unclear or inefficient areas in your strategy.

Learn From Your Peers

Interface with other companies in your industry to see what they've learned from their tests. Not only will you learn what BC strategies were successful for them, but you'll also learn from their mistakes.

Publicize Your Test Efforts

The purpose of testing is to identify areas of improvement in your BC strategy, of course, but it's also an opportunity for positive publicity. By publicizing your test efforts, you're letting your customers know that you're dedicated to being available to them in the event of a business interruption.

What are your testing tips? Tweet them to us at @RentsysRecovery and use the hashtag #BCAW2015.

Popular Posts