In a report from FEMA, I found the number of major disasters declared over the past five years:
|Year||#||% change from previous year|
These numbers account for such things as weather disasters, floods, terrorist attacks, and those caused by human actions. Digging a little deeper, I wondered how many cyber/data breaches happened during 2017, or at least those deemed big enough to be reported. Here’s the list I found:
E-Sports Entertainment Association, Xbox 360 ISO and PSP ISO, InterContinental Hotels Group, Arby’s, River City Media, Verifone, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care, America’s JobLink, FAFSA: IRS Data Retrieval Tool, Chipotle, Sabre Hospitality Solutions, Gmail, Bronx Lebanon Hospital Center, Brooks Brothers, DocuSign, OneLogin, Kmart, University of Oklahoma, Washington State University, Deep Root Analytics, Blue Cross Blue Shield/Anthem, California Association of Realtors, Verizon, Online Spambot, TalentPen and TigerSwan, Equifax, US Securities and Exchange Commission, SVR Tracking, Deloitte, Sonic, Whole Foods Market, Disqus, Hyatt Hotels, Forever 21, Maine Foster Care, Uber, Imgur, TIO Networks, eBay, Alteryx
That’s more than 40 companies - not a good trend. It also leads to the questions, "Is my business vulnerable?" and "What can I do about this?"
Here are some quick tips that I gleaned from a recent article from Everbridge:
Question your approach
Justifying the effort to define a recovery strategy for what is arguably a rare occurrence is difficult. Instead, look at the need to be able to recover from a value-based perspective, such as:
1. Regulatory compliance
2. Competitive advantage
3. Brand and reputation recognition
4. Knowledge capture
5. Increased robustness
Find out what others in your industry are doing and from there address the question, “What is right for us?” Not all companies need sub-second recovery… Some companies really can convert their entire workforce to remote workers… Your solution needs to be tailored to your needs.
Put simply, plans are worthless if you don’t exercise them on a regular basis. Leading standards on continuity planning refer to having regular exercises that increase in scope and complexity over time. Of course, “How often?” is a key question. Two exercises a year is thought to be a good benchmark, with one being a tabletop exercise and the other a more in-depth simulation.
Some food for thought: As you continue through your planning process, include your business recoverability and resilience as part of the discussion. Being prepared for “what if” scenarios is critical for long-term success.