Disaster Recovery Journal Fall 2023


Fall 2023 • Volume 36, Number 3


Disaster Recovery Journal
1862 Old Lemay Ferry, Arnold, MO 63010
(636) 282-5800; Fax: (636) 282-5802
Internet: www.drj.com
E-mail: drj@drj.com

EXECUTIVE PUBLISHER: Bob Arnold, bob@drj.com
EDITOR IN CHIEF: Jon Seals, jon@drj.com
ASSOCIATE EDITOR: Pam Clifton
PRESIDENT: Bob Arnold, bob@drj.com
DIRECTOR OF EVENTS: Lesley Vinyard, lesley@drj.com
REGISTRATION MANAGER: Rose Chotrow, rose@drj.com
SENIOR WEB DESIGNER: Amy Faulkner, amy@drj.com
PROGRAMS MANAGER: Traci O’Neal, traci@drj.com
EVENT MARKETING: Sonal Patel, sonal@drj.com

EXECUTIVE COUNCIL: Dan Bailey, Jeff Dato, Peter Laz, Frank Perlmutter, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson

EDITORIAL ADVISORY BOARD: Erick Anez, Ashley Goosman, James Green, David Halford, John Hill, Ray Holloman, Colleen Huber, Cary Jasgur, Lisa Jones, Joan Landry, Joe Layman, Melanie Lucht

ASIA
Business Continuity Planning Asia Pte Ltd (BCP Asia)
Henry Ee
1 Commonwealth Lane #08-27, One Commonwealth, Singapore 149544
Phone: (65) 6325 2080; Fax: (65) 6223 5363
General: enquiry@bcpasia.com
Events: conference@bcpasia.com
Direct: henry@bcpasia.com
www.bcpasia.com

UNITED ARAB EMIRATES
Continuity and Resilience, A Division of CORE MANAGEMENT CONSULTING
Dhiraj Lal, Executive Director
P. O. Box 127557, Abu Dhabi, United Arab Emirates
+971 2 8152831 | +971 2 8152888
dhiraj@continuityandresilience.com
www.continuityandresilience.com

SOUTH AMERICA
DRJ en Espanol
Ruth Rocha, Directora Comercial
+ (51) 1 436 6456 fijo Perú
+ 1 (786) 600 1864 USA
ruth.rocha@drjenespanol.com
www.drjenespanol.com

TABLE OF CONTENTS

COVER: Combatting Business Continuity Fatigue, By JAMES LODGE
Adapting Weather Response Plans to Handle Compounding Disasters, By SHANNON COPELAND
Disk-based Backup Targets Up Their Game to Meet Ransomware’s Challenges, By JEROME M. WENDT
Maximize Exercising Preparation, By MARGARET J. MILLETT
The Importance of the BIA Pre-Work, By MICHAEL HERRERA
Post Disaster Lessons: What Should be Learned and How, By IHAB HANNA SAWALHA
Sustainable Artificial Intelligence, By BRIAN STANISLAUS & CHANDREGOWDA PACHEGOWDA
AI-Empowering Resilience in Business Management, By BRIAN SATHIANATHAN
Career Spotlight: Dom Fortino, By CARY JASGUR
DR Services Directory

DISASTER RECOVERY JOURNAL (ISSN 1079-736X; USPS 013-076; Publication Agreement No. 40679000) is published quarterly by Systems Support, Inc., 1862 Old Lemay Ferry, Arnold, MO 63010. Subscriptions are free to all qualified personnel in the U.S. and Canada involved in managing, preparing, or supervising business continuity planning. Rate for all others in the U.S. is $10, Canada and Mexico $24, all other countries $47. For renewals or change of address, please include current mailing label. Periodical Postage Paid at Arnold, MO and additional offices at St. Louis, MO. POSTMASTER: Send address changes to DISASTER RECOVERY JOURNAL, 1862 Old Lemay Ferry, Arnold, MO 63010. Canada Post Publication Agreement No. 40686534. Return undeliverable Canadian addresses to: DISASTER RECOVERY JOURNAL, PO Box 456, Niagara Falls, ON L2E 6V2. DISASTER RECOVERY JOURNAL is copyrighted 1987-2023, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.


FROM THE PRESIDENT’S DESK

What AI Means for Business Continuity

With the recent release to the general public of tools like ChatGPT and Google Bard, the long-heralded arrival of AI has now occurred, and in a big way. In the wake of the debut of these tools, there has been a tsunami of think pieces on what AI means for society at large. Will it help cure disease? Ruin children’s ability to think for themselves? Make it easier to plan trips and meals? Worsen the problem of misinformation? Boost cybercrime? Improve mental health? Change warfare? Cost people their jobs? Destroy civilization? For all anyone knows, it might be any or all of the above.

Leaving the broader discussion to other people, I’ve been trying to come to grips with what AI might mean for the field of business continuity. Influencing my thoughts is the fact these technologies are in their infancy. There will probably be huge advances in the next 10 years. What will their capabilities be then? Nobody knows.

It seems to me there are two areas to look at in thinking about what AI means for BC: the risks AI poses to organizations’ ability to keep their critical processes running, and the possibilities of using AI as a tool to help in doing BC. For a closer look at how resilience professionals might fear AI, or use it to help write plans and devise exercises, you might take a look at recent online exclusive articles on the site: “AI Anger Management,” “Chat GPT Comes to Business Continuity,” and “Business Continuity and Artificial Intelligence.”

The articles above feed into the first tip I would give resilience professionals, faced as we are with the need to get our heads around the implications of AI: read widely about it, educate yourself, get into discussions about it. As uncomfortable as the rise of AI might be in some respects, putting our heads in the sand won’t make it go away.

Another tip I’d offer would be to use caution in leaning on AI to help with your BC program. The reason why is simple. In scouring the internet for information to answer your questions, the tools might grab up bad data or advice—garbage which they would then feed to you in a tone of absolute certainty. Plus, when AI tools like ChatGPT don’t “know” the answer, apparently they have a tendency to “hallucinate” a response, making something up out of thin air.

That being said, it has to be stated that tools such as ChatGPT have an extraordinary potential to help us in doing BC. This is not in the future. It’s right now. Here’s an example of what they can do right now, for anyone, for free. I asked ChatGPT if it had the ability to evaluate a BC plan against the requirements of the FFIEC standard. Its reply was pretty darn impressive:

“Yes, I can certainly evaluate a business continuity plan against the requirements of the FFIEC (Federal Financial Institutions Examination Council) standard. The FFIEC’s Business Continuity Planning Booklet outlines the principles and expectations for effective business continuity planning in financial institutions. The booklet provides guidance on the key components of a comprehensive business continuity plan.”

ChatGPT then named them (risk assessment, business impact analysis, business continuity planning, testing and training, maintenance and review), concisely explaining each one. It concluded:

“By evaluating your business continuity plan against the requirements of the FFIEC standard, I can identify any potential gaps or areas for improvement in your plan.”

I then asked if it could look at a BC plan for me and tell me if there were any gaps. It replied:

“Yes, I can certainly review your business continuity plan and provide feedback on any potential gaps or areas for improvement. Please share the plan with me, and I will be happy to review it for you.”

That’s pretty amazing, especially when you consider how much work it would be for a person to extract this kind of information from a standard or review a plan for gaps. Of course, it’s important to reiterate that you should double check anything AI tells you or creates for you.

It’s also worth pointing out the limits of AI in doing this kind of work. The information that makes a program meaningful for an organization doesn’t reside in public sources, therefore it’s unavailable to the AI tools. Most of the information that really counts is located in people’s heads. The task of getting SMEs to put the things they know about their departments and business processes into words is more art than science. That’s the most important piece of all in building a BCM program and getting it still requires the human touch.

We are having an initial discussion of the impact of AI on resilience at DRJ Fall 2023 in Phoenix (Sept. 10-13). More comprehensive coverage will follow at DRJ Spring 2024 in Orlando (March 17-20). I hope to see you at both.

BOB ARNOLD, MBCI Hon.
PRESIDENT
bob@drj.com


Innovative Strategies for Keeping Your Team Engaged: Combatting Business Continuity Fatigue

By JAMES LODGE

In the dynamic and often unpredictable world of business, continuity management has become a mainstay, an enduring guard against potential operational disruptions. However, just as a candle flickers before burning out, prolonged periods of vigilance and repeated cycles of crisis management can lead to what’s known as “business continuity fatigue.” This is an invisible, yet insidious enemy, silently sabotaging our strategies and dulling the sharp edge of our resilience.

This article explores business continuity fatigue, an overlooked phenomenon which poses a significant threat to the very fabric of our operational resilience. This threat doesn’t stem from any external challenge, but from within our ranks, manifesting in disengagement, diminished productivity, and a gradual erosion of morale. In short, business continuity fatigue isn’t just about exhaustion; it’s about a slow, progressive disconnection from our business continuity efforts and objectives.

The good news? This fatigue isn’t insurmountable. By employing a series of innovative strategies, it’s possible to reignite the engagement of our teams and restore the vitality and effectiveness of our continuity plans. So, let’s dive in, understand this menace, and explore practical, innovative ways of ensuring our teams remain engaged, energized, and ready to ensure continuity, no matter what storms we might face.

Business continuity fatigue, though a term you may not often encounter in your daily operations, is a reality many organizations grapple with, particularly those who have endured recurrent crises or significant changes. But what exactly does this phrase encapsulate? Let’s demystify it. Think about running a marathon, where the initial adrenaline and motivation drive you forward. However, as the miles stack up, each step gets heavier, breathing gets harder, and the finish line seems increasingly distant. This creeping exhaustion, both physical and mental, is akin to what we mean by business continuity fatigue. Except, in our context, the marathon is the long haul of managing and maintaining operational resilience in the face of ongoing or repeated crises.

At its core, business continuity fatigue manifests as a collective weariness, a waning enthusiasm, and decreased productivity within a team continually dealing with disruptions or threats. The constant state of vigilance, the ceaseless planning, and repeated execution of continuity strategies can lead to feelings of exhaustion and disengagement. It’s as if the team is stuck in a never-ending loop, a Groundhog Day of crisis management.

The insidious nature of this fatigue lies in its subtlety. It doesn’t announce itself with a fanfare or a dramatic drop in performance. Instead, it seeps quietly into the fabric of the team, slowly eroding morale, lowering productivity, and weakening the resolve of even the most dedicated individuals. If not addressed, it has the potential to undermine your business continuity management, making your organization vulnerable when the next disruption hits.

Taking real-world examples, consider companies that have faced repeated cyberattacks or those in regions prone to natural disasters. The constant cycle of preparation, response, and recovery can be both physically draining and mentally taxing, gradually leading to business continuity fatigue.

Understanding this phenomenon is the first step toward addressing it. By recognizing its signs and knowing its effects, leaders can proactively devise strategies to counteract this fatigue, ensuring their teams remain engaged, and their business resilience remains robust. In our next section, we’ll delve into how to spot the signs of business continuity fatigue within your team.

Unmasking the spectre of business continuity fatigue within our teams is only half the battle. The real challenge lies in keeping this phantom at bay. How do we keep our teams engaged, motivated, and ready to face any disruption head on? Let us now shift our focus to some novel tactics for reinvigorating our teams and revitalising our business continuity initiatives.

1. Enhancing communication: Transparency and openness are the cornerstones of any healthy team dynamic. When it comes to combating fatigue, frequent, clear, and meaningful communication can work wonders. This could take the form of regular updates on the progress of business continuity efforts, providing context and clarity for certain measures, or even creating open forums for discussion and feedback. This strategy fosters a sense of inclusivity, shared purpose, and an environment where everyone feels heard, valued, and part of the bigger picture.

2. Encouraging resilience: Business continuity fatigue can be seen as a resilience issue on a personal and team level. By promoting resilience, we equip our teams with the tools to navigate these demanding scenarios. This could be achieved through resilience training programs, mental health support, or even by ensuring the team has adequate downtime and recovery periods after a crisis. It’s about building a team which doesn’t just bounce back, but bounces forward, learning, growing, and strengthening with each challenge.

3. Prioritizing employee well-being: An exhausted team is an unproductive team. Prioritizing employee well-being is no longer a “nice to have”; it’s a business imperative. Flexible working arrangements, well-being programs, mental health resources, and regular check-ins can all help to reduce fatigue, boost engagement, and build a caring culture inside the organization.

4. Fostering a culture of adaptability: In the face of constant change and periodic crises, cultivating an adaptation culture can be an antidote to tiredness. This entails not only preparing your team for change but also providing them with the skills and mindset necessary to succeed in it. It is about fostering in your team a feeling of curiosity, flexibility, and a thirst for constant learning.

5. Implementing effective change management: Frequent changes without a proper change management strategy can exacerbate continuity fatigue. Implementing an efficient change management strategy ensures changes are introduced in a systematic, intelligible manner, offering assistance during the transition, and decreasing the stress and tiredness that can accompany constant change.

These methods’ adaptability is what makes them so enticing. They can be tailored to your team’s particular needs as well as the specific difficulties that your company faces. In the following section, we will look at a fictitious corporation which has effectively used these tactics to overcome business continuity fatigue with revealing outcomes.

It’s helpful to witness these methods in action to properly comprehend their power and potential. Let’s delve into a theoretical case study that showcases how these innovative approaches can breathe new life into fatigued business continuity efforts.

Acme Corp: Turning the Tides of Fatigue

Acme Corp, a leading tech company, found itself under siege from a series of cyberattacks over a short span of time. Despite their robust cybersecurity measures, the relentless onslaught began to take a toll on the team responsible for managing these crises. Signs of business continuity fatigue were evident – a dip in productivity, visible exhaustion, declining morale, and even increased turnover within the team.

Recognizing the urgency of the situation, the leadership at Acme Corp decided to take a proactive approach.

• Enhancing communication: The first strategy they implemented was enhancing communication within the team. Leaders started sending out regular, detailed updates about the ongoing efforts against cyber threats and the overall state of the business continuity plan. They also introduced open forums where team members could voice their concerns, ask questions, or share their ideas. This open dialogue helped reduce uncertainty and anxiety among the team members and fostered a sense of collective purpose.

• Encouraging resilience: Acme Corp then rolled out a comprehensive resilience training program. This included resources on stress management, self-care techniques, and even counseling services. They also introduced “Recharge Days,” where the team was given time off after significant crises to rest and recover. These initiatives helped to enhance the team’s capacity to deal with challenges and bounce back stronger.

• Prioritizing employee well-being: The company implemented several well-being initiatives, including flexible work hours, remote work options, and regular mental health check-ins. They also introduced an employee assistance program that provided access to mental health resources and counseling. This emphasis on well-being contributed to a healthier, happier, and more engaged team.

• Fostering a culture of adaptability: Acme Corp also introduced several measures to foster a culture of adaptability. They offered training and development programs aimed at equipping team members with new skills and encouraging a growth mindset. They celebrated adaptability and flexibility as valued traits within the organization.

• Implementing effective change management: Finally, Acme Corp established a robust change management process. Changes were introduced in a structured, phased manner with clear communication and ample support provided to the team throughout the process. This approach helped to reduce the stress and uncertainty often associated with change.

In the months following the implementation of these strategies, Acme Corp saw a remarkable improvement in their team’s engagement and morale. Productivity rebounded, turnover decreased, and the team demonstrated improved resilience in the face of subsequent disruptions.

This theoretical example of Acme Corp gives an example of the powerful potential of these strategies in combating business continuity fatigue. It also highlights the importance of keeping your team engaged, energized, and prepared to tackle any disruption that comes their way. Remember, leadership’s proactive role is crucial in making these strategies a success.

It is obvious business continuity fatigue is not an unavoidable side effect of dealing with ongoing or recurring disasters. Instead, it is a strategy which can be completed successfully by combining awareness, inventiveness, and tenacity. The key to success is to keep our employees engaged, motivated, and ready to face any disruption with grit and tenacity. These innovative strategies – enhancing communication, encouraging resilience, prioritizing employee well-being, fostering a culture of adaptability, and implementing effective change management – provide a practical roadmap to combat business continuity fatigue. As demonstrated by Acme Corp, these strategies, when tailored to your team’s needs and diligently implemented, can turn the tides of fatigue, boosting team morale, productivity, and the effectiveness of your business continuity efforts.

However, it’s crucial to remember the onus to combat business continuity fatigue lies squarely on the shoulders of leadership. It is the leaders who must recognize the early signs of fatigue, understand its implications, and take decisive action. By doing so, they not only ensure the robustness of their business continuity management but also demonstrate a genuine care for their teams, a trait which fuels trust, loyalty, and ultimately, higher engagement.

So, as leaders navigating the complex seas of business continuity, let’s remain vigilant against the silent enemy of fatigue. Let’s commit to keeping our teams engaged, nurtured, and motivated, ensuring our business continuity plans not only survive but thrive, no matter what challenges we face. In this quest, remember: a resilient team is your most potent weapon against disruption, and an engaged team is the most resilient of all.

James Lodge has 25 years of experience within business continuity, resilience, and disaster recovery in the banking and legal sectors. Throughout this time, he has implemented global continuity and integration solutions, managed crisis situations, and pioneered technology enhancement programs. He also has a keen interest in managing best practice resilience solutions both in and out of the workplace.


Adapting Weather Response Plans to Handle Compounding Disasters

By SHANNON COPELAND

Over time, it has become increasingly clear the climate is changing. In recent years, hurricanes have made landfall along the Gulf Coast as Category 4 (Harvey, Laura, Ida, and Ian) or 5 (Michael). In the past, hurricanes would weaken as they approached land; now, they intensify. In addition to intensified tropical events, supercell thunderstorms and strong to violent tornadoes are becoming more common over the southeastern United States. Not too long ago, a seemingly routine thunderstorm ripped through The Woodlands, a suburban area north of Houston, knocking down trees and leaving people without power for days. These are just some examples of how our climate has continued to change and challenge current response efforts in recent decades.

Hurricanes Laura & Harvey are just two examples

Business continuity and safety professionals have carefully implemented response plans for each disaster affecting their organization, but what about the unexpected risk of two or more threats? It is essential that response plans not only account for the ever-changing climate but also compounding disasters – disasters which coincide or occur in succession, exponentially increasing the intensity of the associated impacts and recovery time.

This scenario was seen in Lake Charles, La., in 2021 when Hurricane Laura made landfall with winds of 150 mph, causing widespread severe damage. Then, just six weeks later, Hurricane Delta devastated the already-damaged infrastructure. The compounding effect of two events in close proximity led to long-lasting power outages and more severe structural damage to entities in the area.

Another example is Hurricane Harvey, which slammed into Southeast Texas in 2017. Before Hurricane Harvey, many businesses had response plans which only considered the increasing threat of wind and tidal surges to determine if they should move into the next phase of their response effort. These plans were developed mainly after Hurricane Ike in 2008. Prior to Ike, many plans were either based on the storm category, the proximity of the storm to a given site, or if there was a hurricane watch or warning issued. Post-Ike, the response plans focused on the probability of certain winds, often 58 mph winds, as well as the expected height of the tidal surge. These plans improved upon the previous standards by escalating objectively based on the rising threat to one’s location. However, they did not consider freshwater flooding.

In Harvey, there was never a significant threat of strong winds or tidal surges to the Houston and Beaumont areas. Most phases of hurricane response plans were not triggered. This resulted in many businesses, including major oil refineries, not initiating the necessary precautions before the storm. When the catastrophic flooding affected these sites, many refiners were forced to perform immediate shutdowns, which can lead to additional costs upon restarting. One chemical plant in Crosby, Texas, exploded as the flooding rendered the refrigeration system inoperable. Unrefrigerated organic peroxides end up self-igniting as a result.

After Harvey, many businesses, including major chemical plants and oil refineries, decided to escalate their response plans if significant flooding was expected from a tropical storm or a hurricane. This means they may advance to a higher phase than warranted due to the predicted wind and surge threat. The flexibility to escalate despite the defined criteria not being met allows businesses to shut down operations ahead of the storm safely. This permits most workers to be released from duty before any risk threatens their safety. In addition, it dramatically reduces the likelihood of a significant accident during the storm and cuts down on costs to restart operations.

Why dynamic vs. static plans are necessary

The two examples above demonstrate why dynamic response plans, as opposed to static plans, are necessary. A static plan is less flexible and can lead to challenges in response and recovery. Businesses should consider modifying their response plans to include weather hazards, not weather phenomena, when shifting from static to dynamic ones. An example of a weather hazards plan would include individual plans for lightning, damaging wind, hail, flooding rain, and tornadoes, and not just one blanket plan for thunderstorms. Thinking of each element as a separate threat and how to respond to each is a best practice.

A starting point for creating a dynamic response plan is understanding the historical weather patterns and types of severe weather for which each location could be at risk. The next step is breaking down each extreme weather event into different hazards and risks to develop plans for each. Once the plans are developed, run through various scenarios, including compounding disasters, to ensure they can run concurrently. In addition to the dynamic response plan, contingency plans are also recommended to provide the highest level of safety for assets and employees.

Overall, the importance of having a dynamic response plan considering compounding disasters has become increasingly apparent. Organizations can set themselves up for success by considering each of the changing and varied climates when creating response plans.

Shannon Copeland is an industry manager for StormGeo and a graduate of the University of Oklahoma’s School of Meteorology. During her tenure, she supported numerous research initiatives focused on severe weather, emergency management, and disaster preparedness and recovery, including content review for FEMA’s National Hurricane Program training series. As an industry manager, Copeland supports StormGeo’s outreach strategy and aids in identifying weather-related risks to businesses and their employees.


EDITOR’S NOTE : DCIG empowers the IT industry with actionable analysis that equips individuals within organizations to do supplier and product evaluations. DCIG delivers informed, insightful, third-party analysis, and commentary on IT technology. As industry experts, DCIG provides comprehensive, in-depth analysis, and recommendations of various enterprise data storage and data protection technologies. The views, thoughts, and opinions expressed in all Disaster Recovery Journal articles belong solely to the author. The information, product recommendations, and opinions in this article are based upon public information and from sources DCIG, LLC. believes to be accurate and reliable.

Disk-based Backup Targets Up Their Game to Meet Ransomware’s Challenges

By JEROME M. WENDT

Organizations may consider their backup problems solved. Having replaced tape with disk as their primary backup target over the past 20 years, they no longer view backup as a challenge. However, new threats have entered corporate environments which specifically target backups hosted on disk.

Disk-based backup targets still need to facilitate fast backups and optimize stored backup data. But these features only represent the baseline functions these appliances must perform. Disk-based backup targets should now accommodate fast and easy storage growth, facilitate fast restores, and protect backups from ransomware attacks.

Decades-old Backup Forces Still in Play

Many viewed the arrival of disk-based backup appliances about 20 years ago as a godsend. Using disks in lieu of tape as a primary backup target addressed two longstanding backup challenges. It shortened backup windows by reducing backup times and increased the success rate of backup jobs.

Further adding to disks’ appeal, many storage providers introduced compression and deduplication technologies into their disk-based backup appliances. These two technologies helped lower disk prices. They made its cost equal to or even lower than tape.

Finally, these storage providers tested and certified their target backup appliances with leading enterprise backup software solutions. These certifications minimally ensured the backup software recognized and supported them as backup targets.

Some backup software and storage providers even went the extra mile to integrate their respective products. The disk-based backup appliances may support cloud storage, data encryption, replication, and snapshots. If they did, organizations could then potentially use the backup software to manage these features on the backup appliance.

This combination of technologies proved so successful, innovation in backup appliances slowed over the past two decades. Disk-based backup providers continued to introduce new and larger disk drives, faster network interfaces, and appliances in various form factors. However, 20 years later, these backup appliances still primarily serve as tape replacements, the same role they originally fulfilled.

Shortcomings of Legacy Backup Appliances

Today, using many existing disk-based backup appliances as tape replacements may no longer meet current organizational backup requirements. Organizations have new requirements that disk-based backup appliances may fail to, or only partly, address.

Ransomware attacks represent the primary new threat for which organizations must specifically account. Disk-based backup appliances, when first introduced decades ago, made no provisions for ransomware attacks. This threat simply did not exist, so there was no reason for providers to account for it.

However, the threat of ransomware exists today. This requires disk-based target backup appliance providers to minimally account for it in two ways.

• First, they must account for ransomware potentially attacking the appliance itself. This requires the appliance to protect itself and the backups it hosts from ransomware attacks.
• Second, these appliances must position organizations to rapidly perform restores and do recoveries.

These two modern-day requirements represent shortcomings of many disk-based target backup appliances. When developed, providers focused on and optimized them for ingesting backups and minimizing their data storage requirements. Even today, providers still promote their appliances’ backup throughput rates and deduplication ratios.

While backup throughput rates and deduplication ratios still matter, they no longer suffice. Organizations now need these appliances to deliver additional capabilities. These features should minimally ensure the appliances can withstand ransomware attacks. Ideally, they should also position organizations to restore and recover their data.

It Begins with Resilience

Many organizations report foiling ransomware attacks using a combination of their perimeter cybersecurity defenses and recovering from their backups. This has led hackers to now create ransomware strains which specifically attack the backup infrastructure.

Once initiated, the ransomware may attack an organization by scanning its network for:

• Shared folders and then looking for backups in them.
• The backup appliance itself to access its management console and/or its backups.

The latest disk-based target backup appliances offer multiple features to make them more resilient against these attacks. These resilience features include the following:

• Data immutability. The data immutability feature can prevent anyone or any task from changing or deleting backups stored on a backup appliance. This feature has become almost a prerequisite for backup appliances. Storing data in an immutable format addresses two specific challenges. Should ransomware locate the shared folder with backups on the network, it cannot delete or change them. Also, should a hacker compromise and access the backup appliance, the hacker cannot change or delete backups through the management console. Almost all legacy and new disk-based backup appliances now offer data immutability. However, some disk-based backup appliances implement it with an option that allows someone with administrative permissions to still delete backups. Organizations should verify which options a specific disk-based backup target appliance supports.
• Data encryption. Organizations should also take care to encrypt their backups. While data immutability protects backups from being changed or deleted, hackers can still potentially access and read the backups. If they can read them, some ransomware strains may copy the data to their site. Once copied, they still demand a ransom or else they threaten to publicly release the data. Encrypting backups as they get stored ensures that even if ransomware copies them, the hackers can do nothing with them.
• Role-based access controls (RBAC). Disk-based target backup appliances may require a username and password combination to log into the appliance. Unfortunately, organizations may never change an appliance’s default username and password combination or use a simple username and password combination. These approaches make it easy for hackers to guess the combination and log into the appliance. To counter this, the latest disk-based target backup appliances offer role-based access controls. These appliances may still require individuals to use a username and password to log in. However, they integrate with an organization’s implementation of Active Directory. These often require the use of complex passwords and assign a specific administrative role. Once logged in, the individual can only perform tasks according to the permissions assigned to their role. On some appliances, performing a task such as moving or deleting backups on the appliance may require a second administrator to approve the execution of the task.

• Multi-factor authentication (MFA). Finally, many appliances now offer multi-factor authentication. As an individual attempts to log into an appliance, they must provide a separate authentication code to verify their identity. This code may be in the form of a text, email, or authenticator application.

These four features ensure an appliance and its data remain secure if a ransomware attack occurs. In that vein, both legacy and new disk-based backup target appliances support these features in some capacity.

However, these features only serve to guarantee the resilience of the appliance and its data. They do not, however, necessarily better equip organizations to perform faster data restores and recoveries.

Here a distinct separation in feature functionality exists between legacy and new disk-based backup targets. New appliances offer faster, more robust restore and recovery capabilities with options to scale to much larger capacities.

The Restore and Recovery Differentiators

The need for more comprehensive data restoration and recovery functionality surfaces after an organization experiences a large-scale ransomware attack. If ransomware encrypts the production data of a few servers or tens of GBs of data, almost any disk-based backup target appliance can handle the restore workload.

However, some ransomware attacks compromise the data of dozens or hundreds of servers or tens or hundreds of TBs of data. In these scenarios, organizations often need to quickly perform large-scale restores and recoveries.

These situations require one of the current generations of disk-based backup target appliances designed to handle these workloads. Features that help set this newer generation of appliances apart include the following:

• Use of flash. Disk-based target backup appliances have typically avoided using flash media due to its cost. Driven by customer demand and a lower price point for flash, this no longer holds true. Many of the next generation of disk-based target backup appliances support flash in some capacity. Some only use it as a disk cache to store recent backups (less than 30 days) to facilitate rapid data restores and recoveries. A few now even offer all-flash models and store all backup data on flash regardless of its age.
• Can perform instant restores. The introduction of flash into these backup appliances has made it possible for organizations to restore data much more quickly. By hosting it on flash, data can be accessed and restored to production machines very quickly. More robust disk-based backup target appliances even give organizations the option to host restored production applications and data on them.
• Minimal or no performance impact when restoring deduplicated data. Storing backups in a deduplicated format always represented a bit of a two-edged sword. It reduced storage requirements but contributed to lengthy restores and recoveries. Today’s disk-based backup target appliances address this concern. They use new algorithms which run on more powerful processors. As a result, restore times approach or even match restores and recoveries of raw (non-deduplicated) backups.
• Availability as virtual appliances. Almost all enterprises operate in hybrid cloud environments. Some applications and data run and reside on-premises while others run and reside with various cloud providers. To accommodate this new requirement, more next generation disk-based backup target appliances may run on any hardware or in the cloud. This gives organizations the flexibility to perform backups and recoveries using the same solution anywhere in their infrastructure.
• Scale-out architectures. Hosting backup data while potentially also hosting data running in production can cause capacity and performance bottlenecks. To address these challenges, more disk-based backup target appliances offer a scale-out architecture. Using this feature, organizations can start with the capacity and performance they initially need. Then as their environment grows, they can more easily add on additional capacity and performance without needing to replace their existing solution.

Ransomware Has Changed the Backup Game

Years ago, many organizations replaced tape with disk and, in so doing, largely solved their backup challenges. Ransomware changes the backup game again.

Organizations can no longer assume daily successful backups guarantee they can recover from a ransomware attack. If anything, organizations may only find out after a ransomware attack it has also compromised their backups. By then, it is too late.

To avoid this scenario, organizations need to take a hard look at any disk-based backup target appliances they currently use. Minimally, they need to examine what resilience features their appliance offers and if they use them. If it lacks immutability or security features, the appliance and/or backups on it may succumb to a ransomware attack.

Even if it survives the attack, the backup appliance must still be prepared to restore and recover production applications and data. It may need to quickly, and at scale, perform restores and recoveries of production data. How well the backup appliances perform all these tasks may well determine if the organizations survive and recover from the attack or end up paying a ransom out of pocket.

Jerome Wendt, an AWS Certified Solutions Architect, is the president and founder of DCIG, LLC., a technology analyst firm. DCIG, LLC., focuses on providing competitive intelligence for the enterprise data protection, data storage, disaster recovery, and cloud technology markets.
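The backup-target article above notes that some appliances implement immutability with an option that still lets an administrator delete backups, and that some require a second administrator to approve deletions. The following is an added example, not code from the article or from any appliance vendor; the lock-mode names, the `Vault` class, the user names and the dates are all constructed assumptions used to compare what a single stolen administrator login can do under each setting.

```python
# Added illustration: a constructed model, not any vendor's appliance API.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STRICT = "strict"                  # hypothetical name: no deletes before expiry
ADMIN_OVERRIDE = "admin-override"  # hypothetical name: admins may bypass the lock


@dataclass
class Vault:
    lock_mode: str
    dual_approval: bool
    roles: dict                                   # user -> role name
    backups: dict = field(default_factory=dict)   # name -> retention expiry
    audit: list = field(default_factory=list)     # (user, backup, outcome)

    def store(self, name, created, retain_days):
        self.backups[name] = created + timedelta(days=retain_days)

    def deny_reason(self, name, actor, now, approver):
        """Return why a delete is refused, or None if it is allowed."""
        if self.roles.get(actor) != "backup-admin":
            return "role lacks delete permission"
        if now < self.backups[name] and self.lock_mode == STRICT:
            return "retention lock active"
        if self.dual_approval and (
            approver == actor or self.roles.get(approver) != "backup-admin"
        ):
            return "second administrator approval required"
        return None

    def delete(self, name, actor, now, approver=None):
        reason = self.deny_reason(name, actor, now, approver)
        self.audit.append((actor, name, reason or "deleted"))
        if reason is None:
            del self.backups[name]
        return reason is None


def stolen_admin_outcome(lock_mode, dual_approval, age_days=2):
    """One admin login is compromised; a delete of a backup is attempted."""
    now = datetime(2023, 9, 1, tzinfo=timezone.utc)   # constructed date
    vault = Vault(lock_mode, dual_approval,
                  roles={"alice": "backup-admin", "bob": "backup-admin",
                         "carol": "operator"})        # constructed users
    vault.store("fs01-full", now - timedelta(days=age_days), retain_days=30)
    vault.delete("fs01-full", actor="alice", now=now)  # no approver available
    return vault.audit[-1][2]


if __name__ == "__main__":
    for mode, dual in [(ADMIN_OVERRIDE, False), (ADMIN_OVERRIDE, True),
                       (STRICT, False), (STRICT, True)]:
        print(f"{mode:15} dual_approval={dual!s:5} -> "
              f"{stolen_admin_outcome(mode, dual)}")
```

In this model the administrator-override setting without dual approval is the only combination in which one compromised login removes a backup that is still inside its retention period.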

Maximize Exercising Preparation

By MARGARET J. MILLETT

The business continuity management (BCM) profession continues to grow and evolve. With an ever-changing workplace, regulations, employees, leadership, etc., are companies as prepared for an incident as they should be? Now may be a good time to evaluate what is needed for your exercise program to be successful today, tomorrow, and in the years to come.

Executive sponsorship is critical. Review your company BCM policy to ensure it defines their requirements to 1) select/review BCM team leadership, 2) provide funding to support BCM initiatives, 3) review key performance indicators (KPIs), and 4) create a BCM culture.

If executive management, board of directors, or internal audit ask the BCM team to classify the organization’s readiness state, how would you respond? How would employees respond? 1) well prepared, 2) moderately prepared, 3) slightly unprepared, and 4) very unprepared.

Do you have the right tools in your tool kit? Determining what exercise templates are required depends on the results of the risk assessment. Here are some top threats to consider: 1) severe weather, 2) power outages, 3) IT, 4) natural disasters, and 5) epidemic.

Saying there are BCM exercise templates on file is great! Annually, take the time to determine 1) what new templates are required, 2) does a template need more details, 3) should any templates be retired, and 4) what templates should be in a parking lot for the future.

Having a business continuity plan on paper and making it work in a real event are not one and the same. Conducting exercises is critical for 1) validating plan effectiveness, 2) team training, 3) breaking down silos, and 4) exercising tools.

Annually, take time to determine if your exercise framework is effective based on your program. Ensure the framework includes 1) creating the plan, 2) design and development, 3) conduct exercise, 4) post exercise report, and 5) updating plan.

Determine if you have the right exercise tools to support the program and the organization. BCM has gone virtual for good reasons: 1) redundancy/systems access key in an incident, 2) geographic dispersion of BCM teams and employees, 3) automation of tools, and 4) better decision-making and communication tools.

Exercise KPIs do matter. BCM programs which track and report on key performance indicators may reach maturity faster. Some KPIs to consider tracking are 1) number of exercises completed, 2) clear objectives and completion, 3) exercise issues, and 4) success rate.

The keys to a successful exercise program are 1) regulatory driven requirement to improve metrics, 2) executive mandate to create standardized approach, 3) executive support to champion company-wide effort, 4) flexible tools and templates, 5) annually documented BCM plans, 6) flexibility since a real-life world event will be different from an exercise, and 7) systems which are used in daily operations which have been exercised.

Work within your organization to ensure your company remains resilient and not a statistic. We have all read articles about the percentage of small businesses closing each year due to the inability to recover from an event. After number of events X number of businesses out of Y number of businesses never reopened. Exercise annually to find the gaps which could make your company a statistic.

Margaret J. Millett, MsBC, FBCI (Hon), MBCP, has held board-level positions with business continuity organizations, written publications, and spoken at business continuity management conferences in North America, Europe, Asia, and the Middle East. Margaret received the BCI Americas Award for Continuity and Resilience Contributor 2022. She was a 2023 DRII Lifetime Achievement Award nominee and a 2023 CIR Lifetime Achievement Award nominee.
