Natural disaster recovery is the process of recovering data and resuming business operations following a natural disaster. Natural disasters include hurricanes, tornadoes, floods and other severe storms that can impact a data center and cause data loss.
Natural disaster recovery requires its own type of planning, since natural disaster scenarios can involve unpredictable circumstances unlike man-made disasters caused by malicious or accidental incidents such as cybercrime or human error. Disaster recovery (DR) planning may differ by region, and businesses in locations prone to tornadoes or hurricanes may take such storms into account from the start. However, even if severe weather events aren't a frequent occurrence in your region, you should still consider them when crafting a natural disaster recovery plan.
Why natural disaster recovery preparedness is important
Natural hazards like hurricanes and floods vary in severity, but when it comes to disaster preparedness, it's best to prepare for the worst.
If a location is prone to a certain type of natural disaster, working that disaster into the DR planning process is imperative. For example, if one data center is in a known hurricane zone, that data can be backed up to a location outside of that area or in the cloud. That way, if the primary data center is hit, data backups are not only protected but can be used for a swift recovery.
Protocols must also be put in place for displaced workers, damaged facilities and injured employees. That is different than preparing for an event such as a ransomware attack, which does not include physical damage that renders workspace unusable.
Types of natural disasters
According to the Centers for Disease Control and Prevention, there are 11 primary natural disasters: earthquakes, landslides/mudslides, volcanic eruptions, lightning, wildfires, floods, tornadoes, hurricanes, tsunamis, extreme heat and extreme winter weather. All of these disasters could damage or destroy a data center, and many could render the data center unsafe for employees to enter.
In 2017, hurricanes Harvey, Irma and Maria caused extensive damage in the United States, Caribbean and Dominican Republic. While agencies such as the National Hurricane Center can forecast the severity and path of hurricanes, preparation for these events remains difficult. After Hurricane Maria hit, the Federal Emergency Management Agency, American Red Cross, Cisco Tactical Operations and NetHope, a nonprofit that focuses on repairing communications services following disasters, compiled a series of DR lessons learned from the storm.
Key elements of preparing to recover from a hurricane include triaging DR strategies, having equipment reserves, building redundancy into a DR plan and using cloud technologies. By prioritizing elements of a DR plan, order is determined in chaotic situations. Redundancy, equipment reserves (backup generators, satellites) and cloud-based technologies can provide backup security and resources that can get an organization back on its feet.
A major takeaway following the category 5 Hurricane Katrina in 2005 was not only to embrace DR sites outside the same weather zone, but to run regular drills and tests of recoveries and perform regular maintenance.
While discussed with hurricanes in mind, these principles can help in other natural disasters as well.
Natural disasters vs. man-made disasters
Man-made disasters can be the result of deliberate actions, as well as negligence or error. Malicious acts such as arson and bombings are intentional, while oil spills and chemical plant explosions are unintentional man-made disasters. Like a natural disaster, these types of hazards can cause physical damage to facilities and are unpredictable.
Similar preparedness activities for natural disasters can apply to man-made disasters, and vice versa. However, ransomware and other types of malware are also considered man-made disasters, and come with their own requirements and threats.
In a thorough disaster recovery plan, all of these disasters should be taken into account so an organization is not caught off guard. While they may not be preventable, recovery is possible with preparation.
Risk assessments for natural disasters
A key step in emergency management is conducting a risk assessment. A risk assessment can identify situations, both internal and external, that could negatively affect an organization and its recovery efforts.
Ideally a risk assessment takes all threats -- natural and man-made -- into account, listing the damage they could cause, the time it would take to recover, and any measures that can be taken to prevent or reduce the severity of the threat. With a risk assessment, an organization can consider defensive responses, such as mitigation measures, recovery activities and contingency plans.
Knowing the probability of a risk and the impact it can have can help weigh the likelihood of different risks an organization may face. These differ by company, and can be gleaned from company records of previous disruptive events, employee recollection of these events, media records and National Weather Service data, among other available resources.
Another helpful tool when preparing for natural disaster recovery is a business impact analysis (BIA), which identifies an organization's most critical processes and how a disruption could affect them. Prior to conducting a risk assessment, a BIA can help prioritize certain aspects of the business when considering possible risks.
Creating a natural disaster recovery plan
After conducting the necessary assessments, there are a few other steps an organization can take in establishing a natural disaster recovery plan. Taking the stages of natural disaster recovery into account, a plan should include both direct and indirect losses. Direct losses are the immediate effects of a disaster, such as structural damage and facility closure. Indirect losses are just as important, because they make up the losses that can occur over time following a disaster. Indirect losses can include lost income due to services not running and loss of reputation.
Social media has become an important element of any natural disaster response. Communication following a disaster can keep employees and the public informed of the status of an organization. Call trees and other communications protocols are tools that can be used to quickly and efficiently inform employees and essential personnel of a disaster, but if the public is a concern, social media is available to send out updates and possibly preserve good will while services are down.
Securing and testing offsite data backups and resources must be done to ensure business continuity. Cloud disaster recovery should be explored as an alternative to other physical data centers in the area in case of a wide-reaching disaster. Tape backups, while not the most current medium for protection, are reliable and keep data secure in a different location, ideally out of reach of potential natural disasters.