How to avoid data loss in a natural disaster

Design for on-site and off-site backups

Location plays a major role in disaster risk levels. If relocating offices to a safer region isn't possible, then organization leaders should focus on hardening on-premises systems and placing backups in lower-risk areas.

Some organizations keep both primary data and backups on-premises. However, on-site backups require specific conditions: secure storage areas, redundant power, optimized HVAC systems and hardened networking. Other technologies that will help secure on-site storage include hard disk drives, solid state drives, NAS, SAN and RAID.

Storing data off-site does not mean natural disaster risks are no longer an issue. Data resilience will require diversification. The common secondary options for redundant storage include:

• Cloud service providers - Vendors who offer dedicated backup platforms.
• MSPs - Partners who handle the management of the backup infrastructure and recovery process.
• Alternate data centers - Colocation facilities in different regions with fewer potential environmental risks.
• Internal remote sites - Other company offices with secure, climate-controlled equipment rooms.

Running workloads on major cloud providers -- AWS, Microsoft Azure and Google Cloud -- gives access to native backup services to replicate data across their infrastructure. To protect against natural disasters, customers can select a specific region or availability zone to meet redundancy and data-residency requirements. A multi-region design further reduces the risk of disruption from a catastrophic event.

Cloud backup service providers offer multiple storage plans, so it's essential to identify current and long-term needs. The minimum criteria for evaluating off-site backup options include the following.

• Scope. Determine how much and which types of data need backups.
• Cadence. Determine how frequently the organization will create backups to meet recovery objectives.
• Consumption. Define how often teams will retrieve backed-up data, whether it is daily, weekly or archived for future use. 

Use secure networking to transfer the backups to off-site locations. Encrypt the data both while in motion and at rest. If the organization uses tape backups, store them in a climate-controlled location.

Digitize paper records

Many organizations still produce, use and store physical records. Severe weather events, such as floods, wildfires and earthquakes can damage or destroy these paper-based archives. Scanning documents and converting them into digital files ensures the data remains accessible and reduces the need for physical storage space.

However, organizations should retain originals of critical documents for future reference. Plan to mitigate digitization risks, including privacy concerns, loss of integrity from alterations and recovery failures. Documents also need to remain in hard copy for legal reasons, such as forms of incorporation or evidence used in litigation. Hard copies can also help during an audit.

Use risk analysis to create an incident response plan

Organizations operating in disaster-prone areas -- or those planning ahead -- should perform regular risk analyses. This helps validate known threats and uncover hidden ones that might get overlooked.

Use historical weather and disaster datasets to identify potential risks and threats, then assess vulnerabilities, such as facilities in or near a floodplain or major waterway. Other vulnerabilities are less obvious and are only evident when analyzing historical weather data. These insights help produce an incident response plan.

Some hazards provide advance warning. Real time tracking gives early alerts about the path and severity of hurricanes, tornadoes and wildfires to determine when to activate data backup arrangements. If backups are already scheduled, teams should change the window to account for the impending disaster.

Incident response plans should also launch emergency notification measures. All relevant parties -- employees, senior management, stakeholders, first responders, vendors and regulators -- should receive updates about the situation and its effect on operations.

Ensure that data management includes data protection

Organizations should develop data management initiatives to protect all data from unauthorized access and unexpected disruptions. Data protection plans are often part of data management programs and should include provisions for managing data backups.

Additionally, policies should govern data backups and other data protection activities to define the organization's response to specific risk events. These policies establish standards for backup creation and storage, and the frequency. 

Use AI to strengthen backups

Considering AI's influence on IT infrastructure, its integration can enhance the overall data backup process. The following methods outline how AI improves backup capabilities, especially when preparing for natural disasters.

1. Analyze relevant data to identify potential events. AI systems can use predictive analytics to analyze vast amounts of data, such as feeds from weather satellites, to forecast potential disasters. These insights help teams reconfigure backup arrangements before the threat occurs.
2. Support risk assessment and threat modeling. AI can enhance the risk modeling process by linking potential events to operations, supply chains, infrastructure and cybersecurity. AI can recommend adjustments to data protection protocols to mitigate the risks.
3. Automate incident response and backup processes. When integrated into incident response and data backup systems, AI can autonomously launch specific incident response playbooks, such as assessing weather data, issuing alerts and backing up mission-critical files and databases to cloud-based storage.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.