What is natural disaster recovery?
Natural disaster recovery is the process of recovering data and resuming business operations following a natural disaster. Natural disasters include hurricanes, tornadoes, floods and other severe storms that can affect a data center and cause data loss.
Natural disaster recovery requires its own type of planning, since disasters vary by region and the damage they cause can't be repaired with IT-based efforts alone. Businesses in locations prone to tornadoes or hurricanes might take such storms into account from the start. However, even if severe weather events aren't a frequent occurrence in your region, a natural disaster recovery plan should still take possible scenarios into account.
Why natural disaster recovery preparedness is important
Natural hazards such as hurricanes and floods vary in severity, but when it comes to disaster preparedness, it's best to prepare for the worst.
If a location is prone to a certain type of natural disaster, working that disaster into the disaster recovery (DR) planning process is imperative. For example, if a data center is in a known hurricane zone, its data can be backed up to a location outside that area or in the cloud. That way, if the primary data center is hit by a storm, data backups are not only protected, but can be used for a swift recovery.
Protocols must also be put in place for displaced workers, damaged facilities and injured employees. That is different from preparing for an event such as a ransomware attack, which does not include physical damage that renders workspaces unusable.
Types of natural disasters
According to the Centers for Disease Control and Prevention, there are 11 primary natural disasters: earthquakes, landslides/mudslides, volcanic eruptions, lightning, wildfires, floods, tornadoes, hurricanes, tsunamis, extreme heat, and extreme winter weather. All these disasters could damage or destroy a data center, and many could render the data center unsafe for employees to enter.
While agencies such as the National Hurricane Center can forecast the severity and path of hurricanes, preparation for these types of events remains difficult. After Hurricane Maria hit in 2017, the Federal Emergency Management Agency, American Red Cross, Cisco Tactical Operations and NetHope -- a nonprofit that focuses on repairing communications services following disasters -- compiled a series of DR lessons learned from the storm.
Key elements of preparing to recover from a hurricane include triaging DR strategies, having equipment reserves, building redundancy into a DR plan and using cloud technologies. Prioritizing the elements of a DR plan establishes order in chaotic situations. Redundancy, equipment reserves such as backup generators and satellites, and cloud-based technologies can provide backup security and resources that can get an organization back on its feet.
A major takeaway following the Category 5 Hurricane Katrina in 2005 was not only to embrace DR sites outside the same weather zone, but to run regular drills and tests of recoveries and perform regular maintenance.
While discussed with hurricanes in mind, these principles can help in other natural disasters as well.
Natural disasters vs. human-caused disasters
Human-caused disasters can be the result of deliberate actions as well as negligence or error. Malicious acts such as arson and bombings are intentional, while oil spills and chemical plant explosions are unintentional human-caused disasters. Like a natural disaster, these types of hazards can cause physical damage to facilities and are unpredictable.
Preparedness activities for natural disasters can also apply to human-caused disasters, and vice versa. However, ransomware and other types of malware are also considered human-caused disasters and come with their own requirements and threats.
A thorough disaster recovery plan considers all these disasters so that an organization is not caught off guard. While they might not be preventable, recovery is possible with preparation.
Risk assessments for natural disasters
A key step in emergency management is conducting a risk assessment. A risk assessment can identify situations, both internal and external, that could negatively affect an organization and its recovery efforts.
Ideally, a risk assessment takes all threats -- natural and human-caused -- into account, listing the damage they could cause, the time it would take to recover, and any measures that can be taken to prevent or reduce the severity of the threat. With a risk assessment, an organization can consider defensive responses, such as mitigation measures, recovery activities and contingency plans.
Knowing the probability of a risk and the impact it can have helps an organization weigh the different risks it might face. These differ by business and can be gleaned from company records of previous disruptive events, employee recollection of these events, media records and National Weather Service data, among other available resources.
Another helpful tool when preparing for natural disaster recovery is a business impact analysis (BIA), which identifies an organization's most critical processes and how a disruption could affect them. Conducted prior to a risk assessment, a BIA can help prioritize certain aspects of the business when considering possible risks.
Creating a natural disaster recovery plan
After conducting the necessary assessments, there are a few other steps an organization can take in establishing a natural disaster recovery plan. Taking the stages of natural disaster recovery into account, a plan should account for both direct and indirect losses. Direct losses are the immediate effects of a disaster, such as structural damage and facility closure. Indirect losses are just as important, because they are the losses that can occur over time following a disaster. Indirect losses can include lost income due to services not running and loss of reputation.
Social media has become an important element of any natural disaster response. Communication following a disaster can keep employees and the public informed of an organization's status. Call trees and other communications protocols are tools that can be used to quickly and efficiently inform employees and essential personnel of a disaster, but if the public is a concern, social media is available to send out updates and possibly preserve good will while services are down.
Off-site data backups and resources must be secured and tested to ensure business continuity. Cloud disaster recovery should be explored as an alternative to other physical data centers in the area in case of a wide-reaching disaster. Tape backups can keep data secure in a different location -- ideally, one that is out of reach of potential natural disasters.