Fight Cybersecurity Vulnerabilities by Writing a Business Continuity and Disaster Recovery Plan

Civil Defense Disaster Requires an EMP Thumb Drive and a Good BCDRP

How to Write a Business Continuity and Disaster Recovery Plan

To counter cybersecurity attacks for your business (and they are increasing exponentially, unfortunately) among other software and hardware security tools, you need two things.

1. An electromagnetic pulse (EMP) hardened and waterproof thumb drive. Most small businesses go out of business due to data loss now, not the fire, earthquake, hurricane, flood, riot, or other manmade or natural disaster. Purchase one for you and all your staff here. Backup your data daily so you can get restarted after a disaster event.

2. A Business Continuity and Disaster Recovery Plan (BCDRP).

Every small- and medium-sized business needs to have a BCDRP. I know. You cannot afford to hire professionals to write one for you and you have neither the time or the money to create one yourself.

The Fortune 500 companies can afford first-rate BCDPRP’s and hire pros to do so. Therefore, they all have sophisticated BCDRP plans. I know because I have helped write them. To help those without those large corporate resources, please consider using the information below to write your own.

Keep in mind these are just suggested guidelines. Your business is unique. Your BCDRP should be as well. Create one that is useful for you and your business.

Several supporting documents create and fold into the BCDRP. I will cover those in future Substacks.

NOTE: In all of these sections, in the original, I have beautiful tables that list categories along with their supporting information (what/description columns, for example). Unfortunately, these tables will not copy into this Substack so you will have to create your own tables.

Watching my sons Josh (guitar) and Eamon (violin, guitar, mandolin, piano, banjo) and Billy (drums) of Billy and the Curley Brothers has always made me happy over the years. We have an American culture to preserve along with our American Way of Life. I thank them for their Irish, country, rock, bluegrass, and American folk music that gets families up and dancing.

As a BCDRP plan is often tedious to write, make sure to take time out to enjoy live music or one of the other muses as you do. The ideas you need to write it will arrive by the inspiration of the Holy Spirit.

One writer’s trick that has worked for me over the decades is to not stare at a blank page or screen until I become suicidal. Don’t waste your time just staring. Instead, take a long walk. I guarantee at some point the answer you needed while staring at the screen arrives unexpectedly along the way by the Spirit.

Why create BCDRP Plan

For the same reason you have a health plan, a car insurance plan, or a home owner’s policy...to prepare for, respond to, and successfully overcome a disaster.  If you experience a major disaster, and man-made and natural disasters happen daily, having a BCDRP may make the difference between your business surviving or going out of business.  

As importantly, having one may mean the difference between who lives and who dies. Think of it as life insurance YOU write that helps ensure that you, your loved ones, your employees, and your business go on.

What follows are some of the major parts of any BCDRP. It is only a guide. Every BCDRP must be custom written and tested to your unique needs and circumstances. Use this for ideas of how to create your plan, but make sure you create a plan that reflects your needs.

Disaster Management Plan Purpose

The purpose of the BCDRP is to ensure that a clearly define BCDRP structure and accountable and responsible Disaster Management Team (DMT) is in place to quickly, efficiently and effectively recognized and respond to any business disruption to:

• Ensure the safety of our employees and the security of our property

• Coordinate continuity of high quality service to customers

• Coordinate communication (both external and internal)

• Prioritize recovery efforts

• Activate  the BCDRP

• Invoke emergency authorization to procure and allocate resources and support

  

What is a Disaster

• Anything that causes harm to people or significant damage to property

• Anything that adversely affects the value or financial survival of the company

• Anything that disrupts routine business operations or wastes significant management time or financial resources

BCDRP Guiding Principles

Any good BCDRP includes the following tested and proven principles:

• Describe the business impact

• Identify impacted stakeholders

• Identify who does what and when

• Do not use overly technical information

• Provide an escalation point for issues and concerns

• Test the plan and incorporate lessons learned for future plans

• In addition, here are some fundamentals your basic plan should cover:

• Develop and practice a contingency plan that includes a succession plan for your leadership.

• Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency will not always be available.

• Determine offsite disaster meeting places and disaster communication plans for all your employees.

• Practice disaster communication with employees, customers, suppliers and the outside world.

• Invest in an alternate means of communication in case the phone networks go down.

• Make sure that all employees are involved in the exercises so that they get practice in responding to an emergency.

• Make business continuity exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.

• Form partnerships with local emergency response groups (firefighters, police and EMTs) to establish a good working relationship. Let them become familiar with your company and site.

• Evaluate your company's performance during each test, and work toward constant improvement.

• Conduct twice yearly continuity and disaster recovery exercises to reveal any changes and weaknesses. Technology, personnel and facilities are in a constant state of flux at any company and new employees must be trained.

  

BCDR Plan Outline

The most important fact about the BCDRP is that those who need the information can get it quickly, efficiently, and easily. One way to accomplish that goal is to separate the plan into two major sections:

• The BCDRP itself

• The material that supports the plan that goes into the appendix

Here is a suggested outline that has worked well for many companies.

Disaster recovery planning is the process of creating a document that details how your business will recover from a catastrophic event. These steps include:

1. Create a List of Jobs: Know all the office jobs that would have to be relocated to an alternate location.

2. Create an Inventory Necessary Office Equipment:  For each employee, list only the essential office equipment and furniture that they need to perform their jobs. Remember, in the event of a disaster, space, time and money will be at a premium.

3. Create a Catalog of Supporting Software and Computer Equipment: Create a catalog of the essential office computer software and equipment you use.

4. Identify an Alternate Office Space:  Now that you have a list of people, furniture and computer software, networks and equipment, you will need a physical place to put them. Find several alternative places to relocate your office.

5. Create an Insurance and Budget Document:  After you decide where to put people, you will need to start buying them the stuff they need to do their jobs. Estimate how much each piece will cost to buy or lease. The time spent up front on this task will shave days off of the recovery process because you will be able to provide a list to your insurance agent of what you need.

6. Share it and Store the Plan Off-site: Share your plan with several people and keep it in several places.

See the Recommended BCDRP Appendix Sections table below for an additional suggested table of contents that should be included in any BCDRP appendix.

Recommended BCDRP Table of Contents

1. Business Continuity Contact List: Name, phone, email, home address, home numbers. Placing it upfront makes it easier to find in an emergency.

2. Disaster Recovery Contact List: Name, phone, email, home address, home numbers. Placing it upfront makes it easier to find in an emergency.

3. Disaster Recovery Escalation Process: Clearly identify who is to be notified and who has the title and responsibility for declaring an event and activating the plan if the Disaster Recovery Plan is Activated

4. Concise immediate steps that must be taken once a disaster is declared. Goal is to preserve life, prevent injury, and protect property and to lay the foundation for restoring normal business operations.

5. Disaster Recovery Plan Major Steps: Clearly identified major steps that must be taken to resume routine business operations

6. Disaster Recovery Facilities Location: Location of the alternative recovery location along with instructions for whom to contact and what to do when there. It can be held in readiness for use during the disaster to recover technical assets and for recovery of business processes. For small- and medium-sized businesses, this can mean employees working from home using their laptops.

Resuming Daily Business Operations

Establish the goals, milestones and metrics that will indicate that the disaster recovery has succeeded and routine business operations have resumed. See below for what material belongs in the appendix to the BCDRP. By organizing your document in this way it is easier to write, organize, and update.

Recommended BCDRP Appendix Sections

1. Appendix A: Disaster Management Team Activation Guide: Rules for the activation and the Incident Commander, Coordinator and the rest of the Disaster Management Team.

2. Appendix B: Emergency Evacuation Procedure and Safe Assembly Areas: Instructions for when and how to evacuate and where to gather once out of the building.

3. Appendix C: Exit, Fire Extinguisher, Fire Alarm and Hose Locations: Description of how to exit the floor and building, and the location of the emergency equipment.

4. Appendix E: Shelter-in-Place Instructions: Instructions for when and how to shelter in place if necessary

5. Appendix F:  Reporting Disasters: Instructions for how and to whom to concisely and accurately report disaster.

6. Appendix G: Floor Plan: Drawing of each floor with employee name, phone, and email on the drawing, along with clearly identified exits.

7. Additional Appendixes

Add any sections that are necessary to your plan.

Additional Tips

• Make a list of all the software and hardware you may need to replace.

• Back up all your files.

• Put your essential files on a thumb drive. You will need them to get restarted. Again, I recommend The American Tactical Civil Defense Association EMP thumb drive.

Using Social Media to Respond to a Disaster

Increasingly, using social media correctly to respond to a disaster is one of the most critical parts of your BCDRP. To ensure your social media presence is ready for a disaster, make sure that you:

• Have a media plan with the tools, skills and resources to promptly execute your media

• Have accounts with the right social media outlets (Facebook, X, Instagram, Substack, Rumble, etc.) before the disaster

• Monitor social media before, during and after the disaster

• Designate one employee to speak for the company through social media outlets because social media is driven by trust in people, not an organization

• The audience has the tools to investigate, record, and publish, so content accuracy is critical

• A good response should include negative perceptions and address causes and facts

• With your posts, tweets, photos etc. a link with more information will always help support your message

Disaster Management Team Roles and Responsibilities

When the Incident Commander convenes the Disaster Management Team (DMT), he or she also authorizes the BCDRP and declares an emergency. Each member of that team has specific responsibilities that are listed below.

Core DMT Roles and Responsibilities

Incident Commander: Leads the DMT. Provides guidance to the team and is the final decision maker in the case of conflict or lack of consensus.

DMT Coordinator: Assembles the team at the request of the Incident Commander. Schedules meetings, assists with meeting facilities and general support, and completes additional tasks requested by the Incident Commander. Informs other levels for the Incident Commander.

DMT Member Participate in discussion and take ownership of actions to ensure resolution of issues within their area of expertise.

Note Taker: Documents all DMT meetings to capture discussion points, actions, owners and deadlines.

Social Media Liaison: Social media expert who has preexisting accounts on social media platforms who professionally and accurately communicate with external and internal customers.

Trusted Advisor: Provides detailed specialized knowledge to provide additional capacity.

Tabletop Exercise

Every BCDRP requires a test to prove that it works and to identify areas that need improvement, also known as a tabletop exercise. Each participant undertakes the actions and tasks as they would during a real disaster. After the exercise, the team members identify the plan strategies that worked and did not work. Then they identify and implement actions that improve the plan, including adding them to the plan.

Tip: At the worst time in the exercise, have a “journalist” shove a microphone into the face of the exercise leader and ask difficult questions rapid fire. When we did this in exercises in the 1980’s at the Emergency Management Institute, I never wore a suit that day as one leader got so nervous he spilled his coffee all over my suit. It is an effective way to teach leaders how to deal with the media who are present for many disasters.

BCDRP Terms

Like any field, BCDRP has its own terms used by those who work with it to communicate. To help you better understand some of those terms, a few of the more common ones are listed below.

Awareness: To create understanding of basic BCDRP issues and limitations. This will enable staff to recognize threats and respond accordingly. Examples of creating such awareness include: distribution of posters and flyers targeted at company-wide audience or conducting specific business continuity briefings for executive management.

Backup: A process by which data, electronic or paper based is copied in some form so as to be available and used if the data from which it originated is lost, destroyed or corrupted.

Backup Generator: An independent source of power, usually fueled by diesel or natural gas.

Business Continuity: Capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive event

Business Continuity Plan: Documentation that contains all alternative activities to recover and continue disrupted business activities on an acceptable minimum level, including the transition back to normal operations.

Business Recovery: Recovery steps taken to resume the business within an acceptable timeframe following a disruption.

Call Tree: A structured cascade process that enables a list of persons, roles or organizations to be contacted as a part of information exchange or plan invocation procedure. Includes a document that graphically depicts the calling responsibilities and the calling order used to contact management, employees, customers, vendors, and other key.

Communications Recovery: The restoration or rerouting of an organization’s telecommunication network so that it continues to work with few or no interruptions.

Desktop Exercise: Technique for training emergency teams in which participants review and discuss the actions they would take according to their plans, but do not perform any of these actions; can be conducted with a single team, or multiple teams, typically under the guidance of exercise facilitators.

Disaster Management: Involves the management of an event appropriate to the severity and the impact of the event. It consists of the communication that occurs within the response phase of the continuity event management scenarios.

Disaster Recovery Plan: This refers to the management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. It is the result of the Disaster Recovery Planning effort. Documentation that defines the resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort.

Emergency Evacuation: The immediate and rapid movement of people to a place of safety away from an area that is subject to a potential imminent major disruption such as natural disasters or terrorist attack.

Emergency Management: Refers to the actions taken in response to an event that has occurred, or is anticipated, and the planning that precedes those actions. This primarily includes safety of employees and security of facilities. Medical alert teams, Floor Warden programs and regular fire drills would all be considered part of Emergency Management.

Emergency Response: The response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively. Emergency response may include evacuation of a facility, sheltering in place, ensuring the health and safety of employees, performing a damage assessment, and any other measures necessary to bring an organization to a more stable status after an event.

Go Bag: A bag, backpack or other easily transportable carrier, pre-filled with items individuals should have with them if directed to evacuate their home or workplace. The EMP hardened thumb drive is the most critical item in this Go Bag. The data contained on it will enable the business to start over. The Go Bag should only be taken during the evacuation if it is immediately available and will not create a danger to others during the evacuation.

Loss: Negative consequence, which may be financial, e.g. loss of revenue or cash, or non-financial, e.g. loss of information, goodwill, economic value, function, natural resources, ecological systems, environmental impact, health deterioration, mortality, morbidity.

Off-Site Storage: Any place physically located a significant distance away from the primary site, where duplicated and vital records (hard copy or electronic or equipment) may be stored for use during recovery. Or, the process of storing hard copy or electronic records at a secure location removed from the normal place of use.

Tip: EXERCISE YOUR PLAN ONCE CREATED AND TWICE A YEAR AFTER!!! When I travelled to county Emergency Operations Centers (EOCs) in the 1980’s and requested to see their Emergency Operations Plans (EOPs), years of dust always fell off it as it had not been exercised in 20 years. (The one exception was Austin, Texas.) Do not make the mistake of writing a plan and thinking your job is done. Only a plan that is exercised can be useful in a disaster situation.

Comments

[Dear Rest Of America]

Excellent idea!