How to Respond to a Disaster

In the Uptime Institute’s annual outage analysis, 60 percent of responding managers and data center operators say they have experienced a significant or severe outage in their organization in the past three years. The survey also found that cyberattacks and ransomware have become a growing cause of outages, meaning downtime. 

But it doesn’t really matter whether the cause is an earthquake or a malicious attack because any downtime is expensive. 

That’s why your organization must develop a disaster response plan that spells out every action required for fast, complete recovery regardless of the cause. 

For many organizations, that currently isn’t the case. An Arcserve independent global study found that businesses are still losing mission-critical company data because, while 95 percent of respondents said their company had a disaster recovery plan, only 24 percent have a mature plan that is well documented, tested, and updated.

With that in mind, the following is a detailed guide for preparation, response, and disaster management that ensures a faster, more effective recovery and ongoing improvement in your response to disasters.  

1. Analyze the Incident

The first step in any disaster is to gather as much information about the incident as possible. The type of incident dictates your approach, but in the wake of a disaster—especially a cybersecurity breach—understanding the extent is essential for an effective response. Here are the key steps, programs, and tools you can use to achieve this. 

Initial Detection and Identification

Before responding, you must first be aware that an incident has occurred. Once a potential breach is detected, you must confirm which aspects of your organization have been impacted. 

Detection and Identification Tools

Intrusion detection systems (IDS) monitor network traffic for suspicious and unknown threats. 

Security information and event management (SIEM) systems provide real-time analysis of security alerts generated by applications and network hardware. 

Endpoint detection and response (EDR) tools, such as those available from Arcserve partner Sophos, monitor and respond to threats on endpoints such as workstations and servers.

Firewalls and antivirus software provide a first line of defense while providing valuable logs and alerts.

Scope Assessment Tools

Once a breach is identified, the next step is to determine its scope. This involves identifying which of your systems, data, and networks are affected.

Network scanning and mapping tools help you visualize network topology and identify compromised nodes.

Data tracking tools track data movement across your network so you can understand what data may have been accessed or exfiltrated.

Log analysis tools let you review server, application, and security device activity to help gain insights into a breach’s timeline and affected areas.

Impact Assessment Methods and Tools

Risk assessment frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, help you evaluate impacts based on data confidentiality, integrity, and availability.

Business impact analysis tools, such as those available on Ready.gov, help you assess a breach's potential financial and operational impacts.

Compliance assessment tools—Cornell University’s Compliance Program Assessment is one example—compare a breach against industry and regulatory requirements. This is especially important when confidential data is involved. 

Continuous Monitoring and Updating

Regularly update your security tools to detect and mitigate known vulnerabilities.

Institute ongoing employee training and awareness programs that empower your people with the knowledge they need to identify and report potential breaches quickly.

Appoint an incident response team as part of your disaster recovery plan. This team must be trained and ready to respond to security incidents and armed with clear procedures and the necessary tools for a fast response.

2. Gather Evidence

Following a disaster—especially a cybersecurity incident—collecting evidence, including the existing state of your systems, is a critical step that should be approached methodically. Here is a detailed guide for effective evidence collection:

Quarantine compromised systems using network segmentation tools to isolate them from your network to prevent further data or data loss (find a list of the top 10 tools here).  

Create digital forensics images, including all hard drives and other storage devices, using digital forensics tools like EnCase or Forensic Toolkit to create accurate digital copies of data.

Collect and analyze digital evidence from servers, security devices, and applications using log analysis tools, data recovery tools to retrieve deleted or corrupted files, and network traffic analysis tools to identify whether any traffic captured during the incident shows signs of malicious activity.

Collect physical evidence for physical security breaches or hardware tampering using photographic documentation while physically securing any compromised hardware for further examination.

Consult legal experts and use standardized procedures to ensure compliance with relevant laws and regulations and the admissibility of evidence if required for legal action.

3. Activate Your Crisis Management Plan

Your crisis management plan must be continually kept up to date. Key components of your plan should include:

Clearly defined roles and responsibilities so everyone can immediately act when disaster strikes.

Continuously updated contact lists for all critical personnel and stakeholders to ensure fast response.

Planned communication strategies for within and outside of your organization, including media and customers.

Established escalation procedures that define what constitutes a crisis and the steps that should be taken when an incident exceeds set limits.

You’ll find excellent resources for guiding your emergency response planning on the Ready.gov website.

One of the most essential components of your response is your backup and disaster recovery (BDR) plan. For help ensuring your BDR plan is effective, read our recent post, “Step-by-Step Guide to Creating a Disaster Recovery Plan.”

4. Evaluate Your Disaster Response Efforts

Evaluating your response following a crisis is essential for improving your disaster response strategy and management. A comprehensive review of how the incident was managed, identifying what worked and areas for improvement, should also be part of your disaster response. Here are some of the critical elements of your post-incident review:

Execute structured, inclusive debriefings involving all departments to uncover what happened, how it was handled, and its impacts to get a holistic view of the incident.

Employ effective evaluation methodologies and tools such as after-action reports (AAR), root cause analysis (RCA), and key performance indicator (KPI) metrics analysis related to the response, including response time, recovery time, and overall impact. 

For guidance, see these recent Harvard Business Review articles, “A Better Approach to After-Action Reviews” and “The Five Whys.” This article from KPI.org is a good resource for developing KPIs that deliver greater business value.

Gather and analyze data from sources ranging from incident logs—detailed logs that should always be kept during a crisis—to employee and customer feedback.

Assess compliance and standards to establish how well your response aligns with relevant industry and regulatory requirements.

Update your crisis response and disaster recovery plans based on what you learned and identify areas for improvement and strategies to address them. Strengthen training programs and internal communication efforts to close gaps, reduce vulnerabilities, and document and share all updates to keep everyone involved.

Invest in business continuity, data backup, and disaster recovery solutions that ensure your organization is resilient, your data can always be recovered, and downtime is kept to a minimum. 

Be Prepared: Plan Ahead

Preparation is your best insurance against damaging impacts from a disaster. Your communication strategies, evidence-collection procedures, and crisis management process must be clearly outlined and understood by everyone on your team. In a crisis, every minute counts. 

Think of a well-documented, detailed crisis and disaster response plan as your North Star, guiding you through the chaos. 

For expert help with the technology side of disaster recovery, choose an Arcserve partner. 

An Arcserve partner can guide you through everything you need to know about data protection, backup, and disaster recovery—a vital component of every effective disaster recovery plan.