
What did we learn from the floods and fires?

Years ago, I was lucky enough to be invited to a closed session at Deloitte where Adele Melek (Global Leader of Information & Technology Risk Services) talked about one of their annual global security reports.

One of the points in the report was about Business Continuity Planning and Disaster Recovery. What was interesting was he made the very poignant observation that there was not a significant uptake of these consulting services when compared to other regions globally. I can’t remember the exact numbers but he made a point that in late 2000/early 2001 it was a marginal percentage, let’s say around 10% (I am throwing up arbitrary numbers which sound right from memory). Post 9/11, 12 months after, that figure skyrocketed to somewhere well above 90%. Watching those two towers go down, and the number of businesses and lives affected, made a significant impact on businesses. He made a point – as have many others – that it will take a 9/11 (or equivalent thereof) for us before we start thinking of BCP/DR a little more.

Well, three years since I attended that session we’ve seen not one but TWO MAJOR tragedies that I would argue are our equivalent – the Victorian Bushfires of 2009 (aka Black Saturday) and the Queensland Floods.

Before anyone dismisses the impact of these in relation to 9/11, let me throw up some numbers/stats:

Victorian Bushfires

  • Destroyed 2,030 houses, 3,500+ structures in total and damaged thousands more.
  • The following townships utterly destroyed: Kinglake, Marysville, Narbethong, Strathewen and Flowerdale.
  • The fires affected 78 individual townships in total and displaced an estimated 7,562 people.
  • Total death toll: 178
  • The Black Saturday bushfires were the 8th deadliest singular bushfire/wildfire event in recorded history.

Queensland Floods

  • At least 70 towns affected to date.
  • Over 200,000 people were affected.
  • Damage initially was estimated at around A$1 billion.
  • The estimate of lost revenue from Australia’s GDP is about A$30 billion.
  • Many state that the factual losses cannot be calculated but can be readily counted in the billions of dollars.
  • (These numbers could increase after the time of posting, btw.)

Even if your business or livelihood was not directly impacted by these events, chances are you had a business interruption as a result if you did business with anyone in these areas – or had friends and family who did.

These incidents teach us that availability in information security goes beyond having data recovery and backup. It’s about an understanding of your true assets – your buildings, your equipment, phones, desks, software, hardware and, of course, your people. Sound business continuity planning relies on thinking in terms of business processes and functions (not just IT infrastructure) and absolutely defining what is critical and what isn’t. What can you afford to run at a reduced capacity? Who are the key staff in your business and what happens if you lose them? How is knowledge transferred to prevent loss of critical corporate intellectual property? This isn’t just useful in a crisis either. A lot of it is just good corporate governance.

Also, sound strategy here goes beyond thinking in terms of fires and floods. What is a real disaster for YOUR business? What are the likely risks you could face? Have you done a threat and risk assessment for your business? Few people could have anticipated the planes hitting the towers on 9/11. But some did predict the possibility of losing access to a building and developed strategies so that, despite the loss of their sites (and in some cases their staff), they had a measure of redundancy and could continue operating – even if it was at a reduced capacity – in the case of such an event.

Real contingency plans can be constructed around a number of scenarios. For example:

  • Loss of buildings,
  • Loss of people,
  • Loss of critical services (gas, water, power, telecommunications).

These could be triggered by anything (fire, flood, even acts of violence such as shootings, etc.).

While it is impossible to have a scenario for everything, developing even a single strategy is simply the beginning of a wider strategy. Having a process (even an imperfect one) means that you have something which can be tested annually and improved over time. This already puts you ahead of the pack.

I’ve personally worked with businesses that have fully accepted the risk of not having a DR or BCP strategy based on their estimation of likelihood. I think these incidents have well highlighted that such short-sightedness can be damning. It doesn’t have to be a fully redundant cutover. You just need to be realistic. Your BCP/DR strategy may only allow for limited or even reduced capacity based on cost constraints. But hey, something is better than nothing.

I don’t want people to think that I am trying to milk these tragedies for chalking up posts on this blog. My intention is the opposite, in fact. My point is that there is a greater tragedy here – that these incidents have occurred and yet we still don’t seem to be learning.

– J.

*** This is a Security Bloggers Network syndicated blog from /dev/null - ramblings of an infosec professional authored by Jarrod. Read the original post at: http://jarrodloidl.blogspot.com/2011/01/what-did-we-learn-from-floods-and-fires.html