A Post-Hurricane Sandy Disaster Recovery Analysis

Its been two weeks and the Northeastern US is still trying to recover from the effects of Hurricane Sandy. The reports of damage and residual effects are well known by now. Large areas along the East Coast have been shutdown without power since the hurricane hit on 10/30. Communications networks have been disrupted. Fuel shortages are effecting all modes of transportation.
Are we in at risk? Even though we are over 100 miles inland, Hurricane Sandy was 1000 miles wide. A storm of that size would affect large parts of Texas up to several hundred miles inland with torrential rains, tornadoes, and winds.

OK, so if there were a big storm we need to be ready, What do we do? First the things you can do now. Make sure your key employees are briefed on your company’s emergency plans and on what you expect them to do during and after the storm. Make sure you have all current employee cell and land-line phone numbers. Also, document your critical functions and cross train your employees. If one of your employees isn’t available you still need to make sure that your key business processes still function. If you have employees who absolutely must be at a work then find a way to get them there and if you really want to have an effective and motivated employee, make sure you have a way to take care of their families.

Next, make sure you test your system backups. If you employ 3rd party off-site backups then make sure these are tested and you know how to recover your business from them. Also, make sure you have something and someplace to restore to. If you have alternate networks, then test them. Storms like Sandy don’t come out of nowhere so we’ll always have a lot of warning leading up to this storm. If you absolutely have to be functional then you should have a backup generator, and always remember to monitor your fuel levels and test the generator periodically.

Determine the likelihood that your office will be adversely affected. Never ever have a window in your server room. Make sure your server room isn’t in the basement or on the 1st floor.

Do you have any key cloud services? Even if a storm isn’t nearby you could still be affected. Where are these services located?  What does their disaster recovery plan look like? How will they recover if they are effected. To make sure that they are covered ask for a SAS 70 report or its replacement, SSAE16. These reports certify that your cloud vendor’s data center security is high and that they have a disaster recovery plan in place.  Don’t be afraid to ask them for a copy of it. This is not an unusual request. All banks and credit unions required it of their larger key vendors that are critical to the success of a disaster recovery.
If your business depends on the Internet to access data and send and receive messages then be sure to let your customers and vendors know that there may be communications issues. A large portion of the network traffic passes through major metro areas in the US. While these network centers are well protected against failure, that doesn’t mean that the networks they feed are equally well connected. You could find major network outages during and after the storm. Fortunately the Internet was built to bypass network damage even if it’s extensive but the chances are good that if this happens, you’ll be routed on slower more complex routes.

Whether you’re in the affected area or simply watching from afar, Hurricane Sandy can be a great lesson. First, it explains the necessity of geographical diversity when it comes to looking for cloud or co-location services. New York and Philadelphia or even Boston are just too close to each other to be safe from the same natural disaster. Second, Sandy demonstrates the necessity of backup power and off-site data backup as well as the necessity of testing both of them regularly. Finally, this event demonstrated that a catastrophe can happen anywhere, even where you are. You can’t afford to ignore the possibility.