Create a Super(hero) Disaster Recovery Plan
If you’re like me, you often “marvel” at the large-scale destruction wrought on major cities during the epic fight scenes in superhero movies. But if you’re also an IG professional, you may wonder how businesses in places like Gotham and Metropolis recover from the aftermath. If you think mega-disasters are the stuff of science fiction, consider the following: with an estimated 10 billion habitable planets in the Milky Way, it’s only a matter of time before someone with a hammer, cape, or gold bracelets (and a perfect physique) appears to rescue us from impending doom. Of course, they’ll also leave behind a dreadful mess for disaster recovery experts to clean up.
By now, companies in places like New York, Chicago, and Los Angeles (aka Gotham, Metropolis, and Angel City) have come to understand that catastrophic alien invasions, natural disasters, and villainous plots occur at least once per summer. Although the scenes of terror and destruction are more impressive and creative with every movie, the movies fail to show how companies deploy their disaster recovery plans after the terror stops. Yes, the scene at the end of the credits is entertaining, but it always foretells of more destruction next summer.
Given the frequency of epic destruction in these major cities, disaster recovery plans need to be designed to help enterprises quickly recover substantial amounts of data and records and get back to business before the next calamity strikes.
Assume a typical file cabinet holds about 36,000 pieces of paper, one terabyte of information is equivalent to 75,000,000 pieces of paper, and an average small to medium business has 15 file cabinets and 5 terabytes of data (hopefully all classified and structured according to a record retention schedule!). This amounts to about 540,000 physical pieces of paper and the equivalent of 375,000,000 digital pieces of paper. If a typical skyscraper has thirty floors and five businesses per floor, then each skyscraper has about 81,000,000 physical pieces of paper and 56,000,000,000 pieces of digital paper.
If you have trouble envisioning this amount of paper, consider this: one terabyte can hold the digital equivalent of 2100 four drawer file cabinets. Put another way, if a single piece of paper is .004 inches thick, the amount of physical paper in a skyscraper would be stacked over five miles high. The equivalent of digital paper in each office building would stand over 3500 miles high (the distance a plane travels from New York to London). Given the amount of records and data housed in a skyscraper, “epic destruction” may be a dramatic understatement.
Imagine you work for a company that leases an entire office building in Metropolis, and it was rendered uninhabitable when Superman knocked it off its foundation. How do you recover 81 million pieces of physical paper and 56 billion pieces of digital paper? Enter, the Super(hero) Disaster Recovery Plan.
Your Super Disaster Recovery Plan, as it’s become known to your IG and IT teams, focuses on the recovery and reconstitution of your company’s records and data. This plan is tailored to the company’s specific risk profile and does the following:
- Outlines the company’s essential operations—those necessary to carry out your company’s core functions.
- Identifies the mission-critical systems, data, and records the business needs to recover to restore essential operations.
- Identifies an alternate operations site with a plan to transfer the necessary systems, data, and records if the company’s main location is inaccessible.
- Prioritizes the restoration activities based on the data or record’s impact on essential operations.
- Includes a full restoration plan with a target objective for restoring all data and records necessary to resume normal business functions.
- Ensures the confidentiality, availability, and integrity of all data and records during the recovery and reconstitution process.
Luckily only 15% of data is considered critical and necessary for business operations, so only 112 terabytes of data and 12 million physical pieces of paper will have to be recovered from the ruins of each skyscraper. This won’t be a problem because the mission critical data and records were properly classified, stored, and prioritized for backup in accordance with the disaster recovery plan. The mission-critical records were incrementally backed up to the minute and there are redundancies in place to ensure the backups were backed up (to a different location no doubt).
If you transfer records offsite for storage, great, but keep in mind that the damage radius from a super hero fight can easily cover an area the size of lower Manhattan. If the hero and villain both fly the radius expands exponentially. In these instances, cloud backup is your best bet, but do you know where the data in the cloud is located? In addition to the incremental backup and redundancies for the backups, your disaster recovery plan should ensure that the data centers are located in another state. Maybe somewhere in the middle of the country, underground if possible!
But what about those physical records that weren’t transferred offsite for storage? Luckily, your disaster recovery plan accounted for this scenario and includes a digital inventory of the physical records you had onsite. Depending on the program you use, it could just be a list of the records or it may include metadata identifying the author, department, and scope of content. Either way, you’ll be able to sort through the inventory and identify the records that you’ll need to recreate. If you know who managed the original record(s) this should be pretty easy. Based on the nature of your company, your disaster recovery plan probably focuses first on HR records, customer financial information, and accounting records.
Oh, you don’t have an inventory of physical records somewhere? Fret not, this may not be an issue if you diligently converted physical records to digital data and have backup redundancies in place. At the very least you probably have enough digital data to recreate mission critical documents.
Oh my, you don’t have an inventory of physical records, you hadn’t gotten around to converting those physical records, and you’re not sure how often you back up data to the cloud?! Well, I really hope you’re not subject to any records retention and cybersecurity regulations that require you to have systems and processed that account for disasters! For instance, if you’re in New York, the Department of Financial Services requires you to maintain records for five years that are necessary to “reconstruct material financial transactions sufficient to support normal operations.”
If your company is a covered entity under any of the numerous records retention regulations be prepared for fines and sanctions! Although you probably won’t get sanctioned for failing to account for an alien invasion, regulators could very well slap you with fines for failing to take reasonable precautions to backup and safeguard records and data. Although laser eyes, alien robots, and flying heroes may not be accounted for in your disaster recovery plan, they seem to be commonplace in large cities and are extremely efficient at destroying records.
You better hope your records were ready for disposition.
 This may be a gross underestimate of the amount of data maintained by an average company. According to IDG’s 2016 Data & Analytics Survey, “the average company manages 162.9TB of data, the average enterprise has 347.56TB of data, seven times as much data as the average small-medium business with 47.81TB.”
 23 NYCRR 500.06(a)(1), (b)