IT Lessons Learned From Hurricane Sandy

By Samuel Greengard

After years of discussion about disaster recovery (DR) and business continuity (BC) best practices—with events such as Hurricane Katrina in 2005 and the massive Tohoku earthquake and tsunami in Japan in 2011 serving as exclamation marks—prevailing wisdom would dictate that businesses would adequately prepare for disruptions and ensure that IT systems are designed to avoid downtime, as well as security breaches.

Unfortunately, human nature combined with the complexities of IT preparedness serve as a formidable barrier to effective DR and BC. Hurricane Sandy, which struck the Northeast with a vengeance at the end of October, caused somewhere in the neighborhood of $50 billion in damage and rendered many office buildings and IT systems unusable or without power. At the same time, the hurricane, dubbed Frankenstorm Sandy, magnified the risk of security and data breaches.

Here are a few key points IT executives should consider when building a disaster recovery/business continuity plan:

  • Know your infrastructure. Oftentimes, organizations have legacy systems that are easily forgotten or neglected … until a disaster occurs. Businesses also operate in IT silos and haven’t adequately integrated systems.

    “It’s critical to map out the entire IT infrastructure to view all the different components,” says David Sarabacha, global leader for resilience services at Deloitte & Touche.

  • Have an emergency power source available. It’s impossible to operate IT systems without electrical power. Many business affected by Sandy weren’t physically damaged, but they couldn’t operate for days because power remained off.

    Many companies, particularly SMBs, have no generator or backup power supply available and no contingency plan for power outages. Unless the business can switch over to another data center, this renders the company and its IT systems useless.

  • Ensure backup Internet connections exist. It’s critical to have multiple Internet connections in place. This might include any combination of fiber, cable, T1 lines, satellite and DSL. That way, if one or two connections fail, another is likely to work and provide baseline service. The ability to stay online can determine whether a business muddles through the disaster or stumbles.
  • Develop a communication plan as part of business continuity. Many organizations have a business continuity plan in place, but in a disaster, everything goes out the window, notes Sarabacha. It’s vital that people, particularly IT staff members, can reach one another.

    Cloud-based and hosted communications systems may prove particularly valuable. However, it also means maintaining a current phone directory and phone tree, as well as having a system in place to send group messages and alerts. It might also involve using GPS and social media tools to locate people, Sarabacha adds.

  • Beware of the risk of data and security breaches. As businesses come back online after a disaster, it’s crucial to guard against data breaches. “Executives must not let their guard down,” warns Lisa Sotto, a partner at the law firm of Hunton & Williams. “Scammers, data thieves and others may use weak links in security and business practices to grab private data.” This includes social security cards, credit card numbers and other records that may be sent to insurance companies, government entities and others.

    “In many cases, practices are more lax after a disaster, and outside organizations with weak security practices may have access to these records,” she adds. Sotto recommends vetting other organizations and understanding their policies and processes before handing any data over. It’s also important to remain vigilant and use all possible protections.