Natural disasters happen all the time, wherever you are in the world. And whether or not you realize it, floods, hurricanes, earthquakes, tsunamis, and thunderstorms are a nightmare for any business' IT landscape. That's because — whether traditional brick and mortar, online or click and mortar — all businesses depend on a healthy, fully functioning IT infrastructure.
When disaster strikes, can your IT Infrastructure survive?
Modern IT Infrastructures are complex but can be architected to survive the unthinkable. While no one can predict the specifics of a disastrous event, natural or artificial, or know exactly what aspects of your IT infrastructure will be impacted, there are some general steps you can take to protect your IT infrastructure and ultimately maintain your business's viability.
These steps fall under your Disaster Recovery Planning (DRP). Ideally, your DRP should be put in place before a disaster strikes. Unfortunately, though, many organizations are not adequately prepared to handle the rigors of an unexpected catastrophe. By taking the proper measures ahead of time, you can minimize or even eliminate the severity of an event and the resulting consequences.
IT Infrastructure Options and definitions
Before diving into the ways you can protect your business's IT infrastructure in the case of a natural disaster, we'll need to lay out some basic terminology:
- On-Premise Infrastructure: An enterprise IT platform infrastructure housed within an organization's owned buildings.
- Hybrid Infrastructure: A combination of on-premise infrastructure and cloud infrastructure.
- Colocation: A data center facility that houses remote enterprise IT resources.
- Colocation with Private Cloud: A combination of colocation and cloud. Data is physically collocated within a Tier One colocation facility with resources for cloud access.
- Managed Cloud Service Provider: A third-party company that provides a dedicated cloud computing environment on a private or public cloud. The Cloud Service Provider (CSP) manages and maintains this environment.
Some enterprise companies will even consider off-site colocation as their primary data storage location while maintaining onsite copies of data as backup. Remember that whatever option you choose will be based on your risk appetite and budget constraints.
Now, here are 10 ways to prepare your business IT for a natural disaster:
1. Prioritize People First
Employee safety is paramount at all times, but during an event that can potentially endanger life, you want to ensure first and foremost that all your staff is accounted for.
You should have already set up and tested emergency response routines. You can communicate important updates to your team, who can respond via SMS to acknowledge receipt. It may also be a good idea to plan for backup methods of communication in the case that servers are down or SMS becomes otherwise unavailable.
Communication with key stakeholders — including employees, other staff members, clients and customers — matters most to protect any business in emergency situations like natural disasters. You should put plans in place to communicate with both internal and external stakeholders before a disaster occurs.
2. Leverage FEMA's National Risk Index
If you haven't set up your business yet or are considering relocating your existing business, you will want to consider its location carefully; this is where the Federal Emergency Management Agency (FEMA)'s National Risk Index can help with your decision process.
FEMA's National Risk Index is an online mapping application that helps businesses and communities in the United States understand and reduce risks from nature-related tragedies. The index has been developed with attention to increased risks from climate adaptation and the need to create new approaches to reduce risks. Using FEMA's National Risk Index as a baseline, businesses can identify critical locations with a higher risk for natural disasters.
Countries outside the U.S. have their versions of the National Risk Index. For example, Canada's Canadian Disaster Database (CDD) contains detailed disaster information on more than 1,000 natural, technological and conflict events (excluding war) that have happened since 1900 at home or abroad and have directly affected Canadians.
These tools are handy for, for example, sourcing locations for a new or relocating business. You can use them to check out your preferred location to ascertain the likelihood of being affected by a natural disaster in that area. You might discover your preferred location is subject to some localized flooding; armed with this information, you would be advised to place your server room on the second floor rather than in the basement.
3. Implement Disaster Protections Into Your Data Center
Disaster preparedness is a critical component of any data center design. Good disaster planning starts with a well-architected framework and documented risk assessment process.
The first step to disaster preparedness is gathering a list of potential disasters or threats to your data center. Next, identify priority risks by severity and likelihood of occurrence. Then, analyze each risk for impact on your business. Finally, prioritize the risk assessment results based on the impact on your business.
Important aspects of disaster preparedness to consider include:
- Proper Fire Suppression. Choosing a system that won’t damage the computer equipment within the data center is essential. Many solutions are available on the market for server room fire protection.
- Advanced Physical Security. Physical security helps to minimize the risk of terrorist attacks, prevent damage caused by disgruntled employees and improve overall safety. Advanced security systems notify the data center staff of fires or other emergencies. Additionally, cameras should be installed in secure areas both inside and outside the building to monitor any activity that is taking place without revealing specific information to the intruder. For high-security implementations, installing an eight-foot fence around your perimeter, and three strands of barbed wire, would be advised.
- Seismic Server Rack Shelves. In areas where earthquakes are highly likely, specially designed server rack shelves help to keep the servers, routers, switches and other equipment in place. Ceramic insulators will also help to reduce the vibration that reaches the equipment, which can minimize the risk of injury.
- Flood Management Systems. Installing raised floor in data centers, as well as allowing cool air to circulate, can prevent water from soaking into the equipment. This kind of system will also include pumps that can quickly remove and drain water outside the data center.
- Multiple Data Circuits. If a facility has multiple data circuits, they can provide redundancy if one of them is cut or damaged due to a disaster.
- Redundant Power Sources. An uninterruptible power supply (UPS) will allow a data center to continue to run its servers for a given period to enable the controlled power down of those servers. Investing in a large-capacity generator would be recommended if you want to maintain power, especially if the area is prone to power outages caused by electrical storms.
- Disaster Recovery Location. There are times when a company may need to operate multiple data centers in geographically dispersed locations to avoid downtime. (Also Read: 5 Essential Things That Keep a Data Center Running.)
4. Back Up Your Data In Advance
For operational resilience, multiple server configurations can be spread across several geographic locations. Depending on your business' location, these data centers might be located on the other side of an island, city, jurisdiction or even another country.
You would expect that most businesses have backups of their data, kept in a safe place in an off-site location. Backups can be transported via secure courier or electronically transmitted to the cloud or other off-site location. (Also Read: Cloud vs. Local Backup: Which Do You Need?)
5. Review Your Insurance Policy
Read through the finer details of your policy thoroughly — they're essential!
It's worth mentioning that companies domiciled in the U.K., with a turnover under $23 million and with the basic level of Cyber Essentials certification are entitled to Cyber Liability Insurance. CISA.gov has its own version of Cyber Essentials. Check your geographical location for details.
6. Test Your Incident Response Plans
Testing incident response plans should be a regular part of your operations, as should keeping your playbooks up-to-date.
As a minimum, most of the areas mentioned so far are basic contingencies a business should have.
7. Make Use of Data Center Colocation
When properly implemented and with well-thought-out data center colocation (aka “colo”), colocation facilities ensure business continuity during natural disasters or outages. Your business location could lose power, but using these centers will not affect your network traffic. (Also read: Why Business Continuity Belongs in the Cloud.)
With the importance of business continuity, the data center colocation option offers companies the peace of mind that comes with knowing their data is always secure, always accessible, and always protected — good news for your remote workforce, business, and e-Commerce customers.
8. Comply With NEBS Standards
The Network Equipment Building System (NEBS) has a standard for the performance of telecommunications equipment and network products. Complying with it indicates your infrastructure performs at optimum capacity.
There are three levels of NEBS compliance:
- NEBS Level 1: Basic, most general-purpose services aimed at non-critical systems.
- NEBS Level 2: Intended for failure-tolerant services, which means the equipment will work well in a controlled environment such as a data center.
- NEBS Level 3: Designed for stringent performance requirements.
All Tier 1 telecommunications service providers in North America require NEBS Level 3-compliant equipment for residency in their central office or critical infrastructure facilities.
Equipment certified to be NEBS Level 3-compliant must undergo a series of tests conducted and confirmed by a certified Third Party Lab.
Examples of NEBS Level 3 GR-63 tests that are conducted include:
- Shock and vibration tests.
- Earthquake test of up to a 7.5 seismic event on the Richter scale.
- Temperature and humidity testing from temperatures of negative five degrees Celsius (23 degrees Fahrenheit) to 55 degrees Celsius (131 degrees Fahrenheit) for 96 hours with a humidity range of 5% to 95%.
- Transportation and storage environment testing.
- Fire resistance testing of all plastic parts, cables, labels, PCB, and connectors.
- Altitude testing of up to 2,000 meters at 40 degrees Celsius (104 degrees Fahrenheit) and up to 4,000 meters at 30 degrees Celsius (86 degrees Fahrenheit).
- Temperature margin test, which increases the temperature from five degrees Celsius to 30 degrees Celsius (86 degrees Fahrenheit) every hour and increases the temperature from 30 degrees Celsius (86 degrees Fahrenheit) to 55 degrees Celsius (131 degrees Fahrenheit) every hour.
- For fan-cooled equipment, the ability for the system to continue operating after a single fan failure.
9. Invest In Extreme Hardware
You've probably heard of rugged laptops and tablets built to withstand the elements, like those found in the mining industry, where mines constantly face extreme heat or cold conditions. Many prominent manufacturers even offer service plans with these ruggedized devices in challenging environments for prevention and corrective actions. Designed to survive temperature, humidity, vibration, immersion, acoustic noise, gunfire shock, solar radiation and even fungus. (Also read: 7 Steps to Developing a Hardware Refresh Strategy.)
Several server brands explicitly aim to protect data and provide increased uptime. For example, Sun/Oracle, IBM and Dell offer hardened servers or servers with optional software that can help safeguard against data loss resulting from hardware faults and environmental failures. These include data protection options, such as RAID error-checking and data recovery software. In addition, a data center colo provider can install systems that withstand earthquakes and flooding to ensure optimum uptime during natural disasters.
10. Maintain Multiple Data Center Locations
Having at least two separate data center locations at effective distances apart ensures they don't fall victim to the same event. Two virtualized data centers can provide resilience and protect resources against an outage caused by natural events, malicious intent, human error or bad luck.
This method is an alternative to legacy data centers, which have traditionally stranded IT resources during disasters. In an age where the value of big data is measured in zettabytes, any lost compute resource represents a loss of millions, if not billions, of dollars due to non-recoverable lost revenue.
Think of those years when your basement server room flooded, your air conditioning stopped working and you didn't even have an uninterrupted power supply (UPS)! That's the kind of situation you want to avoid with your business IT infrastructure.
How Can Natural Disasters Impact a Business' IT Infrastructure?
Disaster can strike without warning. This looming threat affects companies of every type and size and creates challenges for efficient IT operations, particularly regarding business continuity and disaster recovery.
The impact natural disasters have can be devastating to critical systems, infrastructures, and applications. Due to the complexity of IT infrastructures, recovery times can be extremely long and complex and will depend on the type of disaster that occurred. For example, hurricanes can rip up critical infrastructure and knock power out for weeks. Fires can raise entire buildings to the ground, while flooding can destroy equipment and hamper a company's ability to ship goods.
Essentially, violent weather changes pose a threat to businesses every day. And organizations ranging from large corporations to small retailers should be prepared to deal with unpredictable disasters of any kind. Even localized events can pose severe threats to your IT systems, –from power outages to broken water pipes that can flood a data center or office building. This type of disaster can affect whole cities — think Critical National Infrastructures (CNIs).
Natural disasters can also make your business unable to trade; and this can affect more than just your immediate business.
Every customer you rely on also depends on your business. Even if the product or service you provide is not mission-critical, your ability to deliver it is. Your customers need to be assured you can fulfill their expectations. If your business has been affected by a natural disaster, then your customer base would have some initial understanding. But eventually, customers will seek alternative suppliers if you remain unable to trade.
How Likely Are Natural Disasters?
Depending on your business's location, disasters can result from either natural or artificial causes. Natural causes include things like earthquakes and fires, while artificial causes include sabotage, carelessness (your server room door left ajar), cyberattacks like ransomware, insider threats and intellectual property (IP) theft.
According to the National Center for Environmental Information (NCIE) in the U.S., 332 weather and climate disasters have occurred since 1980, resulting in damages costing more than $1 billion overall. (including CPI adjustment to 2022). It is estimated that the total cost of these 332 events is over $2.275 trillion.
Even if your business is far from any potentially catastrophic natural disaster, there's always a risk that something could impact your internal data center or server room. Even domestic issues, such as fires, floods, or civil unrest, can be troublesome.
What Is the Cybersecurity Impact of Natural Disasters?
Cybercriminals will always take advantage of situations, and natural disasters offer many opportunities. In 2012, hackers used confusion as part of a social engineering scheme in the aftermath of Hurricane Sandy.
According to Risk Management Monitor, "When defenses are down and attention is elsewhere during a natural disaster, critical data and intellectual property is just as vulnerable to looting as the shopping center down the street."
When considering your IT architecture, consider the security control mitigations available to protect your organization against cyberattack. To provide the best protection, a layered defense is the best strategy. For example, strong firewalls, encryption, and intrusion detection should be layered to protect against known threats. In addition, internet-facing applications should be segregated by origin. Sensitive or valuable information should be encrypted while in transit and at rest. With strong authentication measures in place, you can ensure unauthorized users and access attempts are blocked or reported.
Key ways to protect your business when disaster strikes include:
- Cloud storage. This offers an efficient and cost-effective way to store business data, and provides a cost-effective backup strategy. Storing data in the cloud also provides a secure method for recovery when needed.
- Eliminating SPOFs. Ensure your IT applications, infrastructure and facilities are fault-tolerant and free of single points of failure (SPOF).
- Validate your IT applications. This ensures proven resilience and recovery capability.
- Leverage proactive monitoring and alerting.
- Safeguard against BAU changes. Ensure business as usual (BAU) changes do not affect your IT applications or infrastructure's confidentiality, Integrity, and availability (the CIA Triad).
Without a well-designed IT architecture, your organization might not survive a disaster. However, with the proper IT hardware, network connectivity, cloud or colocation options in place, and business continuity and disaster recovery plan tested and working, your business can continue to operate and turn a profit even during and after a disaster.
On the other hand, failing to put safeguards in place can result in infrastructure damage, from which it can take weeks to restore your systems and get things back to normal. This can lead to permanently lost customers, lost revenue, and potentially even bankruptcy.
Don't leave the survival of your IT infrastructure to chance: The importance of planning for disaster avoidance can't be overstated!