By Michael Boccardi, president and CEO, Cervalis
Keeping clients’ sensitive personal data safe and secure is a priority for all businesses.
Recently, conversations around data security have focused heavily on security breaches at Target, eBay and Lowe’s, which exposed credit card numbers, encrypted passwords and identifying personal information such as Social Security numbers.
Whether protecting one’s data against cyberattacks or natural disasters, banks and financial institutions, in particular, need to take proactive, precautionary measures to ensure their data — and that of their clients — remains secure.
These data security and disaster recovery policies, procedures and practices are vital to the longevity and profitability of businesses and should be carefully documented in a comprehensive and up-to-date disaster recovery plan.
What should a bank or financial institution’s disaster recovery plan include?
For starters, an up-to-date risk assessment, secure data storage and backup practices, a redundancy plan and clearly documented processes and procedures.
The key elements of any disaster recovery plan should be developed in collaboration with the firm’s chief technology officer (CTO), chief information officer (CIO), chief operating officer (COO) and chief security officer (CSO), among other key leadership team members.
It is important to gain buy-in from all parties during the plan development process to ensure its effective implementation during a disruptive incident.
How do I conduct a risk assessment for a bank or financial institution?
Effective risk assessments evaluate both internal and external threats to data security and business continuity. Each risk factor should be evaluated based on anticipated likelihood and projected significance of impact.
Representative risks may include natural disasters (tornadoes, hurricanes, floods, ice storms), man-made threats (software failure, hardware failure, electrical outages), employee security breaches and external cyberattacks. When evaluating, rating and ranking these potential risks to business continuity, ask yourself:
How would this event impact day-to-day operations?
How would this event impact employees?
How would this event impact clients?
How will we respond to the event?
Integrating secure storage and backup
For banks and financial institutions alike, downtime isn’t an option. Customers require 24-7 access to their critical financial information and they trust their service providers and business partners to keep that data secure.
This means that work area recovery — the ability to work out of an alternative, connected, secure facility, such as a data center, when needed — as well as diligent data backup components must be part of the disaster recovery plan.
Whether storing data in an on-site or off-site data center, uninterrupted power and cooling 24×365, 24-hour on-site monitoring of the facility and redundant connectivity are critical. Your disaster recovery plan should outline where the data is being stored; how often it is being backed up (and to what); the measures taken to ensure uninterrupted 24×365 power and cooling; and how the facility is being secured and monitored.
For some financial companies, this may entail identifying the right data center to house the data. It is important to remember that data centers vary widely in structure and features, so finding a partner who can meet your mission-critical storage, resiliency and security needs is critical. When it comes to data belonging to your company and to your clients, there is no such thing as too secure.
Clearly documented processes
As business needs change, so do disaster recovery plans. It is, therefore, important that the plan is updated and that a clearly defined process for its ongoing revision and maintenance is outlined.
All staff who have roles in upholding or implementing the plan should be well-versed in its contents and procedures, which includes periodic testing.
Testing a disaster recovery plan helps to ensure that when a business-disrupting incident occurs, operating in a business-as-usual mode is not just a goal but a reality.
The plan should be tested both on site and off site so that staff are comfortable under all potential circumstances in which it may be enacted. Testing also allows timely changes to be made, ensuring resiliency when disaster strikes.
Failing to test a disaster recovery plan is a surprisingly common oversight that can negatively impact an organization’s clients, employees and bottom line.
Disaster recovery plans are a critical asset for businesses. In the financial services industry, in particular, 100 percent uptime must be the goal. To that end, companies need to plan for “what if” scenarios that could temporarily halt business operations, placing business continuity at the forefront of their disaster recovery planning.
As we saw with Superstorm Sandy and other natural disasters in recent years, it’s impossible to predict office closures or long-term power outages.
By implementing a comprehensive disaster recovery plan, banks and financial services companies can ensure continuous operations in a 24×365 business environment and ensure that man-made and natural disasters prove inconsequential to the company’s bottom line.