Imagine a scenario where your company’s digital infrastructure goes offline. Your servers are unreachable, the company website is offline, internal communication stops working and employees are locked out of offices because keycard security systems are down. Your entire company—literally everything it does—just stops. It’s a nightmare scenario, but if you’re prepared with a business continuity plan, it can be a short-term inconvenience instead of a company disaster. As we’ve seen just recently with the massive Facebook outage, these scenarios can happen to any organization.

Company-wide communication disruptions can be triggered from internal incidents, such as misconfigured servers or routers, cut cables and other hardware and software failures. They can also come from the outside in the form of natural disasters like wildfires, floods, hurricanes and earthquakes. And of course, there’s always the chance that disruptions are due to actual cyber attacks by hostile actors. Recognizing that both internal and external scenarios are possible is key in developing a backup communication and access plan before disaster strikes.

While a remote workforce means at least some of your staff will be out of harm’s way should an actual natural disaster strike the office, it doesn’t mean they won’t be impacted by your infrastructure downtime. Offline servers mean work-from-home employees can’t access hosted files, data and apps. If your communication infrastructure is down, too, they don’t have any way to stay on top of the incident status. Without a backup communication plan, on-site employees won’t have any idea how long they’ll be locked out of offices if the security system is also down, and off-site employees are simply in the dark.

Make a Business Continuity Plan for Disasters

A well-documented communication backup plan should be part of your company’s overall business continuity plan for disaster scenarios. If you use an in-house solution for intra-company communication, for example, employees need a fallback solution should the primary communication platform stop working. On-site employees also need a clear-cut plan should the security system fail, locking them out of rooms or even the entire building.

In both cases, your recovery plan needs to clearly list the processes for attempting to restore services, and the incident response tools to use. Be sure to define who is responsible for triggering the plan, too. For companies that need help creating a response plan, services are available to help out.

Documenting processes in detail is important because it’s unreasonable to expect employees to remember everything they need to do during what’s likely a high-stress situation. Providing team members with printed documentation is smart, too, because they won’t otherwise have access to the procedures if the files are stored on servers that are currently offline. In that way, physical or offline backups of your business continuity plans and procedures can be an essential part of cyber resilience.

Also, don’t make the mistake of assuming your response plan is etched in stone. Your plan needs to be reviewed and updated regularly to adapt to changing technology and to address evolving cybersecurity threats.

Develop a Backup Communication Plan

When your company’s communication system literally breaks down, it’s time to put your recovery plan into action. Establish a secondary internal communication system beforehand so everyone knows what to use when the primary system is down. Employees need to know when to switch to the fallback system, too. Relying on word of mouth from managers, however, shouldn’t be the primary way of relaying that information. It’s inefficient and slow, ensuring all on-site employees are notified is difficult, and employees working outside the office might be excluded from the communication chain.

For some companies, a simple time limit to move to the backup communication system is enough. A company that relies on an internal chat platform, for example, could set a 15-minute threshold for downtime. After hitting the time limit, everyone moves to the backup platform until they get an official order to return to the primary system. Documenting this time limit in your business continuity plan can help make needed transitions seamless.

If employees are issued company smartphones, pushing a message to everyone with an alert to switch to the backup communication platform is an option. That’s assuming, of course, cell service is working and the system to send messages en masse is operational. Regardless of the system used, the process for knowing when to move to the fallback communication system needs to be reliable since there’s a good chance many employees will be working remotely.

For companies where system downtime is newsworthy, a plan for handling media and other public-facing communication is necessary, too. Prepare general statements ahead of time, and make sure those are accessible outside of company servers so authorized employees can make public statements. If access to company servers isn’t possible, any prepared statements stored there won’t be available.

Plan for Physical Building Access

Employees locked out of their offices, or the entire building, when the security system goes offline is more than just an embarrassing news story. It’s also a big obstacle to getting the downed systems up and running again. If the team that needs hands-on access to servers and networking gear can’t get inside, they can’t work on fixing the issues that took communication and security offline.

Many companies use some sort of authentication system to manage building and room access. If that system is offline, designated key holders who can manually unlock doors need to be available and on-site as quickly as possible. They also need a process for verifying who gets in the building or offices to prevent potential security breaches.

Training and Practice Scenarios for Business Continuity Planning

Time is money, and that definitely applies to system downtime incidents. Each hour during an incident can cost a company thousands—or even millions—of dollars. Testing your incident response plan can show weak points and gaps in the procedures. It’s also much easier to address those problems outside of an actual incident situation.

Ongoing training is key, too. Team members responsible for managing an incident response should participate in practice events so they’re prepared when a crisis actually happens. Backup communication systems need to be tested regularly, too.

It’s also important for all employees to know what to do during a system failure. Company-wide training and detailed business continuity plan procedures make it much easier for everyone to know how to respond to the situation.

Preparing a recovery plan ahead of a communication or security system failure is critical for a fast and effective response. Training and practice scenarios are important for making sure everyone in the company knows what to do during an incident. That can save your company from hours or days of downtime and lost revenue.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today