Chapter 13 Business Continuity Management and Cybersecurity

Marsh Sek Seong Lim, Marsh Risk Consulting Business Continuity Leader for Asia, Singapore

The business continuity manager, Loretta, spoke solemnly to CEO Tom. “All our information and communications systems and services are under cyber attack. All our data and information files are locked by ransomware.”

Tom replied curtly, “But how can this cyber disaster occur? I was given assurances by the internal and external IT experts that our setup is extremely resilient, with the latest state-of-the-art cybersecurity protection and detection systems and services?”

Nathan, the chief risk officer, interjected, “The organization took a prudent approach to implement an IT disaster recovery center (DRC), housing all critical servers and databases, including two or more data feeds to ensure critical data are regularly replicated to the DRC.”

Loretta chimed in, “Unfortunately, this allowed the attack and ransomware to infect the DRC systems and databases. We do not have an independent IT disaster recovery setup and no secondary backup storage media. The decision was made on the advice that the risk of such a scenario is very low. Our business continuity, crisis management, and communications plans—developed to enable us to recover at an alternate site when the primary site and data center activities are disrupted for a significant period—do not provide the processes and procedures to deal with this cyber disaster.”

Good International ...
