Here are some of the books on Business Continuity and Disaster Recovery we have found interesting and / or useful:
A good introduction to the process of Disaster Recovery Planning, explaining the key activities involved. Apart from the occasional introduction of irrelevant supporting tables and statistics (does the fact that flooding cost $32 billion of losses in 1900 in Galveston, Texas really help you?), it is quite a readable book.
Don't let the title The Backup Book fool you (as it nearly did me). This isn't a boring guide on how to back up your computer: it is a good guide to modern techniques in a data center to ensure effective and cost-effective recovery from hardware or software failures.
Backup is no longer a question of racks of tape. Modern techniques, enabled by reduced disk and communication costs, make recovery with minimum disruption or data loss possible (if you have the budget).
Topics covered include making hardware more reliable (RAID, clustering, power conditioning), basic rules for network services (always have two ISPs!), asynchronous and synchronous replication, recovery sites, internet backup and more.
Although this book strays a little from its main subject area (into areas such as network design), and gives perhaps a little too much weight to the authors' favorite products, there is little here that anyone responsible for running a server farm or a data center will not find interesting or relevant. A good read (and reference) if you need to understand modern backup and data recovery techniques.
Even if you're not a security professional studying for CISSP exams, this study guide gives a broad overview of computer security ("a mile wide and an inch deep") which is useful background for anyone concerned with business continuity or disaster recovery planning.
Myers has plenty of good advice about how to generate a good disaster recovery plan at low cost. He draws an important distinction which is rarely emphasized enough: there is a difference between recovering a business system and recovering a computer system. It is the business system that ultimately matters. Too much emphasis on computer systems can lead to plans which are expensive to develop and maintain, and give little advantage over less comprehensive plans if the probability of a disaster is taken into account.
I'm not normally a fan of "prepping" books. The scenarios described are too unlikely and the proposed mitigations are often unrealistic and disproportionate.
A Mad Max style dystopian future won't occur next week, and before you prepare to fend off gangs of armed marauders attacking your underground nuclear bunker there are more mundane risks you should be prepared to survive.
Zalewski takes a wide view of risk, looking at disasters from personal to global. He assesses their likelihoods, and looks at what the practical measures are that we can take to prepare for them. I like the coverage here. There's everything from unexpected unemployment and falling off a ladder to hyperinflation and nuclear war. Each is treated thoughtfully with the respect it deserves.
In risk management everything is about trade-offs, and this book covers some trade-offs I had never considered. For example, every emergency plan suggests stockpiling some food to cope with disruption to supply. Food doesn't last forever, and whether it's a one-week supply or a one-year supply your stockpile needs to be managed so that it is still edible when you need it. One approach is to continually eat through and replenish your stockpile, thus ensuring it has a certain level of freshness; the other is to eat nicer (but more perishable) food and discard your stockpile at regular intervals. I've tried both by accident rather than design, and when presented as a choice, I know which I prefer.
Ultimately how likely you believe various threats are and what efforts you should personally take to mitigate them is your own decision. This book provides a good basis for clarifying those risks and making that decision.
Before the SARS-CoV-2 outbreak in 2019/2020, most government (and business) contingency planning was based around the idea of a novel influenza pandemic. The history of the flu pandemic in 1918 (which left tens of millions dead) is well known, and it's widely recognized that there is little to prevent a similar outbreak happening in future. There have been many less severe influenza pandemics (with perhaps a few million killed), but the annual seasonal flu epidemics (which kill around 400,000 people) tend to make it easy to accept the risk.
Although the risks from influenza are generally accepted (if not always fully understood and planned for), the possibility of other pandemics has always been there. This book, written two years before the Covid-19 pandemic, looks in detail at the risks from all the major families of infectious diseases, as well as of diseases yet to be discovered. It is based on the author's in depth experience working on the prevention and management of infectious diseases since the first cases of HIV / AIDS were noticed through to the SARS and MERS outbreaks. As a result the author can explain clearly not only the characteristics of the diseases themselves, but also the public health measures required to identify outbreaks before they get out of control, and the subsequent steps needed to prevent the outbreak from spreading.
This book should be an essential read for anyone involved in public health policy or planning. It includes some key policy lessons which were learned "the hard way", and which are easily forgotten. In addition, anyone involved in business continuity or emergency planning would do well to consider the detailed scenario provided for a full scale flu pandemic: it includes many second and third order effects which are easily missed and have real consequences for government, businesses, and individuals. Did you fail to predict what would happen during the Covid-19 epidemic? You might not have if you had read this first.
I found this a fascinating read during the Covid-19 epidemic. Normally when I read this type of book I have to ask myself how good the author's predictions are likely to be. But when reading this with the benefit of hindsight the answer is easy: pretty damn good.
Ransomware is one of the most common threats faced by any company. While malicious software has always been a threat, the advent of cryptocurrencies gave criminals a viable means of cashing-in once access to a system or network has been obtained. The threat from ransomware is both loss of data and exposure of data: pay us and you get your data back; don't pay us and we publish your data for all to see.
Backup helps, but recovering data and systems takes time and money. Recent ransomware cases have put companies and organizations out of action for weeks or months. In addition a common strategy of the attacker is to attempt to disable or corrupt backup tasks.
Roger Grimes' book is a comprehensive guide to ransomware. It covers methods of reducing and mitigating the risk, from prevention and cyber-insurance, through to detection, planning, response, and recovery. It also covers some legal aspects associated with paying a ransom - albeit from a US perspective.
Particularly useful is the short section "What Not To Do" which gives advice on common mistakes companies make when responding to a ransomware attack. It's worth having this book on hand and re-reading this chapter before making any response to a ransomware demand - particularly the reminder that the attacker may have been in your system for some time. Keep ransomware discussions offline where the attacker can't see them. Consider employing a professional negotiator who has handled ransomware incidents in the past. And never lie or insult your attacker: they may know more about the current state of your backups and your insurance policies than you do.