Traditional disaster recovery plans are no longer sufficient

Most disaster recovery strategies were built for a world where people worked in centralized offices, with data centers close by and leadership all under one roof. That world’s gone. Today, over a quarter of U.S. workers with remote-capable jobs are working remotely full-time, according to a November 2024 Gallup poll. The model has shifted, physically and operationally. Leaders need to stop seeing disaster planning as a localized strategy. Business continuity needs to scale to individual employees, who now work from homes, shared spaces, and sometimes mobile setups, all over the world.

The problem is clear. A weather-related disruption at HQ used to be the worst-case. Now, the risks are everywhere and much more personal. In 2024 alone, the U.S. faced 90 major federally-declared weather disasters. That’s about one every four days. Over 137 million Americans, around 41% of the population, were in disaster-affected zones that year, based on data from the International Institute for Environment and Development. That figure doesn’t even count disruptions from cyber outages, infrastructure failures, or geopolitical events.

Your workforce isn’t in the building anymore. They’re in fire zones, flood-risk areas, blackouts, and political hotspots. So, if your recovery plan stops at your main office, you’ve already lost half the battle.

Reevaluate your continuity scope. Your real system now includes your employees’ laptops, their local internet providers, and their proximity to danger. You need systems that prioritize decentralized safety, connectivity, and flexibility, not just server uptime in your HQ basement. If you’re not protecting knowledge workers where they actually are, then business continuity is just a theory.

Simulated disaster scenarios help organizations identify gaps

Most companies won’t spend significant resources on something that doesn’t show an immediate return. That’s human nature, and it’s a weakness in strategic planning. Disasters don’t give you a calendar alert. If you’re not simulating them enough, you’re reacting too late.

Dr. Oliver Schlake, disaster prep expert and director of the BSE Scholars Program at the University of Maryland, called this out directly: people want heroes, not maintainers. You celebrate the firefighter, but forget about the guy who changed the smoke detector battery last month and kept the fire from spreading in the first place. In business, that means backup systems and prep work are constantly underfunded or cut.

You can’t build strength in a crisis. You train for it ahead of time. Schlake’s recommendation is straightforward: simulate unpredictable environments. Shut down your intranet in a test. Force teams to work without their usual Wi-Fi. See what fails, and fix it now. One enterprise took that advice and realized their VoIP system had a single point of failure. They deployed 100 pre-programmed burner phones as a backup. When a real-world event hit months later, those phones saved their client communications.

Schlake also introduced the “Rule of Three.” It breaks disaster response into simple time-based brackets: what matters in the next three seconds, minutes, hours, days, and so on, up to three months. This isn’t about ticking boxes. It’s a framework for decisive action under constraint.

Executives should look at simulations not as compliance drills, but as dry runs for safeguarding core business functions. These aren’t tech exercises. They’re leadership training. Done right, simulations expose blind spots in communication, infrastructure, and human readiness. They give you a live test of resilience.

Most importantly, simulations help you realize how unprepared you really are, and give you the time and data to fix it before the real thing hits. You’re not aiming for perfection in the drill. You’re aiming to reduce failure in reality.

Protecting remote employees’ devices from cybersecurity threats

When disaster strikes, people adapt fast. Remote employees need to stay connected, and if their home office is offline, they’ll head to the nearest public place with Wi-Fi. Cafés, libraries, fast-food chains, that’s what happens. But in doing so, they expose company assets to environments where cybersecurity is almost nonexistent. That’s a major blind spot most executives ignore until data is compromised. You can’t afford to leave protection up to chance.

Jocelyn Rhindress, Senior Manager at the Canadian Federation of Independent Business, described what happened during a major telco outage in Canada in 2022: a disruption at the infrastructure level pushed a large number of employees out of their homes and onto public networks. That exposed them and their companies to the kind of vulnerabilities you don’t hear about until there’s a breach.

These aren’t theoretical risks. Public networks often lack basic encryption and leave endpoint devices wide open. If a remote employee logs into your systems over one of these, every file they touch is now part of your risk profile. And if they’re dealing with client data, you’re not just risking internal failure, you’re stacking up legal and reputational fallout.

Kris Lahiri, Chief Security Officer and co-founder of Egnyte, makes the point clear: protections like VPNs and endpoint encryption shouldn’t be an optional add-on given to a few “high access” users. They should be standard. They should be installed long before any crisis hits, part of your default device setup. No one should be scrambling to secure endpoints when the lights are already out.

As a C-level decision-maker, ensure your IT protocols account for worst-case scenarios, not the best-case assumptions of a static home setup. Push your teams to go beyond reactive fixes. The solution to uncontrolled variables isn’t control, it’s intelligent preparation.

Employee support should extend to personal disaster recovery planning

Most companies think they’re doing enough when they back up employee work data. That’s not enough. Disasters don’t just damage devices, they hit human lives: photos, financial documents, tax records, passports. Employees don’t stop being people when their homes are flooded or burned. If these things are lost, the psychological toll becomes another barrier to getting back to work, even when the network’s back up. And most companies either don’t get that, or they ignore it.

Kris Lahiri from Egnyte is pushing others to address this. He argues that IT should move beyond the corporate bubble. Help employees plan not just how to access a shared drive, but how to store critical personal documents, protect their physical data, and back up their home systems. That may sound out of scope for a lot of tech leaders. It’s not. Your systems now live in employee homes. That makes home resilience your problem.

When employees don’t have continuity in their personal lives, even basic work tasks become complicated. People can’t work effectively when they’re spending hours contacting banks, replacing tax forms, and trying to recover years’ worth of lost data. Supporting their home recovery shortens downtime in real ways. It’s not about being generous, it’s about operational continuity.

If you’re serious about building a resilient culture, this is where it starts. Support the individual, and the work will follow. Your policies and strategies should reflect that. Most disaster plans assume systems are all digital and under company control. They aren’t. The scope has changed, and if your support systems haven’t changed with it, you’re underprepared.

Geographic risk mitigation is invaluable

As your company scales, your risk exposure spreads. Remote workforces are no longer clustered near headquarters. They’re operating across multiple time zones, infrastructure grids, and disaster zones. If you’re not actively tracking where your employees are and what external risks those regions face, you’re running your operations with a major blind spot.

Dr. Oliver Schlake from the University of Maryland points out the obvious but often ignored solution: monitor locations and prepare accordingly. If a typhoon is forming in the Philippines, and 5% of your engineering team is based in that region, you should already be executing your contingency plan, not waiting until systems go down. Regional awareness gives you a tactical advantage. But too many organizations rely on generalized protocols and miss the opportunity to develop precise, localized strategies.

Kenny Kamal, CIO at Oxfam International, outlines how it’s done at scale. His team tracks key operational zones and prioritizes assembling mission-critical hubs that can function independently. These hubs are pre-equipped with alternate power, internet, and resources like satellite connectivity and solar-powered chargers. Oxfam uses these systems daily, in real-world crisis settings.

This level of planning is crucial for business reputation and deliverability. Kamal emphasizes categorizing incidents by impact level (localized, regional, or wide-scale), with scalable response protocols. That gives teams the structure they need to act quickly and effectively without waiting for executive authorization during every new disruption.

If you’re global, your recovery strategy shouldn’t be monolithic. It should be modular, with response systems shaped by geography, infrastructure stability, and employee concentration. Leadership teams need to stop assuming every region can be managed with the same recovery tactics. That assumption slows response and increases risk. Build systems that adapt at the regional level to protect uptime at the global scale.

Employee well-being and mental health should be central

It’s easy to focus on tech infrastructure after a disaster. Most companies prioritize bandwidth, access, power, and data recovery. Those things are important, but they’re not enough. Your people are the foundation of your operations, and if you’re not factoring in the mental and emotional impact of a crisis on them, you’re ignoring the biggest variable in recovery: human capability.

Jocelyn Rhindress at CFIB brings up a critical point: communication doesn’t stop at email or VPN access. During a disaster, especially when people are displaced or cut off, they need direct contact. Sometimes, that means leadership giving personal cell numbers, or unlocking alternate communication channels to ensure no one is left in the dark. It’s not about micromanaging; it’s about being reachable when it matters.

Mario Jabbour, Chief Finance & Admin Officer at Project HOPE, makes the case for codifying this care into policy. Training, flexible expectations, clear disaster guides, and real mental health resources are core infrastructure. If your employees aren’t given room to recover physically and psychologically, productivity plummets, turnover spikes, and the organizational culture fractures under pressure. Jabbour’s view is simple: recovery can’t just mean systems rebooting, it must include people rebuilding.

Oxfam’s Kenny Kamal takes that further by emphasizing retrospectives post-disaster. His teams consistently assess what worked and what didn’t after every major crisis event. That ongoing refinement process sharpens protocols and ensures that flexibility and responsiveness are always improving.

The priority here is sustainability. If disasters are increasing, and the data says they are, then resilience needs to be baked into culture, not just infrastructure. That means supporting employees as humans, not endpoints. If your disaster recovery plan doesn’t support mental health, it’s incomplete, and your long-term performance will reflect that gap.

Key takeaways for leaders

  • Remote work changes disaster risk exposure: Leaders must extend business continuity planning to cover remote teams dispersed across geographies, where natural and infrastructure-related disasters are increasingly common.
  • Simulations expose overlooked vulnerabilities: Conduct regular, hands-on disaster simulations that include remote workers to identify weaknesses in communication, access, and operations before a real crisis occurs.
  • Cybersecurity must scale with connectivity risk: Equip all remote employees with secure tools like VPNs and endpoint encryption in advance to reduce exposure when workers shift to public or unreliable networks during outages.
  • Personal recovery impacts operational continuity: Encourage IT and HR teams to support remote workers with personal disaster recovery planning, including advice on backing up critical personal documents and securing home setups.
  • Geographic risk tracking enables faster responses: Monitor where employees are located and build region-specific contingency plans that prioritize backup resources, communication, and cross-trained substitute staff.
  • Mental health is core to resilience: Embed mental health resources, flexible policies, and clear crisis communication into your disaster response strategy to maintain team stability and reduce burnout during high-stress events.

Alexander Procter

June 5, 2025
