Floods, Cybersecurity, and Survival Strategies
And the Surprising Link Between Them
When disaster strikes, your recovery site choice decides if you’re back in hours, or stuck for weeks. Cold, warm, or hot: the wrong pick could cost your business everything.
Let me guess, you clicked on this because floods and cybersecurity sounded like a weird combination. After all, what does setting up firewalls have to do with rising water levels?
The answer is always the same.
Cybersecurity isn’t just about firewalls, it’s about keeping the business safe and operational. And if your office is under water, your business operations aren’t going to thrive.
Warning: Crucial topic for the CISSP exam.
Disaster recovery and business continuity deserve more than one article, so today we’ll focus on just one key piece: Recovery Site Strategies.
Key terms
As always, we need to go through a couple of definitions first to be able to discuss the whole topic. The good news is, it isn’t going to be long today.
There are three key terms to understand:
Nondisaster: A disruption in service that has a significant but limited impact on business processes at a facility.
Disaster: An event that renders the entire facility unusable for a day or longer.
Catastrophe: A major disruption that destroys the facility altogether.
Excellent, now we are on the same page. Recovery Site Strategies only deal with situations such as disasters and catastrophes. So today, we will take a look at how to prepare for rare but realistic situations where things go really wrong.
Recovery Site Strategies
So what happens when your facility is unusable for a day or longer?
You need an alternate processing facility, plus restoration of software and data from offsite copies.
There are three types of alternate facilities that an organization can choose from: Hot Site, Warm Site, and Cold Site.
Hot Site
A hot site is a fully configured facility that can take over business operations within a few hours. It has all necessary hardware, software, and network connections already in place, so downtime is minimal.
Advantages:
Fastest recovery time (minimal downtime)
Fully operational, with all systems ready
Ideal for mission-critical operations
Disadvantages:
Most expensive option
Requires ongoing maintenance and updates
High operational costs even when not in use
Warm Site
A warm site is partially equipped with hardware and network connectivity. Some setup is required before it can become fully operational.
Advantages:
Faster recovery than a cold site
Lower cost than a hot site
Suitable for businesses with moderate downtime tolerance
Disadvantages:
Not immediately operational. Some configuration is needed
May not have up-to-date data
Some staff intervention required to bring systems online
Cold Site
A cold site is an empty facility with basic infrastructure like power, cooling, and network access. It has no pre-installed hardware or data.
Advantages:
Most cost-effective option
Minimal ongoing maintenance
Suitable for non-critical operations
Disadvantages:
Longest recovery time (can take days)
Requires complete setup before operations can resume
Higher risk of prolonged downtime
I think you get the idea now. The “warmer” the site is, the more ready it is to be operational and the more expensive it is.
Which one is the best?
I know exactly what’s going on in your head. I just gave you three options and you started wondering which one is the best.
And as always, it depends.
It all comes down to business impact, downtime tolerance, and budget. In other words:
Recovery Time Objective (RTO) – How quickly must systems be restored before the downtime becomes unacceptable?
Recovery Point Objective (RPO) – How much data loss (in terms of time) is acceptable? Minutes? Hours? Days?
Business Criticality – Are you running a hospital system where downtime costs lives, or a small design agency that can afford a few days offline?
Budget and Resources – Can you sustain the ongoing cost of a hot site, or is a warm/cold site more realistic?
Example:
A stock trading platform might choose a hot site because even seconds of downtime can cost millions.
A regional manufacturing plant may use a warm site — a short outage is tolerable, but not days.
A small local business could opt for a cold site, accepting slower recovery to save on costs.
Ultimately, the “right” choice isn’t just a technical decision.
It’s a business decision.
The site strategy must align with the organization’s overall risk appetite and continuity plan.
Where do I get one?
Okay, now we know what types of sites we have and how to choose the right one for our use case.
But how do we get one? Should we just build a new facility?
Well, that’s one option. You can have a mirrored site that is equipped and configured exactly like the primary site and is owned by your organization. However, the investment and operational costs of such a facility are huge.
That’s why most organizations rent it from a service bureau. These companies specialize in providing recovery sites, whether hot, warm, or cold, and can tailor the setup to your needs.
A good service bureau will:
Offer facilities in multiple geographic locations to reduce regional disaster risk
Maintain the infrastructure so it’s ready when you need it
Provide flexible contracts so you only pay for the level of readiness you require
And remember, just because you’ve paid for a recovery site doesn’t mean you’re ready. You must also test your disaster recovery plan regularly to ensure that, when the water rises, your team knows exactly what to do.
Summary
I hope you enjoyed this short break from the purely technical side of cybersecurity. Make no mistake, business continuity and disaster recovery are not “nice-to-have” extras.
They’re essential, and their importance is only growing as more regulations require organizations to implement them.
I chose this topic to show you that cybersecurity is no longer just about firewalls and password management. If you want to succeed in this field, you need to broaden your perspective: protecting the business means keeping it operational, no matter what happens.
Both business continuity and disaster recovery are major topics for the CISSP exam, and for real-world organizational resilience.
Now, let’s see if it stuck: Can you tell which site type you’d recommend for a hospital vs. a small design studio? Find out in today’s short quiz.


