Freaking out because you have just had a disaster and you don’t have a disaster recovery plan?
OR you are planning ahead as you know that 67% of small businesses will incur a disaster related to their IT in the next 12 months.
What is a Disaster Recovery Plan?
A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity plan (BCP). It is applied to the aspects of an organization that depend on a functioning IT infrastructure.
What does a Disaster Recovery Plan Include?
A disaster recovery plan (DRP) is a documented process or set of procedures to execute an organization’s disaster recovery processes and recover and protect a business IT infrastructure in the event of a disaster. It is “a comprehensive statement of consistent actions to be taken before, during and after a disaster”.
Although there is no one-size-fits-all plan, there are three basic strategies:
- Prevention, including proper backups, having surge protectors and generators
- Detection, a byproduct of routine inspections, which may discover new (potential) threats
What is a good Disaster Recovery Plan?
Your disaster recovery plan should include a list of company assets in priority order based on which equipment and services have the greatest impact on your organization. This list should include both digital and physical assets (software and hardware).
5 Top Elements of an effective Disaster Recovery Plan
- Disaster recovery team: This assigned group of specialists will be responsible for creating, implementing and managing the disaster recovery plan. This plan should define each team member’s role and responsibilities. In the event of a disaster, the recovery team should know how to communicate with each other, employees, vendors, and customers.
- Risk evaluation: Assess potential hazards that put your organization at risk. Depending on the type of event, strategize what measures and resources will be needed to resume business. For example, in the event of a cyber attack, what data protection measures will the recovery team have in place to respond?
- Business-critical asset identification: A good disaster recovery plan includes documentation of which systems, applications, data, and other resources are most critical for business continuity, as well as the necessary steps to recover data.
- Backups: Determine what needs backup (or to be relocated), who should perform backups, and how backups will be implemented. Include a recovery point objective (RPO) that states the frequency of backups and a recovery time objective (RTO) that defines the maximum amount of downtime allowable after a disaster. These metrics create limits to guide the choice of IT strategy, processes and procedures that make up an organization’s disaster recovery plan. The amount of downtime an organization can handle and how frequently the organization backs up its data will inform the disaster recovery strategy.
- Testing and optimization: The recovery team should continually test and update its strategy to address ever-evolving threats and business needs. By continually ensuring that a company is ready to face the worst-case scenarios in disaster situations, it can successfully navigate such challenges. In planning how to respond to a cyber attack, for example, it’s important that organizations continually test and optimize their security and data protection strategies and have protective measures in place to detect potential security breaches.
How to Build a Disaster Recovery Team?
Whether creating a disaster recovery strategy from scratch or improving an existing plan, assembling the right collaborative team of experts is a critical first step. It starts with tapping IT specialists and other key individuals to provide leadership over the following key areas in the event of a disaster:
- Crisis management: This leadership role commences recovery plans, coordinates efforts throughout the recovery process, and resolves problems or delays that emerge.
- Business continuity: The expert overseeing this ensures that the recovery plan aligns with the company’s business needs, based on the business impact analysis.
- Impact assessment and recovery: The team responsible for this area of recovery has technical expertise in IT infrastructure including servers, storage, databases and networks.
- IT applications: This role monitors which application activities should be implemented based on a restorative plan. Tasks include application integrations, application settings and configuration, and data consistency.
While not necessarily part of the IT department, the following roles should also be assigned to any disaster recovery plan:
- Executive management: The executive team will need to approve the strategy, policies and budget related to the disaster recovery plan, plus provide input if obstacles arise.
- Critical business units: A representative from each business unit will ideally provide feedback on disaster recovery planning so that their specific concerns are addressed.
What are the types of Disaster Recovery?
Businesses can choose from a variety of disaster recovery methods, or combine several:
- Back-up: This is the simplest type of disaster recovery and entails storing data off site or on a removable drive. However, just backing up data provides only minimal business continuity help, as the IT infrastructure itself is not backed up.
- Cold Site: In this type of disaster recovery, an organization sets up a basic infrastructure in a second, rarely used facility that provides a place for employees to work after a natural disaster or fire. It can help with business continuity because business operations can continue, but it does not provide a way to protect or recover important data, so a cold site must be combined with other methods of disaster recovery.
- Hot Site: A hot site maintains up-to-date copies of data at all times. Hot sites are time-consuming to set up and more expensive than cold sites, but they dramatically reduce down time.
- Disaster Recovery as a Service (DRaaS): In the event of a disaster or ransomware attack, a DRaaS provider moves an organization’s computer processing to its own cloud infrastructure, allowing a business to continue operations seamlessly from the vendor’s location, even if an organization’s servers are down. DRaaS plans are available through either subscription or pay-per-use models. There are pros and cons to choosing a local DRaaS provider: latency will be lower after transferring to DRaaS servers that are closer to an organization’s location, but in the event of a widespread natural disaster, a DRaaS that is nearby may be affected by the same disaster.
- Back Up as a Service: Similar to backing up data at a remote location, with Back Up as a Service, a third party provider backs up an organization’s data, but not its IT infrastructure.
- Datacenter disaster recovery: The physical elements of a data center can protect data and contribute to faster disaster recovery in certain types of disasters. For instance, fire suppression tools will help data and computer equipment survive a fire. A backup power source will help businesses sail through power outages without grinding operations to a halt. Of course, none of these physical disaster recovery tools will help in the event of a cyber attack.
- Virtualization: Organizations can back up certain operations and data or even a working replica of an organization’s entire computing environment on off-site virtual machines that are unaffected by physical disasters. Using virtualization as part of a disaster recovery plan also allows businesses to automate some disaster recovery processes, bringing everything back online faster. For virtualization to be an effective disaster recovery tool, frequent transfer of data and workloads is essential, as is good communication within the IT team about how many virtual machines are operating within an organization.
- Point-in-time copies: Point-in-time copies, also known as point-in-time snapshots, make a copy of the entire database at a given time. Data can be restored from this back-up, but only if the copy is stored off site or on a virtual machine that is unaffected by the disaster.
- Instant recovery: Instant recovery is similar to point-in-time copies, except that instead of copying a database, instant recovery takes a snapshot of an entire virtual machine.
7 Steps to Take When Creating a Disaster Plan
When you’re in the middle of a disaster, it’s hard to think about long-term issues. Focus gets narrowed to finding a way to get through each day as it comes. Fortunately there are simple steps that you can take to prepare for a catastrophe.
- Have a plan. Government websites like ready.gov can help you formulate a family plan in advance. Where will you meet if there is a catastrophe while your kids are at school? Who can you contact that is not in your local calling area? (After Katrina, so many people were trying to reach loved ones that the phone lines were jammed for several days. Calls to people living in other area codes became useful ways to relay information because you could get through.) If you’re ordered to stay indoors, simple steps like having enough bottled water for your home and non-perishable food to get through a few days can make a huge difference.
- Review your insurance coverage. You’ve got to have the basics in place that at a minimum are homeowner’s insurance, auto insurance, and depending on the part of the world you live in, insurance for specialized catastrophes like floods and earthquakes. There were flood disasters in 25 states in 2010, so don’t think because you don’t live near the ocean that you’re ok. If you own a business, add business interruption coverage to that list. It’s especially helpful to have a knowledgeable Property & Casualty Insurance agent help you structure things properly up front. In the immediate aftermath of a disaster, contact your agent and the carriers to begin the claims process. Pictures speak a thousand words, so take photos and video of your home/office and store them online so that you can access and provide them to a claims adjuster.
- Keep a list of important contacts, phone numbers, and policy numbers. It helps to have the toll-free numbers for your insurance carriers, policy and account numbers, as well as contact information for family and friends in a document that is accessible to you in the aftermath of a disaster. You can put a short list of the most important information on a laminated card and keep it in your wallet or purse.
- Protect documents. We all have important papers (like birth certificates, marriage licenses, etc.) that are sometimes irreplaceable. Do whatever you can to make sure these documents are stored safely and securely. If they’re in a safe deposit box, ask your bank about protection from flood or fire. If you store these documents at home, buy a fire-resistant, waterproof box. These don’t work in every circumstance, but they give your important papers a fighting chance.
- Have a backup. With the abundance of digital cameras, it’s so easy to take a snapshot of your documents and store those pictures somewhere online. This also goes for your family’s critical data stored on computers at home. Online backup services are a lifesaver if your home is destroyed or inaccessible.
- Have an emergency fund. Basic financial advice is to have an emergency fund that is accessible to you at all times. Claims and government assistance can take months to come through, so having readily available cash can keep you afloat and out of credit card debt if you’re paying for hotels and meals.
- Remember what is truly important. In the aftermath of the storm, people didn’t really miss a lot of the “stuff” that was destroyed. They found that beyond some photos and other irreplaceable items that as long as they had their loved ones together and safe, everything else could be handled. It’s easy to lose sight of this as we go about our daily lives. Hug your loved ones and cherish the time you have together.
If you have some concerns or need some assistance with your Disaster Recovery Plan, please give us a call today and we can help you from suffering a disaster at your small business.