As more and more businesses rely on IT, data, and technology to generate revenue and sales, the risk of data-related disasters grows. As a result, more and more businesses, large and small, have started to implement a Disaster Recovery Plan to increase their resiliency against unforeseen events. As a leading managed IT service provider, Kosh Solutions gets asked all the time: when does a business need disaster recovery?
Disaster recovery plans are best prepared early in the life of the business and constantly reviewed as the company grows. This is because the company's risks will change as it grows, and the business environment changes. Review disaster recovery plans for your business at least annually.
This article discusses disaster recovery plans, specifically when a business needs disaster recovery. It also talks about why a business needs disaster recovery.
What Is Disaster Recovery For Businesses?
Disaster recovery is a policy detailing what everyone in the business should do in the event of a disaster and how to bring the business back up and running as fast as possible. These disasters may include intentional or accidental disasters, such as terrorism, data breach, earthquakes, or server failures.
Disaster recovery for businesses may be called many different names, such as Disaster Recovery Plan (DRP), IT disaster recovery plan, or disaster recovery implementation plan.
The plan is basically a policy detailing how a business can implement steps to bring business operations back to normal after a disaster. The focus of the document may be on IT related disasters, but plans should also consider events such as fires, earthquakes, and so on.
A disaster recovery plan's main goal is to become the authoritative reference point for all business staff and vendors. If a disaster strikes, personnel can immediately look at the plan and know steps to take to restore the business. An organized response will provide a faster recovery.
A disaster recovery plan generally addresses intentional disasters, such as terrorist attacks or hacking. It should also address accidental disasters, such as power outages and server failures.
A good disaster recovery plan should also be revised frequently to reflect the changes in the business, such as the addition of inventory and personnel. Revising the disaster recovery plan also helps keep it up to date with the general environment the business operates in. Reviewing your plan at least annually keeps all key personnel up to date.
When Does A Business Need Disaster Recovery?
Every business should prepare a disaster recovery plan as early as possible. This is to ensure the business can recover faster in a disaster. The disaster recovery plan needs to be revisited and revised frequently. Your business may face different risks as it grows and when the business environment changes.
Many business owners are so busy that they do not have a disaster recovery plan early on in their business journey. This is because it can be difficult to understand the risks. We have seen the “not me syndrome” afflict many business decision makers: “A data breach won’t happen to my business.” A recovery plan is like a very cheap form of insurance: you have it there if you need it, and you position yourself to not need it. A disaster recovery plan is a simple way to understand how to protect your business and help it recover after a disaster. We believe that no matter the size of the business, it’s wise to have at least a rudimentary plan in place.
With that said, it’s important to note small and medium-sized businesses are particularly vulnerable to disasters. Forbes reported that 40% of small and medium businesses never reopen after a disaster, and 25% fail a year after reopening.
When you prepare a business disaster recovery plan, your business stands a better chance of recovering and surviving.
For good measure, a business disaster recovery plan should be implemented as early as possible in the business. This is because no matter what size your business is, there will always be risks. As a managed IT service provider, we have seen smaller businesses hit the hardest because they don’t have the resources to deploy when hit with a disaster. In those cases, it’s far better (and cheaper) to prepare and get in front of potential threats before they happen. In our line of work this means we help our customers fortify their cybersecurity and ensure reliable data backups are available.
After documenting, the disaster recovery plan needs to be reviewed at least annually or even once every 6 months. Hopefully your business is growing and typically with that growth your target area grows as well. You may have more locations that need to be managed and folded into your DR plan. Or you may have new technology demands that need to be accounted for. From a technology point of view, it can be difficult to see how small changes affect your DR plan, so having an IT professional walk through your plan can help identify any holes that may have cropped up.
For example, your company finally completed its data center migration from Orange County, California to Albuquerque. Since the California location was fire and earthquake-prone, you need to update your disaster recovery plan to reflect the new disaster environment. The update may focus on removing or marginalizing what to do if an earthquake causes your data center to go offline, because this is no longer as big of a threat.
Another reason to frequently update your disaster recovery plan is to reflect the changing business environment. For example, suppose there is a rising trend of ransomware attacks on healthcare businesses. This means during the review of your recovery plan you will want to include steps on what actions to take if you get hit with a ransomware attack.
What Should A Disaster Recovery Plan Include?
A disaster recovery plan includes goals, personnel, IT inventory, backup procedures, recovery procedures, and restoration procedures. Depending on the level of complexity and scale of your business, you may need some or all of these items in the recovery plan.
Generally, smaller businesses have simpler, more basic recovery plans. In contrast, large multinational companies have much more detailed recovery plans. The most important part is to begin documenting so you have a starting place. Generally, when creating your disaster recovery plan, consider having these items as part of it:
Start by defining in detail what your business aims to achieve during and after a disaster. This is commonly done by setting a measurable recovery time objective (RTO) and recovery point objective (RPO).
RTO is usually expressed as time, indicating how much time it will take you to restore operations. For example, you can set an RTO of 8 hours to recover from a server breakdown. This means you aim to get your server back up and running in 8 hours. Your need will depend on your business. Some businesses, like banks and healthcare, can’t afford to wait 8 hours to get their server back up and running. This is where Kosh has helped many customers understand and adjust their technology recovery objectives.
RPO is also expressed as time, indicating how much data you are willing to lose, measured back from the point of disaster. Suppose you set an RPO of 1 hour for the disaster of losing a data set. In this case, you may want to set up a system where your files are backed up every hour. Not all data is created equal. Some of your data is vital to your business operations and some is just nice to have. Each type of data can have different levels of urgency in your plan.
A disaster recovery plan should include the names of people responsible for the recovery plan and what actions they should take in the event of a disaster. This ensures swift recovery actions the moment the disaster happens.
For example, if a server breaks down, the people responsible for actions might be the chief server technician (or your technology provider) and the Chief Technology Officer.
An IT inventory lists all the IT equipment and tools available at hand. This allows the officer responsible for disaster recovery to quickly determine where to find this IT equipment and to start the recovery plan as soon as possible.
An IT Inventory can also help in the event of a disaster such as a fire or an earthquake. This allows your company to quickly assess what was damaged, whether the inventory is critical for the business, and if a replacement should be arranged immediately.
Every company has data. And that data is stored somewhere. Maybe it is stored on your business’ premises, or a data facility, or in the cloud…it is somewhere. Backups are critical to recovering from a disaster. Your backup procedures need to be documented. The documentation should mention where each data source is backed up, how it is backed up, and on which devices and folders.
On top of that, it should also list how to recover this data, in the event of a data-related disaster. This allows swift disaster recovery to begin. Solid backups are the key to your business restoring operations quickly and in line with expectations originally set by the RPO and the RTO.
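One way to check a documented backup inventory against the RPO described above, as an added example that is not Kosh's own tooling. The dataset names, tiers, timestamps and the 24-hour RPO are constructed for illustration; the 1-hour RPO mirrors the article's example.

```python
from datetime import datetime, timedelta

# Assumed RPO per data tier (1 hour mirrors the article's example;
# 24 hours is a constructed placeholder for "nice to have" data).
RPO_BY_TIER = {"vital": timedelta(hours=1), "nice_to_have": timedelta(hours=24)}

# Constructed inventory: what is backed up, how often, and when the last
# backup that was verified as restorable finished (None = never).
INVENTORY = [
    {"name": "billing-db", "tier": "vital",
     "interval": timedelta(hours=1), "last_ok": datetime(2024, 1, 10, 8, 30)},
    {"name": "patient-records", "tier": "vital",
     "interval": timedelta(hours=4), "last_ok": datetime(2024, 1, 10, 8, 0)},
    {"name": "marketing-share", "tier": "nice_to_have",
     "interval": timedelta(hours=24), "last_ok": datetime(2024, 1, 8, 2, 0)},
    {"name": "scanned-contracts", "tier": "nice_to_have",
     "interval": timedelta(hours=24), "last_ok": None},
]

def audit_backups(inventory, now, rpo_by_tier=RPO_BY_TIER):
    """Return (dataset, issue, detail) for every entry that cannot meet its RPO."""
    findings = []
    for ds in inventory:
        rpo = rpo_by_tier[ds["tier"]]
        # A schedule slower than the RPO can never satisfy it,
        # even when every single job succeeds.
        if ds["interval"] > rpo:
            findings.append((ds["name"], "SCHEDULE",
                             f"runs every {ds['interval']}, RPO is {rpo}"))
        if ds["last_ok"] is None:
            findings.append((ds["name"], "NEVER", "no successful backup on record"))
            continue
        # Exposure: the data that would be lost if the disaster happened now.
        exposure = now - ds["last_ok"]
        if exposure > rpo:
            findings.append((ds["name"], "STALE",
                             f"last good backup {exposure} ago, RPO is {rpo}"))
    return findings

if __name__ == "__main__":
    for finding in audit_backups(INVENTORY, datetime(2024, 1, 10, 9, 0)):
        print(*finding, sep=" | ")
```

A schedule finding means the plan itself needs changing, while a stale or never finding means the plan is fine on paper but the backup jobs are not delivering it.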
To learn more about backups, here's an article about the importance of backups and roughly how much they cost.
Disaster Recovery Procedures
This is the meat of any disaster recovery plan. It should mention specific procedures when dealing with specific disasters. Depending on the procedure's detail, it may also show information about recovery sites.
For example, in the event of a fire alarm ringing, the assigned team member should immediately go to the main server, remove the main hard drive storing the most recent backup, and then point any traffic to a secondary server away from the building with the alarm.
Finally, a restoration procedure details how to recover from loss of operation. This should cover a step-by-step process to restore operations to their original state.
A restoration procedure may start with a meeting between related personnel to assess what needs to be restored before announcing issues with the service of the business, detailing the restoration time as decided by the RTO.
The personnel assigned then go to work, restoring the operation step by step as detailed in the disaster recovery procedures. The restoration procedures may end with the final check to ensure all aspects of the business have been brought back into operation.
Kosh works with our customers to document their own disaster recovery plans. We also take our customers through a Tabletop Exercise to help them determine what data is most important, risks to that data, how to protect the data, and what steps need to be taken to restore that data.
We find many companies are not very good at valuing their data (some over value and some under value). Kosh’s technical and cybersecurity experts provide guidance for decision makers.