Hurricane season on Long Island officially starts June 1st, but many of us consider the prime time to be August through October as recent storms Irene and Sandy come to mind and now Florence is on everyone’s radar. Being prepared is essential to ensure successful continuity of operations and minimize losses.
Disasters, whether they be natural or man-made, come in all shapes and sizes. And while it may be impossible to predict if/when one will attack your business, you can certainly preempt extensive loss and downtime by forging a Disaster Recovery (DR) Plan that takes into account your most valuable assets and data to ensure business continuity. Consider this: a medium-sized business can lose $216,000 per hour due to downtime from a disaster, while an enterprise-level business can lose $686,000 during the same time span. That’s why it’s imperative for all businesses, whether big or small, to design an operable DR Plan that takes into account a range of disasters and emergencies, with a specified protocol to respond to each.
What are key elements of a Disaster Recovery Plan?
Define a reasonable recovery point objective and recovery time objective
A Recovery Time Objective (RTO) is defined as the length of time a company targets to resume its services after a disaster has taken place. The purpose of setting an RTO is to determine how much money, effort, and time should be spent on Disaster Recovery planning. A worldwide tech behemoth may decide they require an RTO of 15 minutes; meaning they’d need to allocate a relatively large sum toward Disaster Recovery planning to ensure they meet such a short RTO. A furniture store, on the other hand, may set an RTO of 48 hours, in which case a smaller budget for DR planning may be sufficient. A Recovery Point Objective (RPO) is similar to RTO, but is defined by how old your data at the recovery site would be. Another way to look at it would be: What is the maximum amount of data you’re willing to lose during a disaster? If your answer is 4 hours, then your RPO is 4 hours, which means you need to be backing up your data every 4 hours. Make sure you’re realistic when setting your RTO and RPO. Sure, in an ideal world there’d be no disasters, and even if one were to occur you’d be able to get back up and running within minutes—but such results are rarely realistic. Target a sensible RTO and RPO, and derive the rest of your DR Plan from these objectives.
Define Disaster Recovery plan roles and responsibilities
DR roles should be outlined and prioritized by necessity and value to your company. Consider what’s most important, working your way down, and assign personnel roles for each. Make sure to designate backup personnel in the event that the main assignee is not present during the emergency. Make sure to assign someone the role of deciding when to officially declare a situation an emergency. This essential step will set the rest of your plan in motion. Create a list of all key people with roles and responsibilities detailed, and ensure this list is easily accessible to everyone involved. It may be wise to also set up an online group chat with all DR personnel. This will streamline communication in the event a disaster or emergency actually takes place.
Create a comprehensive DR communication plan
One of the main overlooked aspects of Disaster Recovery planning is communication, despite it being among the most important tasks on this list. Your communication plan should outline the protocol for communicating with people essential to your business, e.g. employees, vendors, and customers. Employees: All employees should have already filled out their most up-to-date information, complete with emergency contact information listed. Your protocol should include when and how to contact your employees, with backup methods in case certain modes of communication are down during a disaster. Vendors and customers: Times have changed, and the global economy is in full force and effect. That means businesses are interdependent on each other for various needs. Forge a communication plan ahead of time with vendors and partners in the event of an emergency. Social media may be the best way to get in touch with your customers if a disaster besets your business.
Outline a DR protocol for employees
All Disaster Recovery plans must include a protocol for employee safety and security in the event of various disasters (e.g. fire, storm, intruder, etc.). Assign roles for each type of disaster and ensure every employee understands the protocol intimately ahead of time. Be sure to consider employee location and priorities when assigning roles. Asking employees to assist with extended company recovery plans when their own homes and families are being impacted by the disaster is both imprudent and inconsiderate. Focus your DR protocol on getting local employees to safety, and consider the role remote employees can play in helping with more time-intensive tasks.
Incorporate disaster/emergency protocol for vendor/service agreements
Enterprises that outsource some of their business (e.g. support or part of their supply chain) should ensure a binding agreement is in effect that sets forth each party’s responsibility in the event of a disaster. Make sure your contracts feature a service-level agreement specifying maximum response time to guarantee your issues are addressed in a timely manner. Incorporating these protocols will help your company meet its RTO and RPO.
Take inventory of all assets
Your DR Plan should list out all inventory, both physical and digital Physical inventory: Keep a running log with accompanying photos handy. This will help streamline the insurance claims process. Digital inventory: make a list of hardware and software application inventory, prioritized by order of importance. Each should have the vendor technical support contract linked with pertinent contact information as well, to allow for easy reference as needed.
Back up your data off-site
Onsite backup data may either get damaged or become impossible to access in the event of an emergency. That’s why it’s imperative to back up your data according to your RPO, transfer it securely, and store it in an off-site data center with layered levels of protection. If you’re planning to employ an outside vendor to assist with disaster planning, note that offsite backup services are not the same thing as disaster recovery ones.
Install anti-spyware on all devices
One of the first preliminary measures you can take to avoid a company-wide cyber attack is to install spyware/malware detection software on all work computers. Read this article to see why, even in 2018, virus protection software is necessary.
Test your DR Plan with “fire drills”
A plan that isn’t tested isn’t much of a plan at all. You should be testing your DR Plan at least twice per year, and perhaps even more if your RTO and RPO necessitate massive DR investments. A 2016 Unitrends survey found that less than 40% of companies with Disaster Recovery plans tested them more than once per year, and 36% didn’t test them at all. A popular DR case studies on one of our previous clients illustrates the risk of not testing yours during your disaster recovery planning. Make sure that when you test your DR Plan, you’re simulating realistic disaster/emergency environments. Doing so will help uncover where your plan needs to be improved and strengthened.
Consider hiring a professional service
Before putting your DR Plan into action, you should assess how costly, physically feasible, and desirable it will be to handle a disaster or emergency yourself. Ask yourself:
- What is your appetite to take ownership of managing, monitoring, securing, and testing a proper DR setup?
- What is your recourse should it fail?
- Would you prefer to shift accountability and management to an expert third party who will provide you with a service level agreement for assurances?
Depending on your answers, and your company type and size, you may realize you lack the technical expertise or desire to deal with some disaster recovery aspects yourself. Companies specializing in disaster recovery and data restoration, called Disaster Recovery as a Service (DRaaS) providers, exist to superintend the entire process for their clients in the event they elect not to self-manage their DR efforts. Look for reputed MSPs with notable clients and capable of tailoring their DR Plans fit their clients’ RTOs and RPOs.