An increasing number of small businesses are opting to store more and more sensitive organizational, employee, and customer data online. While doing so makes the information easier to manage and access, it also makes that data more vulnerable to cybercriminals, hackers, and other unauthorized users.
With data breaches growing in number, frequency, aggression, and sophistication, they pose a real threat to small businesses and their private information. That makes it important to create a disaster recovery plan that saves time and frustration and helps prevent long-term data loss.
43% of cyberattacks target small businesses, and the consequences of these attacks can be devastating for your company. A data breach can result in damage to your company’s reputation, lost revenue, or the loss of your business altogether. With hacking being the most common cause of data breaches, poor data storage is a huge issue for many businesses. Given the rising number of threats, you have to start considering a breach or similar problem as an inevitability rather than a possibility.
It’s vital to be prepared for when—not if—an information technology (IT) disaster hits your organization. Even with a reliable data storage solution protecting your private information, you may still be susceptible to data breaches, natural disasters, or other threats.
As a small business owner, manager, or other professional concerned with the safety of the personal data in your care, you must develop an IT disaster recovery plan. The better prepared you are for a disaster, the less damaging it will be. A successful IT recovery plan will work to minimize network downtime; protect business, customer, and employee data; and make it that much easier to successfully recover from an IT disaster when it strikes.
What Is a Disaster Recovery Plan (DRP)?
A disaster recovery plan (DRP) is a set of instructions that explains how to respond to an unplanned incident that affects a business’s IT infrastructure in order to resume work as quickly as possible.
Simply put, a DRP is meant to help the IT department recover enough data and system functionality so the rest of the organization can successfully operate.
This may not result in complete functionality, but even minor restorations can allow a business to operate at a minimal level. In order to respond to a hiccup in a business’s IT infrastructure, the business must have a thorough, well-tested DRP.
Business Continuity Planning and Disaster Recovery Planning
People often have trouble distinguishing DRP from Business Continuity Planning (BCP), since the two terms are often used interchangeably. The BCP is concerned with keeping all facets of business operations running following a disaster, while the DRP is concerned with restoring business operations to normalcy following a disaster.
To illustrate the difference at a more granular level: if a computer crucial to the business stops working, the BCP is concerned with how to keep the business running without the computer (e.g. a backup computer, pen and paper documentation, etc.). In the same case, a DRP is more concerned with fixing the original problem (e.g. discovering the root issue, calling an IT specialist, replacing the computer, etc.).
While both plans aim to minimize downtime and maximize efficiency in a business, a DRP is essentially a cog in the wheel of a BCP.
What Is the Purpose of a Disaster Recovery Plan?
Minimizing downtime is a large facet of a DRP, but it is not the only focus. Having a DRP in place helps assess risks and implement a variety of goals. In order to create a successful DRP, you must understand all the purposes it serves and the operations it affects.
Addressing Owner & Investor Concerns
In the interest of keeping a business in line with what the higher-ups in the business intend(ed), it is important to consider the apprehensions and concerns of the individuals at the top of the organization. Some of those individuals may include:
- Board of Directors
- Chief Executive Officer
- Chief Operations Officer
Creating an understanding of the concerns of higher-ups gives a complete range of factors and liabilities that need to be addressed on a level that may be unfamiliar to a number of other employees that are outside of that realm.
Since most business operations involve transmitting data from one place to another, more often than not an external framework (e.g. HIPAA, PCI-DSS) establishes a set of compliance standards to abide by. The DRP is meant to reduce the penalties that stem from failing to meet those standards.
One of the main goals behind a DRP is to reduce the amount of risk within an organization. In order to set disaster recovery goals that lower risk, an organization must first assess the different risks associated specifically with the organization. After doing so the organization can diminish risk by eliminating or mitigating factors that need to be addressed.
In order to create an effective DRP, the plan should be updated on a regular basis. As operations, technology, and society continually change, it becomes important to ensure that the organization’s DRP changes as well. An organization should routinely re-assess risk to ensure that the DRP is in line with the risk present within an organization.
One of the main aims behind a DRP is to minimize downtime and maximize recovery. This is achieved by strategizing in the DRP how to react to specific situations. Just because disasters can be unpredictable does not mean that organizations should remain ill-prepared to deal with them. One good way to reduce downtime is to test response times routinely in order to assess and revamp the plan accordingly.
Know Your Data Backup and Restoration Options
In order to comply with legal guidelines, all businesses need a secure document management system (DMS), whether internal or external. However, deciding what type of data backup and restoration to use within an organization can seem overwhelming because of the various options.
Creating an understanding of the options for data backup and restoration becomes crucial to picking the right options to align with an organization’s individual DRP.
Types of Backup
Choosing the correct type of backup is as important as choosing to back up your data in the first place. There are generally four types of backup readily available, and each has its own purpose and extent of backup. The four types include:
Full Data Backup
- Backed Data: all data
- Backup Time: slow
- Restoration Time: fast
- Storage Space: large
- Advantage: ability to restore all data quickly
Incremental Data Backup
- Backed Data: new and altered files
- Backup Time: fast
- Restoration Time: moderate
- Storage Space: small
- Advantage: minimal storage, and minimal time to backup
Differential Data Backup
- Backed Data: new data that is added after a full data backup
- Backup Time: moderate
- Restoration Time: fast
- Storage Space: moderate
- Advantage: eliminates the need to routinely utilize full data backups
- Backed Data: new and altered files
- Backup Time: fast
- Restoration Time: fast
- Storage Space: large
- Advantage: fastest in terms of backup and restoration times
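Why restoration is "moderate" for incremental backups and "fast" for differential ones comes down to how many backup sets a restore has to read, and how many of them must be intact. The following is an added example, not part of the original article; the catalogs and timestamps are constructed, and it assumes an incremental holds changes since the previous backup of any kind while a differential holds all changes since the last full backup.

```python
from datetime import datetime

# Constructed sample catalogs (hypothetical): a Sunday full backup followed
# by nightly incremental or nightly differential runs.
NIGHTS = ["2024-03-04T01:00", "2024-03-05T01:00", "2024-03-06T01:00"]
INCREMENTAL = [("2024-03-03T01:00", "full")] + [(t, "incremental") for t in NIGHTS]
DIFFERENTIAL = [("2024-03-03T01:00", "full")] + [(t, "differential") for t in NIGHTS]


def restore_chain(catalog, restore_point):
    """Backup sets, oldest first, that must be read to restore to restore_point.

    Assumes an incremental holds changes since the previous backup of any
    kind and a differential holds all changes since the last full backup.
    """
    target = datetime.fromisoformat(restore_point)
    # Fixed-width ISO timestamps sort chronologically as plain strings.
    usable = sorted(e for e in catalog if datetime.fromisoformat(e[0]) <= target)
    fulls = [i for i, (_, kind) in enumerate(usable) if kind == "full"]
    if not fulls:
        raise ValueError("no full backup at or before the restore point")
    chain = [usable[fulls[-1]]]
    for entry in usable[fulls[-1] + 1:]:
        if entry[1] == "differential":
            chain = [chain[0], entry]  # supersedes everything since the full
        else:
            chain.append(entry)        # each incremental is a required link
    return chain


def latest_restorable(catalog, damaged):
    """Newest backup time still restorable when the sets in `damaged` are unreadable."""
    for ts, _ in sorted(catalog, reverse=True):
        try:
            chain = restore_chain(catalog, ts)
        except ValueError:
            continue
        if not any(link[0] in damaged for link in chain):
            return ts
    return None


if __name__ == "__main__":
    print(len(restore_chain(INCREMENTAL, "2024-03-06T12:00")), "sets (incremental)")
    print(len(restore_chain(DIFFERENTIAL, "2024-03-06T12:00")), "sets (differential)")
    print(latest_restorable(INCREMENTAL, {"2024-03-04T01:00"}))
    print(latest_restorable(DIFFERENTIAL, {"2024-03-04T01:00"}))
```

With one unreadable Monday set, the incremental schedule can only be restored to Sunday's full backup, while the differential schedule still restores to Wednesday.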
Even if you don’t feel your organization needs it, a good rule of thumb to cover all of your bases is the 1-2-3 plan:
- 1 physical copy stored offsite
- 2 digital copies
- 3 total copies kept at all times
Onsite Storage vs Offsite Storage
While many organizations know they need to store and back up files, documents, and data somewhere, they may not know where to store them. There are two main routes taken by organizations: onsite storage and offsite storage.
Onsite storage typically entails the use of basic storage devices such as external hard drives, magnetic tapes, CDs, etc. to store data physically onsite. The benefits of onsite storage include:
- Immediate access
- Internet-free access
Offsite storage facilities use remote servers to store data using different cloud-based software. Offsite benefits include:
- Access from a variety of locations – Anywhere that has Wi-Fi can access the data if granted access (e.g. remote employees, employees in different branches/departments, etc.)
- Data safety – The data is preserved in case of a disaster, and it is also protected from the breakdowns that other means of storage suffer regardless of any disaster
- Data collaboration between employees
When choosing between onsite or offsite storage facilities, it ultimately comes down to an organization’s needs and preferences. If you are having a hard time deciding between the two, it may be beneficial to utilize both. Whether you choose one or the other, it is always easy to find offsite storage facilities near you.
Data Availability vs Data Durability
While the two terms are often used together, data availability and data durability operate on different spectrums within data accessibility. Both terms are important to consider within the realm of DRPs, but it is important to understand them as separate terms.
Data availability refers to system uptime. More specifically, system uptime is understood by how quickly the storage system is able to fully operate. Data durability refers to the protection of data long-term, i.e. the focus of protecting data from bit rot, degradation, or any attempt at data corruption.
Some organizations will be drastically affected by any amount of downtime, so it is important to have a large emphasis surrounding data availability for those organizations’ DRP. This is where data durability becomes important—even if an organization is able to recover from the downtime, it doesn’t always mean that the data will be intact and organized in the same manner.
When a fault is corrected, it is essential that the original data is restored. By and large, data availability focuses on short-term data accessibility while data durability focuses on long-term data accessibility.
As businesses strive for efficiency in all facets of an organization, they are commonly switching from physical paper file management to digital file management via cloud storage.
Aside from offering a practical means of data organization, cloud backup management services offer a variety of benefits, such as:
- Immediate access to data (as long as there is access to the internet)
- Cost-effective data management
- Data tiers are offered to ensure you are not getting too little or too much
- Secured data storage practices
- Data encryption
- Improved organization collaboration via files/documents
- Decreases data redundancy and replication
- Creates one single area for all data
- Cloud storage guidance
- Suggestions for choosing the right cloud storage platform specific to an organization’s needs
- Troubleshooting resources if issues arise
With such an emphasis on technology in a digital society, cloud storage is becoming more and more common.
Developing an IT Disaster Recovery Strategy
While simply understanding the importance behind an IT DRP—as well as attempting to create an IT DRP—is a great start, it’s just as important to recognize the common steps associated with successful disaster plans. Once this is achieved, the organization can then implement the steps accordingly.
Recovery Point Objectives (RPO) vs. Recovery Time Objectives (RTO)
Although the two terms look similar and both work within recovery plans, there are differences between RPO and RTO.
The difference between the two is largely the purpose behind them. While RPOs are concerned with a company’s ability to avoid the loss of data, RTOs are concerned more so with all of the factors that facilitate the amount of time that it takes to recover from a disaster.
Consider Your IT Vulnerabilities
In order to become prepared for an IT disaster, you first need to know what your IT vulnerabilities are. Your vital applications and technologies are in direct correlation with your factors of production.
If something is integral or fundamental to an organization’s day-to-day functions, it’s something that should be taken into account. Some of the common things to take into account with IT vulnerabilities are:
- Technology Setting
By understanding the areas where something can go wrong, an organization can better prepare themselves to power through those various issues. A good practice to implement is to indicate all vendor technical support information and numbers in case you need help from outside sources to put out the flames.
Devise a Communications Plan
Communication is key to recovering from some sort of IT disaster. In most cases, communication throughout an organization includes an array of individuals in a variety of departments, so the solution isn’t always as simple as just communicating verbally.
Oftentimes the emergency can affect common means of communication as well (e.g. company phones, company chat groups, or company emails), so it is important to have a multitude of communication methods. By understanding where communication barriers arise, an organization can create a solution to overcome them.
All employees within an organization should be trained regarding DRPs. Aside from allotting time during the day to inform and instruct employees on procedures surrounding the DRP, an organization needs to clearly define a few things:
- The general DRP process
- Who is involved (as well as backups)
- Roles and responsibilities of the employees involved
When an organization defines the process, who is involved, and their respective roles and responsibilities within the DRP, the organization is then providing adequate resources for employees. If the employees are provided with structure, then they are prepared to help the organization recover in a quick and efficient manner in the case of a disaster.
A good practice to implement is choosing a time (monthly, quarterly, annually) to go over and test out the DRP in order to see which employees know what to do, and which need clarification and direction. In doing so, you are ensuring that all your employees keep up to date and stay informed.
Continually Test and Revise Plan
As time goes on, a company typically changes. This can be seen in a variety of ways, from the company’s core values to its physical location, upgraded cybersecurity, and the many other ways that a company can evolve.
As a result, it becomes necessary to continually test and revise your plan based on the changes within the company. For example, in the past, tape and microfilm were the preferred (and practical) method for data storage; today they are starting to be replaced by digital alternatives.
Although tape and microfilm can be preserved for long periods of time, we live in an age where digital preservation has taken over. If your documents are all in physical form, you can utilize document scanning services to change your data from physical form to digital form. As with any other change, it then becomes important to revise and retest the DRP.
Creating an IT Disaster Recovery Plan Template
Organizations that utilize any type of technology require well-planned and well-executed DRPs to avoid business disruptions. To achieve this, the company needs to not only train employees and verbally explain what the DRP entails, but also put it into writing. While a DRP should be specific to an organization’s needs, it generally follows a structure such as:
- IT DRP Document Outline
- IT DRP Overview
- IT DRP Goal and Objectives
- IT DRP Scope
- IT DRP Assumptions and Limitations
- IT DRP Definitions
- Recovery Tiers and Dependencies
- Service-Level Agreements
- IT DRP Roles and Responsibilities
- IT DRP Summary
- IT Infrastructure Overview
- Data Centers, Physical and Logical sites
- IT Core Services
- Networking Services
- Storage Services
- Compute Services
- IT Applications/Databases
- IT Service Desk
- IT DRP Phases
- Impact Assessment
- Declaration and Plan Activation
- Recovery Procedures
- Recovery Validation
- Re-establishing Standard Operations and Redundancy
- Failback Procedures
- IT DRP Procedures
- Communication Process
- IT DRP Operations Considerations
- IT DRP Escalation Procedures
- IT DRP Security Considerations
- IT DRP Postmortem and Lessons Learned
- IT DRP Exercises
- IT DRP Access and Maintenance
- Establish Clear IT DRP Goals and Scope
- Obtain Executive Commitment
- Build a Cross-Organizational Team
- Assess and Update the DRP Regularly