Catastrophe can strike at any moment, often in the most unexpected of ways. Depending on your business, your IT environment, and your location, you may face disasters such as:
- Natural (tornadoes, hurricanes, fires, floods)
- Physical (power outages, hardware failures)
- Human (insider threats, data breaches, cyberattacks)
Most business owners are at least subconsciously aware that these events could happen to them—yet these concerns are hand-waved away as something that only happens to “other people.” As a result, far too many businesses are unfortunately flying blind when it comes to a disaster recovery plan.
This happy-go-lucky attitude is one reason why disasters are so devastating for so many companies. According to a report by the Federal Emergency Management Agency (FEMA), 40 percent of businesses never reopen after suffering a disaster, and another 25 percent of them fail within a year.
Of course, disasters are inherently sudden and unexpected—but that doesn’t mean that you have to be unprepared when disaster strikes. There are methods and steps you can take before, during, and after a disaster to protect the continuity of your business processes and the integrity of your organization.
In this article, we’ll discuss 4 of the most important actions to take when creating a disaster recovery plan, so that you can be as prepared as possible if and when you face a catastrophe.
1. Build a risk assessment plan
A risk assessment plan is a concise yet comprehensive summary of the various risks that you face as an organization, helping you understand your most critical vulnerabilities.
If your headquarters is located in Florida, for example, then you’re much more likely to suffer a hurricane than an earthquake. On the other hand, earthquakes and other catastrophes such as wildfires are a top-level concern for disaster-prone regions like the Los Angeles area.
Risk assessment plans should discuss a variety of possible disasters, from those that are merely inconvenient to those that could threaten the existence of your business. Many companies overemphasize the potential worst-case scenarios in their risk assessment plans, believing that this will make them more knowledgeable and prepared. However, this tendency can be dangerous: it draws attention away from less critical (yet still dangerous) events that might be far more likely to occur.
In addition, don’t forget to include an assessment of all the possible risks to your business: natural, physical, and human. While you might fear falling victim to the latest malware or virus, for example, you should more likely watch out for the insider threats posed by your employees and contractors instead. IBM reports that insider threats (both intentional and unintentional) account for 60 percent of all cyberattacks.
2. Perform a business impact analysis
Once you better understand the risks you face as an organization, you can create a business impact analysis that evaluates the potential impacts that these risks would have on your business.
Your business impact analysis should include an estimate of the costs and repercussions to your organization in the event that a catastrophe occurs. The impact of a disaster on your business is likely greater than you realize, even for relatively minor events.
According to a 2016 survey, for example, 98 percent of businesses say that an hour of downtime would cost them more than $100,000, while a full third say that it would cost more than $1 million.
To calculate the costs of downtime for your own organization, don’t forget to consider the following factors:
- Your average hourly revenue
- The number of your employees and the hours they work per week
- The number of your employees who would be affected by a disaster
- The lost productivity for each employee affected by the disaster
With the hourly cost of downtime in mind, you can then decide on two parameters which are essential to any IT disaster recovery plan: RTO and RPO.
- Recovery time objective (RTO) is the maximum amount of time that can elapse before your data, applications, and processes are fully restored. Essentially, RTO determines the level of comfort that your business has with experiencing downtime. Businesses that require a high level of availability (perhaps on the order of seconds) will have a lower RTO than businesses that can survive downtime lasting minutes or even hours.
- Recovery point objective (RPO) is the maximum age of the backups that can be restored in order to preserve business continuity. In other words, RPO determines how much data your organization can afford to lose: could you survive after losing 5 minutes’ worth of data? 1 hours’ worth?
3. Cloud backups, on-premises, or hybrid?
Speaking of backups, we all know that backing up your data and software applications is a must. It’s perhaps the most important step your business can take to make yourself more resilient and protect yourself from disaster.
By storing your IT essentials in an off-site location, you can more quickly and easily restore operations in the event of a catastrophe that could otherwise cripple your business.
Yet not all backups are created equal. The first question to answer when backing up your data: will you back up to an on-premise server, to the cloud, or to a hybrid solution that combines both options?
Cloud backups are an increasingly popular option for companies who want to preserve their business continuity after a disaster. Storing your data “in the cloud” means sending it to a secondary off-site location with a server that is managed by a third party.
There are several different types of cloud backups:
- Public cloud backups store data on a remote server owned and managed by a third party known as the “cloud provider.”
- Private cloud backups store data on a server that has been exclusively designated for your use.
- Hybrid cloud backups combine the public and private cloud, offering a more flexible cloud backup solution.
Whichever option you choose, cloud backup solutions are on the rise. In a 2019 survey, 60 percent of organizationsreport using cloud backup features such as short-term data storage, cloud archiving, and DRaaS (disaster recovery as a service). What’s more, of the remaining 40 percent, more than half are planning to adopt cloud backups in the year ahead.
Meanwhile, on-premise backups store data on a server that is under your exclusive ownership and control. This server may be located within the physical confines of your business, or off-site. Note that on-premise backups stored in the same location will be vulnerable to the same natural disasters that threaten your primary servers.
Of course, you can also opt for a hybrid backup strategy that combines the cloud and on-premises storage. Many organizations decide to use a hybrid backup strategy when they have certain data that cannot be stored in the cloud due to compliance or security reasons. A hybrid backup strategy also gives you the benefits of both options: the scalability of the cloud, combined with the speed of access of on-premise storage.
4. Document and test your plan
Just like any other emergency plan, your IT disaster recovery should be well-documented and well-tested in advance of a catastrophe. Every employee has a role to play following a disaster, and your plan should make it obvious what that role is and how to execute it successfully.
Your complete IT disaster recovery plan should include:
- A brief overview and summary of the plan.
- The contact information for executives, critical personnel, and members of the recovery team.
- Clear, comprehensive steps to follow in the immediate wake of a disaster.
- A list of the most important elements in your IT infrastructure, and the maximum RTO and RPO for each one.
- Insurance documents and contact information for your insurance provider(s).
- Suggestions for dealing with the financial, legal, and reputational repercussions of the disaster.
The more information your plan includes, the more important it is to test it on a regular basis. Full tests should run at least every quarter, and smaller-scale tests can run more frequently outside of standard business hours.
Creating an IT disaster recovery plan isn’t the easiest or the most fun part of running a business—but in a world where natural and digital disasters can strike at any second, it’s an absolute necessity.
Working with a skilled managed services provider can be a lifesaver when creating an IT disaster recovery plan. Look for an MSP with experience in disaster recovery and qualities such as:
- Fast recovery speeds
- Ease of use
- Scalability of storage and backups
- Knowledge of security and compliance issues
NetDepot’s cloud-based DRaaS (disaster recovery as a service) platform can give your business the peace of mind you need. Our DRaaS solution is flexible, scalable, and offers near-zero recovery times that can get you back up and running within a matter of seconds. To learn more about how we can help preserve your business continuity, get in touch with our team today.