How To Develop A Disaster Recovery Plan
Security breaches occur daily; it’s not a matter of if your company will be breached, but (unfortunately) when. Companies without a disaster recovery plan can expect serious consequences to business continuity. About 93 percent of companies that experience a disaster and lose data for 10 days or more file bankruptcy within a year, according to the National Archives & Records Administration, Washington, DC.
A disaster not only includes cyber attack, phishing, malware or other security breach, it may also involve natural occurrences like flood, fire, wind, or other uncontrollable acts. To mitigate the result of any disaster, natural or otherwise, companies must develop and deploy disaster recovery as part of their business continuity management strategy.
Considerations in a Disaster Recovery Strategy
Even prior to developing a disaster recovery plan, take a step back and consider the overall strategy. What are your goals? Who is in the “need-to-know” position? Should the breach be communicated externally? Is there a crisis plan? Should data be stored off-premise? These questions and more need to be thoroughly addressed to cover all aspects of disaster recovery planning. Here are some additional considerations:
The first goal in disaster recovery is to minimize risk to IT infrastructure and data and then mitigate down time. Conduct a quarterly risk assessment to uncover vulnerable areas within your IT infrastructure and identify weaknesses that need immediate attention.
Have you migrated to SaaS? Using Software-as-a-Service in the cloud quickly resolves the need for server capacity and regular upgrades. Cloud data storage ensures redundancy in the event that on-premise servers are damaged or breached. SaaS and cloud storage are two solutions that address risk to data recovery. Another is Disaster Recovery as a Service (DRaaS), and we explore that here.
The IT department’s customers include anyone touching data, hardware, apps, programs, help desk, websites, and more. Communication with owners, C-suite, investors, staff, employees, and other stakeholders is important to identify their issues of concern. Their confidence in the IT department contributes to overall company security.
Industry compliance and government regulations are top of mind in any IT department. There are privacy concerns, compliance issues and many other rules and regulations with which to conform that make data protection all the more critical and may result in financial penalty without compliance.
Develop a Disaster Recovery Checklist
Once a strategy is in place, the next step includes developing a checklist as part of overall planning. Include these eight components in your disaster recovery preparedness:
Set Your Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Disaster recovery planning includes business impact analysis with goals for recovery time objective (RTO) and recovery point objective (RPO). Work across business units to establish and assess the business needs of the company, and then begin setting RTO and RPO goals.
Determine RTO and RPO to identify:
- The amount of time needed to recover all applications (RTO)
- The age of the files to recover for normal operations to resume (RPO)
Calculating RTO and RPO helps determine:
- Solutions to survive a disaster
- How to keep recovery cost to a minimum
- Which hardware and software configurations are needed to recover workload
- The level of tolerance for downtime
Identify Staff Roles
In any disaster recovery planning strategy, designate leaders who will deploy the plan in the event disaster strikes. The designated leader shares the responsibility of rapid deployment and guides others through the process. Anyone being considered for a lead role in disaster recovery needs to document contact and emergency contact information during and beyond business hours (including weekends and holidays); provide a back-up designee; participate in training and train others in the business unit in the event of disaster. Everyone from the help desk to the C-suite has a role in disaster recovery.
Business Continuity Planning Training & Deployment
Business continuity planning (BCP) is critical in every organization, and disaster recovery planning is a subset of this overall strategy. The effectiveness of a disaster recovery plan boils down to one thing — preparedness. The leadership team needs detailed guidelines and training for each staff member on the deployment team. In a disaster recovery training manual, be sure to add:
- Communication procedures for everyone involved
- Locations for data backup and offsite storage and recovery facilities
- Contact information for third-party vendors and providers
- The deployment plan with instructions and who’s in charge
- Managing communications around the event to external and internal audiences
- Post-event roles to reestablish operations and continued communications
Identify Sensitive Documents and Data
In every company, there are essential documents and data that require an extra layer of security. Select a designee to be in charge of this data, whether paper or digital. Know where these are stored and assign someone trustworthy to manage the safe transport and transfer of such information in the event of breach or disaster.
Inventory Hardware and Software
A comprehensive inventory of all hardware and software in use by employees and contractors needs to be created and updated every six months. For both software and hardware, record the tech support contact numbers and share the location of that list with designated leaders in IT and the C-suite.
Understand the usage of applications and software in use throughout the company and categorize them by importance. Update the list every six months or as software is upgraded. Prioritize the most critical software used in business continuity and focus more attention on these apps. Use a rating scale similar to this:
- Critical: Must-have apps for business function (perhaps sales or accounting software)
- Important: Applications that can be postponed a few days
- Unimportant: Company will survive without for several days
Set Disaster Recovery Sites
Your BCP must include secondary, off-site locations where the company’s critical assets and essential data can be relocated during a disaster. This disaster recovery site should incorporate a hot site with hardware, software, personnel, and customer data; a warm site for critical apps without customer data; and, a cold site for IT systems and data storage with no technology until after the disaster recovery plan is deployed. Each site replicates workload and automatically performs backups for quicker recovery. Explore whether to hire Disaster Recovery as a Service to mitigate data loss and downtime.
Develop A Crisis Communication Plan
Regardless of the size of a company, a public relations professional should write a crisis communications plan with the leadership team. Once a breach or disaster strikes, that plan should be easily accessible and current. The strategy in the plan includes messaging to each audience including external sources such as the board of directors, investors and media. A framework for a media kit should be included with details to share publicly when the time is right. The PR team shares approved messages on the company website, social channels and email marketing.
In addition, the plan should include how a company should communicate with regulatory bodies and the industry. When a company exhibits a professional response to a disaster, with appropriate and timely messaging, there is trust and confidence in the company’s disaster management response.
Testing, Testing And More Testing
Failure due to inadequate preparation is not acceptable. Any disaster recovery plan should be revisited twice annually and updated more frequently if IT systems and infrastructure changes. Ownership of the disaster recovery planning as part of BCP management needs to be assigned to a designated leader who deploys the strategic plan and ensures that everyone meets the criteria to safeguard company data and recovery. Company-wide simulation should be conducted annually to ensure preparedness utilizing a current disaster recovery plan.