IT Insight: Make your business disaster recovery plan a top priority

According to FEMA and the US Small Business Administration, 40% of businesses do not reopen after a major disaster, 25% will fail within one year and 90% of businesses will fail within 2 years of being struck by disaster. It is critical to your business to be prepared and protected in the case of any unexpected event that causes partial or complete data loss.

What is considered a “disaster”? Simply put: A disaster is an interruption of business which degrades your service for a length of time. No matter what industry you are in, you have data that is essential to running your business. But did you know that your data could be at risk? Hardware failures, hackers and security threats, natural disasters, or plain old user error could potentially cause a disruptive incident that could lead you to lose important data for your business. In addition, there are several levels of disasters:

Local disaster: This occurs within a very limited area and would include your facility becoming uninhabitable, Internet outages or possibly a utility outage.

External disaster: This might be an event in another city which renders one of your vendors unable to respond to your requests or perhaps a massive product recall.

Regional disaster: Hurricanes, tornadoes, snowstorms, or floods which affect a large area and a large number of people.

Even the big boys, Microsoft, Google, Apple, and Amazon, have seen significant outages. These companies utilize redundant power as well as redundant datacenters to maintain their continuity. If these players have issues, how does your small business manage to maintain continuity or a disaster recovery plan? Regardless of your business size, you need dependable data backup and recovery. Your plan will include the following:

Recovery Time Objective (RTO) – What is your company’s time objective to recovery? In the case of a disruptive event, do you need to recover that data within 15 minutes, 1 hour, 4 hours, 1 day, or 3-5 days without significant impact on your business objectives?  This is how long it will take you to recover from a disaster.  This may be different for each disaster threat and must be thought out carefully.

Recovery Point Objective (RPO) – At what point in time and under what circumstances will you need to recover?  This is how much data you can afford to lose when you do get back up and running.  For many companies, this is one day’s data.  For others, it may be as little as five minutes.

Business Continuity – Does your business currently have a comprehensive Business Continuity Plan in place so that you experience minimal interruptions during a disruptive event?

Data Recovery – Are you currently able to recover your data in the event of catastrophic system failures and data loss?

24/7 Accessibility – Are your users at full productivity with 24/7 access to your server?

Security Encryption – Is your data encrypted and protected from being read by external intruders?

All information needs to be assessed from a high level.  Rating the risks, determining your priorities, and having an effective plan are necessary.

Threat analysis is necessary: rate the probability that you may experience a high-risk event, such as an Internet outage of greater than 1 hour or cyber sabotage, versus a burglary or local storm.  A “threat matrix” will help determine the worst-case scenarios for your business.

Next, what are your priorities regarding what to protect and to what extent?  What is your plan and the testing and maintenance surrounding it?  Your Disaster Recovery Plan is more about the people and systems in place to support them in an emergency.  How do you conduct business without your building, without your systems or without your people?

Review your cloud provider’s policy: should they get breached and your data be compromised, will you be protected?  Further, confirm that your Cyber Insurance policy is clear about any data loss from your cloud provider.

A large part of disaster recovery is the maintenance of your plan.  Even though it is complete, routine updates are needed.  Employee rosters with emergency contact information should be updated every time there is a new employee or one is let go, both for contact purposes and for security.

Define a recurring service template every year to update your plan.  The plan is only as good as the data within it, which must be current.  Any time there is a major change to the business network, such as a new application, the plan needs to be updated.

Every year, the plan should be tested. This may entail some serious time and you may have to pay your engineers or service provider to accomplish this.  Without testing your plan for a full recovery, you really do not know if it will work. Every time you test the plan, you will find things which did not work to your satisfaction.  Some common questions are: Can you run your systems off notebooks or mobile devices? Is the system in the cloud?  Can you connect to your business network?

Update this. Even though more of your applications and data are in the cloud, it is your responsibility to back them up regularly and verify the backups are operational. Do not just rely on your cloud vendor’s word. Take the extra time and be vigilant so that you are 100% sure you can recover.

Also review the cloud provider’s policy to confirm that, should they get breached or go down and your data is compromised, you will still be protected.  Add Cyber Insurance and verify your policy is clear on data loss from your cloud provider.

Your Business Disaster Recovery Plan: a timely and well-planned recovery can make the difference between bankruptcy and the survival of your business.

JoAnn Hodgdon is vice president and co-founder of Portsmouth Computer Group (PCGiT) with her husband David. PCG provides comprehensive managed IT services, business continuity, security, cloud computing and Virtual CIO services to their clients.  You may reach her at joann@pcgit.com  or at www.pcgit.com.