How to craft a disaster recovery plan for your business
If you are like most businesses today, your company depends on your IT infrastructure to run. Your sales team needs access to the CRM, purchasing agents to your accounting package, customers to your ecommerce site, and engineers to their computational software. In the event of a disaster, many critical operations in your business come to a halt. Do you have an up to date disaster recovery plan, or DRP, in place to make sure you return to normal operations as soon as possible?
We have been working with customers for years, partnering with them to develop custom software solutions and helping them understand the importance of disaster recovery as part of a comprehensive business continuity plan. This post shares lessons we have learned from our customers and during our own business continuity planning.
Who needs a disaster recovery plan?
Every business is vulnerable. When we hear “disaster recovery,” we tend to think of natural disasters like hurricanes and earthquakes that impact sizable geographic areas. Planning for the more probable likelihood that part of your infrastructure will fail or that you will be the victim of a cyberattack is just as important. A fire in your building, a car hitting a power pole, or a critical file server giving up the ghost are just as devastating as an ice storm because your employees can’t get work done and your customers can’t do business with you. And if you become one of the growing numbers of hacking victims, your data could be encrypted in a ransomware attack or your network blocked through a denial of services assault.
Some industries, like financial services and healthcare, need to pay special attention to their planning. In the financial world, almost all transactions are electronic now and nearly all the information generated is stored as digital records. A few minutes of downtime can cost a financial services company millions of dollars in lost business and may result in customers going elsewhere.
For healthcare, the HIPAA Security Rule requires a plan. Federal law states that when your systems are down and during your response, you do not compromise patient care or EHR security. Beyond an IT disaster recovery plan, the same rules require data backup and emergency mode operation plans.
Other industries—from manufacturing to retail sales to entertainment—all run on digital platforms that need to get back in place as quickly as possible. Legal requirements and privacy concerns will vary, but what is certain is that it will cost you in lost business and productivity while everything is offline.
Once you get a feel for the seriousness of vulnerability in IT systems, you next need to understand what the specific parts of that system are. We like to sort things into four categories of IT assets:
Connectivity – how your software connects to other software, inside and outside of your facility.
Hardware - The servers, computers, storage devices, laptops, and mobile devices along with any other machines that connect to your network.
Software - The computer programs, including operating systems, that run on the hardware.
Data – Any information you store digitally in data centers or distributed across your locations and employees.
The last aspect you should consider before you begin crafting your DR plan is the people involved: employees, customers, and vendors. They are just as vulnerable to the repercussions of an outage as your information technology assets. And their vulnerability has a direct effect on the future success and growth of your company.
Ten essential ingredients in a well-crafted disaster recovery plan
The following is a list of components, or steps, for creating a robust and comprehensive DRP. Use them as a guide in your planning process, adding, modifying, and prioritizing to meet your unique requirements.
Commit across the organization to a DRP.
Starting with senior management, make sure that your entire company is committed to creating and following a robust disaster recovery plan. Designate someone as responsible for the plan’s development, implementation, and improvement and let them create a disaster recovery team.
Inventory your IT assets by business function.
Next, you need to go through your IT assets: connectivity, hardware, software, and data. Identify every switch, computer, program, and database and assign each to the business functions they support.
Assign recovery time objectives for each business function.
When a disaster comes, you can not get everything back instantly. Decide which business processes are the most important so you can prioritize. A good practice is to divide the functions and their assets into three tiers: within eight hours, eight to 24 hours, and within five days.
Establish a role for everyone in the organization during a recovery.
Every team member in your organization should know what they need to do during a disaster. If appropriate, assign roles to outside vendors and customers.
Develop an emergency communication plan.
An often-overlooked part of a well crafted disaster plan is to establish a way to communicate with your employees and your customers. Capture their contact information and document how you will reach people until business operations are returned.
Document a data backup plan.
Before disaster strikes, you must have a plan in place to create copies of your data offsite that you can restore securely and efficiently. Some companies keep mirrored versions of all their data at a different geographic location. Others do not have to be back as fast and may find it more cost-effective to have regular backups at another physical location or in the cloud.
Create a hardware and software redundancy plan
Determine how you will get replacement machines and programs or how you will stage additional resources at another location for use during a disaster. This could be a mirrored data center, a secondary cloud provider, or a designated recovery site.
Understand what your service level agreement (SLA) provides in a disaster.
You probably have data and software in the cloud with a third-party provider for external connectivity. Your service level agreement, or SLA, defines what they will do when the service they provide is not available or is damaged. Make sure you can tolerate what they agree to and, if it is not acceptable, negotiate better terms or find a vendor can meet your requirements.
Ensure proper handling of sensitive information throughout the plan.
Before and after a disaster, your confidential information can become exposed. You are responsible for data protection and making sure it stays secure during transmission, storage, and use.
Build a test and improvement plan.
Last, and maybe most importantly, your disaster recovery plan needs to be continuously tested to make sure it still works and fits your needs. Also, you should plan for how you will make improvements as you discover problems or new challenges arise.
Your software plays a role in disaster recovery planning
Here at Zibtek, we are always thinking about where software fits. When creating your plan, consider these three roles for your software:
Software is an asset that must be backed up and reinstalled.
When choosing software or developing custom solutions you must consider how the programs can be stored, retrieved, and reinstalled quickly and efficiently.
Well written tools can prevent a disaster by including robust cybersecurity measures.
The best disaster recovery plan is to avoid disasters in the first place. Since cybersecurity attacks are a growing cause of system downtime, make sure you include security in your development or evaluation process.
Develop software to be fault-tolerant and redundant.
When hardware or connectivity fails, well-written software can immediately adjust. Examples are switching to mirrored databases, allowing users to work offline, and automatically switching over to different network channels.
Crafting a robust and effective disaster recovery plan is a continuous process and has significant challenges. But it is also necessary and can have a substantial impact on the success of your company not if, but when a disaster knocks out all or part of your IT infrastructure. If you have questions about how your software can become a part of your plan, or want advice from one of our industry experts, feel free to contact us for a free consultation.