Close your eyes, and imagine your business five years from now, in a tight spot: the latest ransomware virus just crippled your system, a hurricane just took out your office, and John from Accounting just accidentally deleted half your database. You’ve lost all your critical information, your systems, and your ability to function. In other words, you’re toast.
Aberdeen Research estimates the average cost of an hour of downtime at $8,000 for small businesses, $74,000 for mid-sized companies and $700,000 for large businesses, and it’s quickly becoming clear to you how accurate that number is. It’s the cost of not looking ahead.
What is going through your head in this moment? What do you do? Well, first you wish that you could rewind five years. You wish that you had prepared for this. You wish that you had a Disaster Recovery Plan.
Open your metaphorical eyes. Congrats – you’re young again! Now what’s the first thing you’re going to do? (No, don’t fire John, maybe just change his permissions). That’s right! Get to work on your Disaster Recovery Plan, otherwise known as your Business Continuity Plan.
The goal of such a plan is to lay out a strategy to get your IT up and running after a disruption, so that your business can continue to function. It’s your “rainy day” preparation, ensuring that you’re not caught off guard when the near-inevitable disaster happens.
The first step is to perform a Business Impact Analysis. This involves a detailed list of your company’s critical business functions, IT infrastructure, and services supporting the organization. It outlines the consequences if these items are compromised. Your BIA should include the following:
- A list of critical hardware and software applications, so that in the case of a disaster, replacements are available and can be installed
- The order in which software and hardware are most critical to your immediate recovery, so you can prioritize which losses to address first
- The Recovery Time Objective (RTO) of each component: the maximum amount of time it can be offline
- The Recovery Point Objective (RPO) of each component: the maximum allowable age of recovered data; anything older than this will have major consequences for business operations
- Who will be responsible for managing the IT recovery plan
- A review of all relevant documentation, along with the plan itself, to make sure that everything is complete, current, and easily accessible
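As an added illustration (not from the original post), the script below encodes a few constructed BIA entries with their recovery priority, RTO and RPO, and checks a constructed backup catalog against each component's RPO, reporting components in recovery-priority order. Every name, timestamp and value is made up for the example.

```python
from datetime import datetime

# Constructed BIA entries (hypothetical): recovery priority (1 = restore first),
# RTO and RPO in hours, as the Business Impact Analysis would record them.
BIA = [
    {"name": "customer-db", "priority": 1, "rto_hours": 4, "rpo_hours": 1},
    {"name": "file-server", "priority": 2, "rto_hours": 8, "rpo_hours": 12},
    {"name": "accounting", "priority": 3, "rto_hours": 24, "rpo_hours": 24},
    {"name": "intranet-wiki", "priority": 4, "rto_hours": 72, "rpo_hours": 168},
]

# Constructed backup catalog: "<ISO timestamp> <component> <status>" per line.
BACKUP_LOG = """\
2024-05-01T00:05:00 customer-db ok
2024-05-01T06:00:00 file-server ok
2024-05-01T09:00:00 customer-db failed
2024-04-28T02:00:00 accounting ok
2024-05-01T10:00:00 customer-db ok
"""


def last_good_backups(log):
    """Return {component: datetime of its most recent successful backup}."""
    latest = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, name, status = line.split()
        if status != "ok":          # failed runs do not move the recovery point
            continue
        when = datetime.fromisoformat(ts)
        if name not in latest or when > latest[name]:
            latest[name] = when
    return latest


def rpo_check(bia, log, now_iso):
    """For each component, in priority order, return (name, backup age in
    hours or None if no good backup exists, whether that age is within RPO)."""
    now = datetime.fromisoformat(now_iso)
    latest = last_good_backups(log)
    results = []
    for item in sorted(bia, key=lambda i: i["priority"]):
        when = latest.get(item["name"])
        if when is None:
            results.append((item["name"], None, False))
            continue
        age_hours = (now - when).total_seconds() / 3600
        results.append((item["name"], age_hours, age_hours <= item["rpo_hours"]))
    return results


if __name__ == "__main__":
    for name, age, ok in rpo_check(BIA, BACKUP_LOG, "2024-05-01T12:00:00"):
        print(f"{name:14} age={age} within_rpo={ok}")
```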
With your BIA complete, the next step is your Risk Assessment. As the name implies, your Risk Assessment is a complete examination of the threats faced by your organization, and an analysis of what those threats might look like in action. It will consider the dangers posed by Hurricane Gaston, by SamSam ransomware, and by John from Accounting. Below is an example of what your Risk Assessment might look like:
Once you have developed a thorough understanding of the potential threats to your system, it is time to start thinking about how to mitigate those risks. This is a topic that merits its own post, but for now, the most important considerations include:
- Data backups. In this day and age, there is no excuse for not having them, in multiple locations and formats. Cloud storage providers, privately owned remote data centers, even external hard drives all provide means of ensuring that you’re not keeping all your eggs in one basket.
- Regular maintenance. Computer hardware is difficult to keep running – it wants to break (or so it seems). Servers overheat, disks fail, wires meet their end between the teeth of rodents. Regular inspection and replacement of necessary parts prevents situations in which you have multiple failures, which is when you really start getting into “disaster” territory.
- Responsible security. You need to be covered from ransomware to mobile malware to the human vulnerabilities in your system. With the many threats that exist today, a comprehensive security review and implementation of preventative measures is a must for any company, from a 5-person shop to the largest multinational corporations.
Always Looking Ahead
Phew, you’re done! Sort of. Your business continuity needs will change over time, and it is as important to review and update your plan as it is to create one in the first place. If your plan today doesn’t take into account cloud storage backups, for instance, you might have some work to do. The following graphic from ComputerWeekly is a great guide, providing the essential steps for your IT team to review every few months.
Because data backup and IT recovery are so crucial for business continuity, it is strongly recommended that you work closely with your IT support to ensure that a strong plan is in place and tested regularly. If you have concerns about your recovery plan, talk to your IT staff immediately.
[This post was originally published on Switchfast.com]