Hackers hijack your systems with ransomware. A data breach exposes customer data. A broken pipe floods the server room. A natural catastrophe, such as the recent deluge created by Hurricane Florence , keeps IT staffers from reaching work to attend to systems—possibly for days. These are just a few examples of IT disasters that can be disruptive to the organizations they strike.
Disasters can also be expensive. A survey by Aberdeen found that one hour of downtime can cost small businesses up to $8,600. With that number in mind, can you afford to lose your systems for a day? A week? The financial losses can mount in a hurry …
For this reason and others (including costs to solve the problem, reputational damage, regulatory penalties, employee morale, and more), disaster recovery (DR) plans are essential for every business that relies on IT to function. If and when something calamitous occurs, you must be ready to overcome the event and not freak out. Without a plan, recovery time may increase, as will overall costs.
Frightened? You should be a little, but establishing a disaster recovery plan can ease some of your fears. Here are some steps toward achieving that goal:
What Is Disaster Recovery?
On the surface, disaster recovery can mean different things to different people and organizations. But in the strictest business resilience and IT sense, disaster recovery is the steps and processes taken to recover systems, data, and functionality after a catastrophic incident. Such events include (but aren’t limited to) cyberattack, server or network malfunction, data loss, and physical damage to IT equipment. A tornado hitting your headquarters might be a disaster, but unless it takes out your server room, it might not necessitate disaster recovery.
A distinction should be made between disaster recovery and business continuity and crisis management. Business continuity is the restoration of operations following a disruptive event. It could (and often does) include disaster recovery if IT systems were affected (some business continuity plans initiate alternative IT solutions during recovery), but its ultimate goal is to get the business functional as quickly as possible. Crisis management is the overall response—possibly including public relations, employee safety, facilities cleanup, and more—to a crisis that may or may not be technology-related. For IT departments, disaster recovery is the primary resilience concern—especially in this age of ransomware, DDoS attacks, and other crippling cyberthreats.
Assess Your Systems
A basic of disaster recovery is knowing what must be recovered in case of emergency. For example, you don’t want to be scrambling after a cyberattack to find out where your data is being backed up. Look at your current IT and identify any vulnerabilities, especially critical systems that would require advanced procedures to restore. Examine your backup strategies and determine how easy or difficult it would be to recover data. Gauge your team’s skill sets to identify whose expertise will be needed to stop an emergency in progress (say, during a cyberattack) and to get your IT back to its pre-crisis state.
Build a Plan
The minutes, hours, and even days after an IT disaster can lend themselves to panic, even if you are prepared. Planning ahead lessens the impact of the emergency and reduces the time needed to return your systems—and your business—to normal. Your DR plan should include:
- Determining who is responsible for what in an emergency
- Identifying which third-party vendors you will call for help with their software (e.g., if your CRM platform goes irretrievably kaput, calling the provider for assistance)
- Details on how you will contact customers affected by the disasters, and what steps you will take to restore their ability to use/purchase your service
- Steps to take to get your systems—and possibly your entire business—up and running in the shortest amount of time possible.
Once your plan is in place, test it to see what works and what needs modification. Some organizations run full disaster drills; others simply go through the steps to, for example, restore data from backup. Being prepared means that if an IT disaster does occur, you can confidently manage the situation.
Some disaster events, such as the aforementioned tornado, are unavoidable. Most, however, can be at least mitigated, if not avoided, with proactive due diligence. The best DR plans are never needed because you’ve adopted smart IT strategies beforehand. Consider:
- Ransomware, viruses, DDoS attacks, and other digital intrusions can be prevented with strong cybersecurity. If your current software isn’t equipped to adequately protect your systems, look to quality third-party solutions the fill the gap.
- Hardware failure is always a risk, but with diligent upkeep and cloud backup, a failed server won’t be as disruptive.
- Employee error causes more disasters than it should, but with continual training of IT personnel and front-line users, the chance they will mess something up is reduced.
- Steps can be taken to prevent data loss during a disaster. For example, third-party monitoring can queue incoming email once a loss of connectivity is detected.
- Careful assessment of IT facilities can stave off many problems. For example, server room environments can be monitored so they won’t overheat or become too humid.
- Even acts of God can be mitigated. Yes, a blizzard or hurricane may cut power to your systems, but diligent businesses will have backup power on hand or be ready to initiate off-site and/or backup systems in little time. And the same diligent businesses plan ahead if they are in a blizzard- or hurricane-prone area—they don’t react to the disaster, but prepare for it.
Ultimately, the best DR plans are ones you never need to initiate. Threats are stopped before they become disasters; crises are handled before turning into catastrophes. And if an incident becomes more serious, a good plan, possibly with outside help such as the AppRiver Digital Disaster Recovery Program we offer, prevents costly chaos.