Although every IT leader hopes that a disaster never strikes, it always pays to be prepared. From hurricanes to cyberattacks, all sorts of disasters can wipe out IT infrastructure. Any major setback like that will be costly for the organisation, but having a good IT disaster recovery plan in place beforehand can make a big difference. In this article, you’ll learn how disaster recovery planning can adequately prepare your organization.
Causes of downtime
What should an Information Technology Disaster Recovery Plan include?
It is practically impossible to form an IT disaster recovery plan without knowing what IT infrastructure the company owns. Servers, laptops, and smartphones are all IT systems that should be included in a complete information technology asset inventory. Even if the company does not own devices, like in the case of a bring-your-own-phone program, these endpoints might still be the victim of a cyberattack or other situation.
Infographic panels: Who is behind the attacks? Who are the breach victims? What actions are being used? 43% of breaches were attacks on web applications, more than double the results from last year.
Source: https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
As such, include them in the inventory alongside other devices. When creating the IT systems inventory, be sure to consider hosted services and software-as-a-service, even if the physical machine that the software runs on is in a different location.
Once the company has a complete list of all the infrastructure it owns, the next step is to prioritize. Mission-critical servers and equipment used by top employees might be a higher priority than servers running non-critical software. The process for determining which systems are most important differs from company to company. Some organizations assign a dollar amount to each system, while others put them in order of importance within the inventory.
Aside from simply making a list of the business’s IT assets, intellectual property should also be a consideration. What data needs protecting? How should the company strike a balance between convenience and security when accessing sensitive data? Servers and devices with confidential information should be a high priority, even if downtime is not as important. The CIA triad frequently used in cybersecurity (confidentiality, integrity, and availability) forms a good basis for prioritizing the most important IT infrastructure to protect. Systems with confidential information or mission-critical server software are the highest priority, whilst systems with less stringent requirements in one of the three CIA areas should be a lower priority for both cybersecurity and disaster recovery in general.
What is threat modelling in cyber security?
According to a survey from The Hartford, 59% of businesses have a formal, documented business continuity plan. Yet, only a third of those plans have undergone testing. 33% have an informal plan that’s verbal and undocumented, and 8% have no plan at all.
Whether an organisation is developing a security strategy or coming up with a disaster recovery plan, understanding the most prevalent threats is one of the most useful steps. Penetration testing can help identify threats to your information technology assets. Companies that need to protect themselves against foreign governments have a significantly different threat model than those that are in an earthquake-prone area. It is important to ensure that money is being effectively spent on disaster recovery planning. As such, it’s a good idea to know exactly which disasters pose the biggest business risks.
For non-cybersecurity-related disasters, this strategy is still useful. Simply consider the most likely disasters and the ways that those disasters could affect the company’s IT resources. Natural disasters can destroy data centers and break communications lines, whilst disease can force the evacuation of offices with zero warning. Understanding the risks that each type of likely disaster poses to a business is the only way to come up with a cost-efficient plan to protect against them.
Cost of not having a disaster recovery plan
“Following a disaster, 90% of smaller companies fail within a year unless they can resume operations within 5 days.”
For many organizations, each minute of system downtime results in a huge amount of lost revenue. For others, preventing any amount of data loss is a higher priority. Still others must recover from a disaster as quickly as possible to avoid losing clients. Some companies cannot allocate very much money to disaster recovery as a result of their general financial situation; others see disaster recovery as a critical way of keeping the business alive.
The NIST Contingency Planning Guide visualizes the Cost for Length of Disruption demonstrating the importance of Business Continuity
Regardless of which variables are most important to a given company, it’s a good idea to calculate the lost value caused by downtime, data loss, recovery time, and excessive disaster preparation spending. From there, the company can tailor their IT disaster recovery plan to minimize the most costly concerns at an acceptable price. The price of an hour of downtime, for example, is actually far greater than the revenue made in an average hour: be sure to consider reputation damage and other negative effects that occur with repeated failures, as well as the human costs incurred in the process of bringing the affected systems back online.
How do you perform a disaster recovery test?
Even the most detailed plan is useless if it has not been tested in a mock disaster situation. Additionally, since the plan will most likely be implemented by staff who were not involved in creating it, employees should be well trained in using it. Generally, this requires more than simply lecturing employees on what they should do in a variety of situations. Testing with mock disaster scenarios is a far better way to give everyone hands-on experience solving issues that could otherwise be disastrous. Large tech companies sometimes employ extreme real-world testing scenarios, where a failure is intentionally introduced in some critical component of the company’s IT infrastructure. Although deliberately starting real disasters might seem excessively risky for most companies, these tech giants have honed their disaster recovery techniques so well that these intentional issues rarely cause user-noticeable downtime.
Based on KnowBe4’s 2020 Phishing by Industry Benchmarking Report, companies saw an 87% increase in security awareness in a 3-phase study at 0, 90 and 365 days of security awareness training. The figure shows the percentage of employees that the phishing tests fooled.
Regardless of how it’s implemented, some level of mock disaster training is a must. Employees have to know the plan well enough to use it efficiently in a real disaster. Plus, testing the disaster recovery plan is a great way to make adjustments to the plan using information learned from the testing experience.
What are disaster recovery procedures?
In nearly all disaster recovery scenarios, being able to reference documentation of the plan is very useful. Even if every employee with a relevant role has undergone training on procedures, it’s easy to forget critical details when working in a stressful situation. Additionally, the people responsible for developing the original plan might have retired or moved to other companies, meaning that quality documentation is the most important way to communicate the plan to others. For these reasons, the written documentation should be sufficiently detailed to carry out the plan without any of the original people who developed it. It should contain thought processes that explain why certain procedures function the way they do to prevent second-guessing and improve efficiency down the road.
What are the disaster recovery policies?
Different industries have different compliance requirements in areas like privacy, cybersecurity, and payment data protection. Disaster recovery requirements in standards like ISO 27001 may also apply to a given organization, depending on the jurisdiction and industry in which the company operates. With many of these regulations, disaster plans must be in a format that meets some kind of standard. When forming an IT disaster recovery plan because of a mandatory requirement, it’s important to avoid just doing the very minimum permissible by the compliance requirement. Each company is different and likely has its own specific infrastructure and considerations that affect disaster recovery. For this reason, it’s a good idea to not only meet but exceed the requirements set out in these regulations.
Disaster recovery roles and responsibilities?
Even if it’s not their primary responsibility, someone should be in charge of disaster recovery at all times. Having a decision-maker picked out means that approval of plan changes can occur faster. As a result, the plan will be able to more effectively evolve as IT systems and personnel change over the years, increasing the odds that it saves the company in a real disaster in the future.
Sample Call Tree to help employees understand who’s in charge of Contingency Planning supplied by NIST
Why is communication important during a disaster?
Being able to communicate details surrounding a disaster situation is a critical element of staging an appropriate response. Internal communication should include multiple redundant channels. This ensures that the relevant people are contactable even when the disaster wipes out the usual communication methods. External communication, like public relations and customer relations, is equally important. On occasion, the disaster itself does not cause much harm to a company compared to its failed public relations. No matter what happens, reassuring customers and the public is crucial to protecting the company’s reputation. With the list of likely disasters compiled in the threat model, companies can come up with an appropriate generic response for each situation. When the time comes, PR teams can start with one of the premade responses and quickly release a statement that prevents further damage to the business.
Why is SLA important?
Issues started by third-party vendors are a common root cause of incidents in all sorts of companies. As software-as-a-service and hosted technologies replace in-house solutions at many organizations, the odds of an IT-related disaster caused by a third party—like significant downtime or a data breach—increase significantly. In this case, having a support contract or service level agreement with vendors allows companies to hold the vendor accountable if something goes wrong. If it turns out that the vendor was responsible for a significant amount of downtime or another issue, a service level agreement can guarantee that the vendor provides credit or another form of payment to compensate for the downtime.
Disaster Recovery Plan Checklist
To make sure that your company’s IT disaster recovery plan has what it takes to protect your company, take a look through this checklist. All of the questions should have adequate answers:
- Has an exact inventory of the company’s IT systems and intellectual property been created?
- Are items in the inventory prioritized according to business value?
- What kinds of disasters should the plan protect against? In other words, what forms the threat model?
- How much data can the company afford to lose?
- How quickly does the company have to recover?
- What is the cost of an hour of downtime in lost revenue? Are there other costs that result from downtime?
- What is the maximum amount of acceptable downtime before the business is severely impacted?
- What is the budget allocation for disaster recovery?
- How detailed is the disaster recovery plan?
- Have staff been adequately trained to use the plan in a real disaster scenario?
- Has testing of the disaster recovery plan occurred in a mock disaster scenario?
- Is the disaster recovery plan well-documented?
- Does the plan meet the standards for ISO 27001 and/or other compliance requirements?
- Who are the decision makers for disaster recovery?
- How is internal and external communication handled in the event of a disaster? Is public relations able to protect the brand, reputation, and clients?
- Are contracts and service level agreements in place with vendors?
Importance of business continuity and disaster recovery planning
Some people think that disaster recovery is like insurance—useless most of the time but very helpful on occasion. This is somewhat true, but the steps taken to form a disaster recovery plan are also useful in other ways. Most cybersecurity guidance suggests some of the same steps, like determining a threat model, that are also used for disaster recovery. Disasters of all kinds are especially damaging to small and medium businesses with little excess capital, so spending some money on disaster recovery planning now is very important to avoiding a disaster destroying a business later on. DC Encompass is a leading provider of reliable and secure data backup solutions. We offer fast, reliable & seamless data backup solutions for business continuity.