How To Create An Effective Disaster Recovery Plan
Whilst the digital revolution has boosted opportunities for business growth, technology also increases the risk of disaster.
In today’s world, businesses are compromised when servers fail, suffer a data breach, or an employee makes an error.
Devising a disaster recovery plan that details all kinds of potential disruptions to your business operations helps you to respond quickly should you ever need to.
A disaster recovery plan lays out the process for getting critical operations up and running as soon as possible. It should give you a clear course of action to reconstruct or salvage data and appoint specific responsibilities to key personnel.
The key objectives of a disaster recovery plan are:
- Minimise downtime
- Prioritise mission-critical data
- How to remain function with the least amount of disruption
- Assess the potential risks
- How to best protect the sensitive data of your customers
- Maintain lines of communication with customers, remote employee and supply chains
- Prevent the potential of paying ransomware
- How to ensure you are GDPR compliant and avoid penalties
Increase in Cyber Attacks
Cybercrime is posited as one of the major threats to companies of all sizes. With an increasing number of cyberattacks disrupting operations, together with GDPR penalties issued for data breaches, companies could be financially crippled if they don’t have an effective disaster recovery plan.
In 2020, ransomware attacks were up by 150% on the previous year. Victims typically shell out between $20,000 and $40,000.
Cybersecurity firms also report an increase in attacks on proprietary operating systems used by remote workers.
Researchers reveal that malicious actors utilise social engineering techniques (phishing) which are becoming more sophisticated by the year.
Employees, applications and software pose the greatest risk for a cyber attack. Malicious actors target the weakest points of a company. It is estimated that a cyber-attack occurs every 39 seconds.
No single business is immune to cyberattacks. In the past year, household brands including Microsoft and Manchester United have fallen prey to hackers.
To put the threat of potential data into perspective, take a look at this (pretty long) list of companies that suffered a data breach in April 2021.
There were 53 brands in one single month.
Yes, you did read that right, in April 2021 alone!
How to Create A Disaster Recovery Plan in 5 Steps
Digital companies with an IT infrastructure need a disaster recovery plan. The roadmap won’t be the same for every company, of course, but generally speaking, the steps below provide some guidance for creating an effective disaster recovery plan for your business.
STEP ONE: Risk Assessment
The central focus of any disaster recovery plan is knowing how to respond to the potential array of disasters.
Before you know how to respond, you need to evaluate the potential scenarios in which a disaster could disrupt your business operations and to what degree.
In most cases, potential fault points include:
- Cyberattack
- Natural disaster (fire, hurricane, flood)
- Human error
- Cashflow
- Personal injury claims against you
- Intellectual property claims against you (copyright, plagiarising)
- A public scandal that damages your reputation
- Fraud (internal or external)
By analysing the risk and business impact of potential disruption and financial loss to your business, you will be able to identify priorities in each case and put a recovery plan in place.
Work with key figures in each of your departments to determine which risks most affect them and outline the objectives to recovery together with critical timelines.
Risk assessment is a critical step in the preliminary stages of creating an effective disaster recovery plan. Once you have highlighted the potential hazards, it’s easier to determine which assets you value most highly to ensure business continuity.
Consider these questions
- How could a particular disaster harm your business and what damage would it cause?
- In the event of a system or device failure, how quickly would you need to repair the problem? This is known as recovery point objective (RPO), the maximum amount of time you are prepared to absorb after a disaster.
- What are the risks of your business premises being damaged by fire, flood or storm and what are your options for relocating or running your business remotely?
- Can your business stay operational in the event of a government shutout like the recent coronavirus lockdowns?
- How would you recover data to stay in operations in the event of a ransomware attack?
- How will you recover data if files are accidentally wiped from the server via human error or from a malicious malware attack?
- How will you perform a public relations campaign in the event of a data breach, scandal or covert attack by your competitors that damage your brand reputation?
- What financial damage would you incur if legal action is brought against your company and how will you prevent such incidents from bankrupting your company or tarnishing your reputation?
STEP TWO: Organise Mission Critical Data
The first place to start when determining how you will respond in the event of a disaster is getting your priorities sorted.
The burning question is: What do you need to remain operational?
Your disaster recovery plan should list every asset of your business that is mission-critical. Detail which devices and applications you most need and how your employees will be able to access the ‘tools of the trade’.
The gold standard for data recovery in the technological age is cloud computing services. Migrating operational data to the cloud will mean your employees can still access files and folders in the event of an on-premise server failure or natural disaster.
You should also list critical data in order of priority so the people responsible for the data recovery process know which assets (apps, folders etc) need restoring first and which can be left until later.
The details should not only cover what you need to recover but where you will be able to recover it if your on-premise network is compromised.
The goal of this exercise is to determine the best solutions you have available to restore operations in the fastest way possible. A disaster recovery plan should be designed to minimise the disruption to operations.
Consider these questions:
- Which tools do you need to provide a service to your customers?
- How will your business stay functional?
- What equipment does your staff need to continue working and which data do you need to access?
- What sensitive data, if lost, poses the biggest threat to your business in the event of a cyberattack?
- Do you have intellectual property or proprietary business data you want to protect to maintain your position in the market?
STEP THREE: Responsibilities and Communication
No matter how disaster strikes, someone needs to sort it out, and the problem needs to be communicated to all affected parties (employees, customers, suppliers, regulatory institutions etc).
For each potential disaster, someone in your workforce should be assigned the responsibility of leading the response. Don’t list specific people because personnel come and go. Assign tasks to roles within the business.
The person in the named role will be responsible for informing all affected parties of the problem and organising the response process. In some instances, you will also need to determine which roles perform which tasks further down the line of the recovery plan.
For example, a failure with your IT infrastructure would ordinarily be appointed to the IT manager. However, there will be several actions to perform which will most likely be delegated to other members of the team.
It’s worth noting that the CEO doesn’t necessarily have to be the first person to be contacted in the event of a disaster either.
For example, if your office premises suffer fire damage, the first point of contact would ordinarily be the maintenance supervisor who would inform the CEO.
In terms of responsibility, the office manager would be responsible for finding an alternative location and the IT manager would be responsible for setting up your workforce with relevant tools and equipment. The only role the CEO would play is to handle communications to employees, customers and stakeholders etc.
STEP FOUR: Response Steps and Recovery Goals
Preparing a plan of action in writing provides each of the individuals that have been assigned lead responsibility with a step-by-step guide.
This is the hardest section of a disaster recovery plan because you need to know what solutions you have available.
However, there will be some disasters that are not obvious, or even likely, when you initially draft a disaster recovery plan.
For example, today you may need to plan what to do if credit card details are stolen, but several years along the line, credit cards may be obsolete because everyone is paying for goods and services with digital tokens.
Most industries have regulatory obligations with regards to reporting, documentation and data protection. Under GDPR, for example, companies must report a data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach.
Outlining timelines is important at this point. You need to determine how long your business can survive without operations and how soon you need to rectify the problem.
We have discussed goal setting and recovery time objectives in a previous article – Understanding RPO and RTO for Disaster Recovery.
STEP FIVE: Create a Test Disaster Recovery Plan
It’s all well and good creating a disaster recovery plan, but even the best-laid plans are of no use if they do not work in practice. The final step to implementing an effective disaster recovery plan is to test it and iron out the creases.
Testing your disaster recovery plan should include:
- Potential failure points to response:
A disaster recovery plan will detail response solutions. Each solution should be tested to ensure it works, but also to determine if anything could go wrong with the solution. Are there any single points of failure that could encounter a problem?
- Actual recovery time
The estimated recovery time detailed in your RPO may not reflect the actual time it will take to recover data. Putting a plan into action will enable you to get an estimate more accurately, and if anything overstates recovery time.
- Accessing recovery points
In order to reduce the amount your business is out of action, you need to know how to start the recovery process and understand potential obstacles that could delay your business from returning to fully- functioning order.
Cloud Backup and Data Recovery Services
A key attribute of any disaster recovery process is disaster prevention. Cloud computing services have become a de facto solution to prevent data loss and help to get your business back up and running with minimal disruption.
Storing data in a remote cloud server ensures you avoid losing data in the event of a system failure, cyberattack or natural disaster. The cloud won’t solve all your problems but it does resolve priority – staying operational!
Let’s say, for example, that hackers with ransomware tools hijack your primary business network. Without a cloud backup, you would have no option other than to pay the ransom to regain control of your business networks and access mission-critical data.
With cloud-based solutions, all your data is backed up and easily recoverable. You can also set up a virtual desktop. This provides employees with a secure environment that is separate from your primary network.
Therefore, even if your database or drives are corrupted, your data can be accessed in the cloud and your staff can continue working with the apps, files, documents and tools they need to perform their job.
Likewise, if the hardware is damaged or malfunctions, you will still be able to access mission-critical data. Cloud solutions – such as the Microsoft Modern Workplace – can also help to share files and enhance communications.
IT Support Team in London
In a time of crisis, you need people – or partners – you can rely on to resolve the issue swiftly. For IT disasters, our team of IT support specialists in London will ensure your cloud computing solutions function when you need them most.
Together with cloud backup and disaster recovery services, our experienced and knowledgeable experts can even help you devise a reliable disaster recovery plan.
In addition, MicroPro has a suite of robust network management and cybersecurity solutions that can help prevent disasters from occurring in the first place.
Preparing for the worst is not pleasant but it is essential. As the saying goes, it’s better to be safe than sorry.