Organizations prepare for everything from natural disasters to cyber-attacks using disaster recovery plans that detail the process that quickly and without major losses in revenue or business rebuild critical functions.
Disasters occur in all shapes and sizes.
It is not just catastrophic events such as hurricanes, earthquakes, and tornadoes, but also incidents such as cyber-attacks, equipment failures and even terrorism that can be classified as disasters.
Businesses and organizations are prepared by developing disaster recovery plans detailing the activities to be undertaken and the processes to be followed to continue critical functions quickly and without major loss of revenue or business.
What Is Disaster Recovery?
In the IT space, disaster recovery focuses on IT systems that participate in supporting critical business functions. The term "business continuity" is often associated with disaster recovery, but the two are not completely interchangeable. Disaster recovery is part of business continuity, which focuses on maintaining all aspects of the business, despite the disaster. Because IT systems are so important these days to business success, disaster recovery is a major pillar in the business continuity process.
Economic and operational losses can ruin unprepared jobs. One hour of downtime can cost small businesses as much as $ 8,000, medium to $ 74,000, and large businesses up to $ 700,000, according to a 2015 report from the IT Disaster Preparedness Council (DRP).
Another survey by disaster recovery service provider, Zetta, found that more than half of the businesses surveyed (54%) had experienced interruptions lasting more than eight hours over the past five years. Two-thirds of respondents said their business would lose more than $ 20,000 for each downtime.
Risk Assessments Identify Vulnerabilities
Even if your company already has some kind of disaster recovery plan, it may be time to update it. If your company doesn't have one, and you're tasked with making one, don't run into it without a risk assessment. Identify vulnerabilities in your IT infrastructure and where things can go wrong. The prerequisite is to know what your IT infrastructure looks like.
Knowing where things can go wrong does not mean that you start making plans for the worst-case scenario. In a recent blog post in the Disaster Recovery Journal, authors Tom Roepke and Steven Goldman suggest that business continuity planning can be dangerous to define the worst-case scenario, as it draws attention from other significant threats:
"The natural tendency is to try to list or define what is the worst-case scenario, it becomes a fatal flaw because the entire planning is directed, at least at the subconscious level, so when we determine the scenario - pandemic, earthquake, cyber attack, etc. - we automatically start thinking and planning in terms of response/recovery for that specific and subconsciously defined incident. When that happens, not only do we lean towards tunnel vision in our planning efforts, but we are at risk of increased risk and exposure. This is because we will be too focused on just one or two specific areas in what we think is the worst-case scenario, not the actual event. "The key, Roepke and Goldman suggest, is to focus on" crisis management, recovery of critical functions and recovery, all the while communicating with other participants. "
What is a Disaster Recovery Plan?
Type "disaster recovery plan template" into Google and dozens, if not hundreds, of templates, will appear. Use them to get started and tailor them to your business or organization.
The plan itself should include the following:
• Setting, overview and main goals
• Contact information of key disaster recovery staff and members
• Description of the emergency activity immediately after the disaster
• Diagram of the entire IT network and recovery site. Remember to include instructions on how to get to a recovery location for staff who need to get there.
• Identify the most critical IT resources and determine the maximum shutdown time. Learn about the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO indicates the maximum "age" of files that an organization must recover from a backup to resume normal operation after a disaster. If you choose a five-hour RPO, then the system must be copied at least every five hours. RTO is the maximum time, after an accident, for a company to restore its files from a backup and resume normal operation. If your RTO is three hours, the break should not be longer.
• List of software, license keys, and systems to be used for recovery
• Technical documentation from manufacturers on system software for recovery technology
• Summary of insurance coverage
• Suggestions for handling financial and legal matters, as well as publicity.
Building A Disaster Recovery Team
The plan should be coordinated by members of the IT team responsible for critical IT infrastructure within the company. Others who need to be aware of the plan are the CEO or delegated senior manager, directors, department heads, and human resources and public relations officers.
Outside the company, vendors related to disaster recovery businesses (eg, backup software and data) and their contact information should be known. Facility owners, building managers, contacts with police and emergency services should also be known and listed (and updated frequently as names or telephone numbers change).
Once the plan is written and approved by management, test the plan and update it if necessary. Be sure to specify the next date for the disaster recovery review and / or check. Update, update, update how events (big or small) occur. Don't just put a plan in your desk drawer and hope that disaster doesn't happen.
The Catastrophe Happened - Now What?
If a disaster has occurred, it's time to start your incident response. Make sure the incident response team (if different from the disaster recovery planning team) has a copy of the disaster recovery plan.
Responding to an incident involves assessing the situation (knowing which hardware, software or system has been affected), system recovery, and monitoring (what worked, what didn't work, what can be improved).
What's Next? Cloud Or Recovery-as-a-service
Like many other IT systems that have migrated to the cloud, the same is true of disaster recovery. Cloud benefits include lower costs, easier setup and the ability to test plans on a regular basis. However, this could mean increased bandwidth requirements or reduced company network performance for more complex systems.