Malware, cyberattacks, and other online threats can destroy your business. In fact, about 60 percent of companies who experience a cyberattack are out of business within six months, simply because they never recover from the downtime and the staggering loss of data, money, and other assets a digital disaster can cause.
Indeed, research shows that IT downtime costs a company an average of $5,600 per minute — more than $300,000 per hour!
Could your business survive that?
It could, if you have a Disaster Recovery Plan.
BCP or DRP: Which do you need?
There are two types of disaster plans. They’re different but closely related. You need both.
A Business Continuity Plan (BCP) is the overarching plan to prepare for any event that may likely disrupt your business operations. Meteorites and the zombie apocalypse are unlikely, but floods, fire, hurricanes, earthquakes, and riots in the streets are all too common.
A Disaster Recovery Plan (DRP) is a detailed plan that covers your technology — computers, servers, mobile devices, applications, etc. — against cyberattacks, system outages, and other electronic threats.
A DRP is often part of a BCP, but it poses its own separate set of issues.
This article is about creating a Disaster Recovery Plan to protect your data, applications, and IT infrastructure. So that your business can live to fight another day.
RTO or RPO: What’s the difference?
Your DRP needs to address two key metrics: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are the foundation of your DRP.
Basically, they measure how long and how much: system downtime and data loss.
The RTO is the maximum amount of time you can afford to wait to resume access to your affected systems. The RPO is the maximum amount of data you can afford to lose (expressed in units of time like the RTO).
To minimize your RTO, one good practice is to group your systems and applications into 3-4 categories. Tier 1 apps must be recovered immediately, Tier 4 can wait a day or two; the rest fall in between. Grouping your IT like this will help you prioritize your recovery efforts.
To minimize your data loss, engrave the “3-2-1 rule” into your backup plan. Make three copies of your data, on at least two different media types, and store one copy offsite. This way you have multiple copies in separate places, and also minimize the risks associated with specific media types.
Goals of an IT Disaster Recovery Plan
The main goal of a disaster recovery plan is to reduce your RTO and RPO to an absolute minimum.
In a perfect world, that’s a few milliseconds. In the real world, it depends on your actual needs and circumstances. But really, why would you even want to wait longer than .003 seconds if you don’t have to?
That’s not the only goal, however. Depending on your circumstances, your DRP should also set goals or include provisions to:
- Reduce risk. An ounce of prevention is worth a pound of cure.
- Address owner or investor concerns. Someone will lose lots of money while your business is down. They don’t want that. Their concerns matter.
- Test and update the plan. You can think up a good plan, but you’ll never know how good unless you practice it once or twice a year, identify weaknesses, and revise it. Set a schedule for testing and updating.
- Assign roles. Your entire team needs to know who is responsible for what. Few things compare to uncertainty and indecision for turning a disaster from bad to worse.
- Establish lines of communication. This goes along with assigning roles. Clear and known lines of communication need to exist throughout your company.
You’ll add to this list as necessary. The point is that technological disaster requires more than a technological response.
Elements of a Disaster Recovery Plan
A DRP needs to include certain key elements:
- Hardware Inventory. There may be more than you see at first glance. Hardware means networks, servers, desktop and laptop computers, mobile devices, and peripherals. But it also includes connectivity to your service provider, backup storage, power supplies, and your climate-controlled computer room.
- Software Inventory. Identify your critical applications and the hardware and data they need to run.
- Backup Plan. Identify all the data on all devices that needs to be backed up, and create a schedule to do that.
- Disasters List. Consider the most likely disasters, and what effect each would have on each of your systems. Obviously, ransomware and other cyberattacks are essential items in a DRP, but natural disasters count too. We don’t get hurricanes here in California, but floods and fires have destroyed hundreds of businesses — and their IT infrastructures — in recent years.
- Team Responsibilities. As noted above, you need to know who is responsible for what.
- Communications Plan. Again, how will people get the information they need, and from where?
- Legal Issues. There may be legal issues connected with downtime or data loss, including service level agreements.
- Testing and Update Schedule. Make regular testing and revision integral to your plan.
If you still want more detail on what to include in your DRP, the Gartner research and consulting firm has created a lengthy table of contents you can use as a starting point.
Final Tips and Conclusions
Some final thoughts:
- Document the plan. Your DRP is of little use in a disaster if it’s not in writing so everyone can be, literally and figuratively, on the same page. You would think this is obvious, but some people still need a reminder.
It’s not enough, however, simply to write everything down. During a crisis with everything on the line, people need to find and understand information instantly, in real time. So write in a crisp, clear, factual voice. Use short declarative statements to avoid confusion. Make the written plan easily accessible to everyone who will need it.
- With the “3-2-1 rule” above in mind, consider deploying DRaaS — Disaster Recovery as a Service — in your company.
Once upon a time, it was enough to backup all your data to hard drives beside your computer. No longer. Drives are still part of the answer, but today we have the cloud.
For instance, a hybrid cloud service like Microsoft Azure accomplishes everything the “3-2-1 rule” recommends: redundancy, separation, integrity. Its comprehensive backup and site recovery capabilities can handle most or all of it for you.
- PC Professional is a certified Microsoft Azure partner and an expert in disaster recovery, network security, and managed IT services. We have extensive experience designing and implementing disaster recovery plans for a wide range of businesses.
Contact PC Professional to schedule a disaster recovery assessment and develop a plan that could save your business $300,000 per hour or more in losses.