A recent study found that 61% of small businesses don’t have a formal disaster recovery plan. While only 10% of those surveyed said they have ever been forced to close following a natural disaster, 20% of those who did have to close never reopened. While you can’t prevent all disasters from happening, you can put plans in place that will increase your company’s ability to respond to and survive a disaster. A little proactivity can go a long way.
With 2022 just around the corner, many businesses are crafting their budgets for the upcoming year. This is a great time to re-evaluate your existing disaster recovery plan. (If you don’t have a disaster recovery plan, that should be a New Year’s resolution you start a little early!) With a fresh disaster recovery plan in hand, you’re ready to determine where you need to invest in 2022 to ensure your business can remain solvent in the face of disaster.
For the sake of simplicity, there are three key aspects your IT disaster recovery plan should cover:
- Backup solutions
- Policies & documentation
- Testing & training
Backup Solutions
The first step is obviously to ensure your data is backed up. Which data must be backed up and which can you afford to lose? How frequently does that data need to be backed up? Daily might be fine for some parts of your business, whereas for other parts of your business even hourly backups aren’t enough. With the increase in remote workers, are you ensuring critical data residing on their PCs is being backed up?
Cloud-based backup solutions have made this much easier than a few years ago. Software tools allow backups to happen in real-time, and your backups are immediately offsite.
Once you have your data backed up, you need a solution to restore that data. In our fire example, it’s unlikely you would be able to restore the data to any of the PCs or servers in the building. Purchasing new hardware, especially in today’s environment, could take weeks or months. Again, some parts of your business may be able to wait longer to be recovered while others cannot. Do you have a plan for that?
Having a cloud-based disaster recovery option would allow you quickly restore servers and critical business applications to cloud-based instances. This solution can be quick and avoids large up-front payments by giving you a pay-as-you-go secondary site, but you must have planned your infrastructure and backup solutions to support this recovery option.
Policies and Documentation
Once you have a backup solution in place, you then need to ensure it actually gets used properly. You need policies that clearly specify the different levels of data importance, assign importance levels to specific parts of your business, and document what is expected of both users and IT for each of those scenarios. It does no good to have a robust backup solution if employees are storing critical business data on a department file server that isn’t part of your backup solution.
Documenting these policies is critical to ensure compliance. As there is turnover in your IT department, good documentation helps prevent things from “falling through the cracks” and helps new technicians quickly understand how things work and what is expected of them. Similarly, documentation for rank-and-file employees that clearly spells out their responsibilities can help both new employees learning the ropes as well as veteran employees that may have slipped back into old habits.
If disaster does strike, your IT department will need to know exactly how to access the backup data, including where is it stored and how they will access it (including passwords and other authentication requirements). If part of the recovery plan is to install to a cloud instance, which cloud service provider should they use? Have accounts already been set up? If so, how do they access them? When disaster strikes, things will be more difficult than expected. You don’t want people having to figure things out on the fly…you want them to be able to follow a script that has already figured everything out in advance.
Rank and file employees will also need instructions during a disaster. If the building is inaccessible, what should they do? If on-site servers are no longer accessible, how do they access the backups running in the cloud? Will email and IM work as normal or require different settings?
Testing and Training
Once you have a solution in place and documented policies and instructions, the final (and perhaps most critical) step is to ensure they actually work. Your IT department should have a regular process to test the backup solution to ensure critical data is both backed up and retrievable. Seemingly simple software updates can sometimes have unintended consequences, and a disaster is not the time to discover that a software update a few months ago prevented critical data from being backed up properly.
Your testing and training should also simulate the scenarios you would expect to face during a disaster. For example, while your testing of backup restoration may work fine in the IT lab, what happens when your IT technicians have to do this from home? Will the IT department have access to all the information and tools they need to restore the IT infrastructure even if they can’t access the building?
Regular testing and training will help you discover gaps in your plan. This becomes a feedback loop that helps you improve your backup solution, policies, documentation, and training so they reflect present conditions rather than conditions back when the solution was first implemented. Your disaster recovery plan needs to be as dynamic as your business plan.
Pulling it all together
Disaster recovery plans are critical, but only helpful if done right. It requires expertise to properly assess current practices and potential vulnerabilities, including limitations in various solutions. Because you don’t have unlimited resources to dedicate to disaster recovery, your plan needs to carefully evaluate which areas of your business are most critical and then select vendors, develop solutions, and document procedures to minimize downtime and protect those critical parts of your company. Once the plan is created, a continuous cycle of test-evaluate-improve needs to be built into your standard operating procedure.
As you’re finalizing your plans and budgets for 2022, make sure you are proactively focusing on disaster recovery. If you already have a plan, review it and put plans in place to test and improve it in 2022.