5 business continuity planning tips for smooth sailing

Gaining peace of mind when running a business is all about preparing for the worst. Anyone can enjoy the good times, but the savviest business owners will have a contingency plan in place for when times get rough too.

And rightly so. Cybercrime damages are expected to hit $6bn by 2021, and there are a number of other situations that could cause serious downtime for businesses. This is where business continuity planning comes in. 

Take a look at our 5 tips and make sure you and your business stay protected.

Tip #1: Remember the aims of business continuity planning

When many business owners think of continuity planning, they automatically think of disaster recovery. This is understandable — after all, both concepts relate to the ways in which businesses bounce back after a catastrophe or an attack. Yet it is important to differentiate between the two.

While disaster recovery plans relate to minimizing damage and mitigating the negative effects of a disaster, business continuity is more positive. It is about absorbing the shock so that your customers and clients barely notice and your market reputation remains undamaged.

So, no reduction in service, no operating at half-capacity, no disruption whatsoever. Your business continuity plan should be geared towards achieving this.

Tip #2: Risk assess and prioritize

You are dealing with danger and risk, and therefore risk assessments should be a big part of your planning procedure. 

Approach this like an audit. What are the key risks you are working against? And what are you going to do to keep your business up and running should the worst happen?

Remember that you will need to allocate resources in the right way. Particularly, you will need to prioritize your risk management.

Tip #3: Decide on responsibilities

A degree of delegation is required if you are to implement a successful business continuity plan. This way, no matter when, where, or how the situation goes bad, your teams will be able to seamlessly roll out the plan. And your company’s reputation will be secured.

So, who will be responsible for what? Larger-scale organizations will be able to allocate responsibility at the department level. Smaller companies will likely have individuals looking after key areas. However you decide to partition your response, make sure all areas are covered, and there are no weak links in the chain.

Tip #4: Be specific

Deciding on who is responsible for what gives you a degree of structure. But you need to go further than this if you want your clients and customers to be fully protected even when the worst happens.

To achieve this, you need to get specific. Design a diagram covering the key duties of different teams and staff members. Make sure that each of these items is supporting a specific outcome.

Refer back to your risk assessments, consider what your clients need, and map out the specific details in order to make that happen. 

Tip #5: Understand the emergency action plan

With the nuts and bolts in place, your plan is almost complete. However, many organizations fail to recognize that the business continuity plan will only be deployed in an emergency situation. This means high stress, high stakes, and no margin for error.

To make this emergency situation a little easier on your team, you need to put an emergency action plan in place. This way, everyone will know exactly what they need to do, and in what order.

Of course, a degree of flexibility is important. But having a rigid action plan in place will make it easier for your staff to quickly take control of the situation.

To learn more about business continuity planning and how to protect the reputation of your business even in a disaster, get in touch with the ISG technology team.

7 Signs That Say It’s Time to Consider Cloud Disaster Recovery

What happens to your business in the event of a disaster? How do you bounce back? To secure proper business continuity, whatever the weather, you need a disaster recovery plan.

Read on for seven signs that tell you it’s time to implement a cloud disaster recovery solution within your disaster recovery (DR) plan.

Your business is not prepared for disasters from within

When you think of disasters occurring in relation to your business, it’s tempting just to focus on external factors. However, this could leave you exposed to a multitude of problems from within your organization. Research published by Veritis found that only 23% of disaster incidents are actually caused by external security breaches, with almost three-quarters of incidents originating from within. Make sure that you are prepared for any issues within your own IT architecture or elsewhere within the company.

You can’t remember the last time you tested your disaster recovery plan

Putting a disaster recovery plan in place should not be cause for “resting on your laurels”. Instead, this should be just the beginning. Your field is ever-changing and evolving, which means the risks you face are changing and evolving too. Make sure to test your DR plan regularly, to make sure it is up to scratch and able to support you as you move towards growth.

You can identify too many “fair weather” elements

You can’t expect the hands of fate to be lenient in the event of a disaster, and so your plan needs to be watertight. Try this as an experiment: describe your disaster recovery plan and protocols verbally, at length. Any instance in which you need to say “unless,” “as long as,” “provided that,” or any other conditional allowance for your plan is a weak spot. Make sure that these weak spots are eliminated.

You meet the minimum regulatory requirement, nothing more

The regulations are great. They make sure that all businesses maintain a base level of responsibility and care in how they operate, and they provide protection to the consumer. However, they are a minimum standard — and we really mean a minimum standard. Make these regulatory requirements your baseline and work from there.

You rely too much on untested protocols

If the disaster recovery plan you have in place has not been tested, it is not battle-ready. And if it is not battle-ready, you have no idea what is going to happen when it’s time for action. As many as 93% of businesses without an effective DR plan will be put out of business if they are hit by a catastrophe, so the seriousness of the situation cannot be overstated. Unless you have a whole lot of resources at your disposal for developing your solutions, make sure everything you are using is tried and tested.

Your disaster recovery plans are not people-focused

It’s a cliche, but it’s a cliche because it’s true: your business needs to be people-focused. And this includes your disaster recovery plan. You might have software solutions and other disaster recovery measures set up and in place, but what about your personnel? Do they know what to do? Make sure your teams understand exactly what is required of them during the recovery process, and aid them with cloud-based support.

You have no remote Plan B

It is possible that your team members will not be able to approach work in the same way, for example, if a crisis makes office-based work impossible. This is where you must embrace the potential of remote work. Without a cloud solution in place, this is simply impossible and could cost you dearly.

A disaster doesn’t have to shutter your business’s doors. Heed the warnings above, implement a cloud disaster recovery plan, and if the worst-case scenario actually happens, you’ll be capable of dealing with it. 

How Cybersecurity Fits Into Disaster Recovery

Having a disaster recovery plan is essential when you’re trying to keep your business and its reputation safe. In addition to focusing on details such as how you’ll function during adverse weather, you need to focus on cybersecurity. By learning more about the way cybersecurity and disaster recovery intersect, you can reduce the impact on your business if the worst happens.

Decide what requires your protection

The essence of a disaster recovery plan is to protect your organization’s data. To ensure your plan is extra-efficient, you need to choose exactly what it is you’re going to protect.

For example, if your business represents many clients, and you need to hold information about them to continue operating, what information is the most important? After you’ve identified the type of information that’s most important, you can move onto protecting it against one of the biggest cybersecurity threats: ransomware.

According to Business Insider, ransomware generates around $25 million for hackers each year. As it’s such a financially juicy target, it’s safe to assume that your most important information is at risk too. By gathering that data and backing it up in a safe space such as the cloud, you can lessen the impact if ransomware takes hold.

Treating all devices as a gateway for disaster

Most people in the United States own a smartphone. Many also have their own laptops and tablets. As a result, more employers are allowing employees to access company information remotely. The benefits of remote access include being able to work at home, working during a commute, and being able to contact the office while on business trips.

Unfortunately, every device that can access your business’s information is a gateway for a disaster. At the same time, those same devices can act as vital tools when disasters strike elsewhere. To prevent devices from becoming disaster gateways, ensure employees receive ample training on cybersecurity threats and identifying phishing emails. To make the most of your employees’ devices, ensure they’re equipped with everything they need for remote access when adverse weather hits.

Consider where you’ll need to mitigate impacts

It’s an unfortunate fact that disaster will hit all businesses at some point. While that may be certain, it isn’t clear just how bad the effects will be. Although you can’t predict the future, you can try to offset impacts in advance.

To offset impacts in advance, consider what the most disastrous element of a cybersecurity threat would be. For example, if a successful DDoS attack were to bring your website down and prevent customers from making transactions, how could you minimize downtime? Or, if a data breach results in highly sensitive information leaking elsewhere, what steps can you take to reduce the impact on your clients?

For most businesses, the biggest impact of a cybersecurity disaster is financial. On average, breached client records cost an organization $150 for each one. In the healthcare industry, the cost rises to $429. You may benefit from identifying potential costs to your business during a disaster and then consider ways to prevent or reduce them.

When examining how cybersecurity and disaster recovery intersect, always create a solid plan. If your business encounters any changes, ensure you update your plan accordingly. It’s always worth reviewing your plan as time goes on too, so you can make sure you’re abreast of the latest threats.

Mitigating disaster risk and downtime for hospitals

In July 2018, Blount Memorial Hospital in Tennessee had a nightmare experience. Their electronic health records (EHR) system was offline for three days. During that time, 90 doctors were unable to access patient records.

Appointments were canceled. People didn’t receive care.

When the whole thing was said and done, the hospital’s board of directors made the decision to invest in a $30,000 backup system to ensure nothing like that would ever happen again.

What’s at risk

Hospitals and other medical services businesses are in a unique position when it comes to disaster recovery and downtime readiness. This isn’t just a matter of lost profits, damage to your reputation, or inconvenience for your employees and customers. The health and wellness of people are at stake.

As a result, every kind of medical services provider has an obligation to go above and beyond to mitigate the risk of downtime and prepare for possible disasters.

Practical measures

In advising these businesses about disaster recovery, the core of our standard advice is the same for hospitals, physician practices and other medical businesses. Prepare. Don’t just wait for disaster to strike. Have a plan.

When it comes to the medical industry, there are specific forms of preparation that are uniquely important. Below are some of the things medical providers should do to lower the risk of downtime and prepare for outages.

Expect downtime

First and foremost, let go of any expectation that downtime won’t happen to you. Your hospital isn’t exempt. Your office isn’t the exception. Downtime happens to just about every business. It can (and will) happen to yours.

That’s an important step in preparation because you won’t take a disaster recovery and downtime plan seriously if you think you’ll never have to use it.

Create a communications plan

A communications plan is essential for any disaster recovery plan. Your doctors and staff need to know whom to contact, how communications will be conducted, which channels will be used for what purpose, and what communication activity is most essential in the event of downtime.

Be specific. Spell out exactly who should be in contact with whom, and make sure everyone knows the plan well ahead of time. Update it when you have changes in your system, your policies and in your personnel, if appropriate.

Develop a downtime toolkit

Downtime toolkits “contain paper copies of clinical documents and procedures to follow when their EHR is not available.” A downtime toolkit may also include a read-only database of patient records as an emergency backup system.

This is a critical resource, but one that absolutely requires the help of an IT consultant. A doctor’s office that deals in non-emergency care may not need a full downtime toolkit, but every hospital should have some kind of system for continuing to provide healthcare, even if the entire local network goes offline.

Consider an on-site fallback generator

On-site generators can help in situations where a power outage is to blame for downtime. However, power outages are only one of several things that can take an IT network offline. While an on-site generator certainly makes sense (particularly for critical care facilities), this alone will not protect your hospital from every form of downtime.

Perform downtime drills

EHR simulation drills will give you an idea of how prepared your hospital’s staff are, and they will give your staff a chance to understand and experience what to expect when the real thing strikes.

As a recent article in EHR Intelligence notes, “Strategizing to fill gaps in care that crop up during EHR downtime simulations can help to reduce the risk of slowdowns, delays, threats to patient harm, or billing problems during real instances of EHR downtime.”

Enlist some help

Finally, no hospital should be without professional help when it comes to downtime readiness and a disaster recovery plan. If your in-house IT department isn’t fully prepared to take on this crucial task, find an IT consultant with experience supporting the healthcare industry to help you and your team.

With the right preparation, downtime won’t stop your hospital or medical practice from providing the care your patients rely on.

The complete DIY disaster recovery guide for SMBs

What’s inside:

  • What your people need to know about disaster recovery
  • The essential components of disaster recovery for SMBs
  • Why you need a disaster recovery plan (even if you think you don’t)
  • How to test your disaster recovery plan

Chapter 1

Why you need a disaster recovery plan (even if you think you don’t)

When you’re a small business owner, you absolutely need a disaster recovery plan. Unfortunately, a surprising number of owners shrug off this fact. Here are a few of the most common reasons we hear:
  • Nothing bad will happen . . . or if it does, it won’t be too bad
  • Time is better spent focusing on today’s issues and not on “what ifs”
  • A disaster recovery plan is important, and it’ll get done soon (rinse and repeat)

You see where this is going. A disaster hits the business, and, just like that, months or years of hard work disappear. It’s nothing short of tragic. Particularly because there are things you can do to prepare.

But first . . . what is a disaster recovery plan?

Before we get into the nuts and bolts of disaster recovery, let’s make sure we’re all on the same page. What is a disaster recovery plan?

It’s a plan to help your IT systems get back on track after an emergency. You may sometimes hear the term “business continuity,” as well. The two are not the same thing. Business continuity addresses everything necessary to keep a business running, no matter what. Part of that is disaster recovery.

The likelihood of a disaster

Ready for some less-than-pleasant news? It’s likely your business will experience a disaster. Oh, you may never have to endure a tornado or a hurricane, but something will eventually take your entire business offline unexpectedly. Disasters come in different forms and vary in severity.

There are natural disasters such as earthquakes, fires, floods and blizzards. And then there are technological disasters such as cyberattacks, phishing scams, internet outages, and power failures. There are even man-made disasters such as civil unrest, terrorism and explosions. Not to mention the “small” stuff, like simple blackouts.

And the more unprepared you are, the more costly downtime is. Even one hour of downtime could cost your business several thousand dollars.

Take a look at these stats

You don’t have to take our word for it about the high cost of poor preparation. The numbers tell the story just fine on their own.

After a disaster, 40 to 60% of businesses fail to reopen. Of those that do reopen, 25 percent go out of business within a year.

90% of small businesses close within a year if they cannot get their operations back up within five days.


46% of businesses have incomplete disaster recovery plans or no plan at all.

22% of businesses have declared a disaster in the past five years. The top causes were IT failures (hardware failures, network failures, etc.), power outages, floods, cyberattacks, natural disasters and human error.

How disasters affect your IT systems

And here’s where things get real. Let’s look at how a lack of preparedness could potentially affect your business.

  • A hardware or software failure could severely impact employee productivity and lead to disgruntled customers.
  • One of your employees could fall for a phishing scam and give cybercriminals access to sensitive company accounts, which are drained. Your business is then out thousands of dollars.
  • The space where your data center is stored could experience a burst water pipe that destroys the equipment housing your data.
  • A fire could burn your business down to the ground, completely wiping out your IT infrastructure.
  • A lightning strike could create a surge and fry critical equipment, forcing you to close for just a few days. In that short time, your business could get a reputation for being unprepared or unreliable.

That’s why you need a plan

A disaster recovery plan doesn’t stop the disaster. That’s not its purpose. But it does give you a way to bounce back. When you’re facing downtime, that’s what matters—how quickly you can get your network back online.

A disaster for your business won’t necessarily come in the form of a raging inferno or thundering hurricane. Rather, it may have more mundane roots, such as a power outage or human error. Whatever form the disaster takes, your hard work could go down the drain if your business lacks a recovery plan.

Chapter 2

The essential components of disaster recovery for SMBs

Now that we’ve explained why it’s important to have a disaster recovery plan, what exactly should your plan include? Here’s a look at essentials such as backups, communications and employee training.

Backups

Your business data can be lost or destroyed in many ways. Here are just a few examples:

  • Accidents, such as a liquid spill, a laptop drop or accidental deletion
  • Disasters, such as a fire, flood or tornado
  • Cybercriminal activity, such as malware, ransomware or a virus
  • Theft, even as small as smartphone theft

Part of the goal for your disaster recovery plan is to protect your data. One way to do that is to make sure everything is backed up. That way, even if something wiped out your entire office, you wouldn’t lose the information you depend on to run your business.

The 3-2-1 rule

Aim to follow the 3-2-1 rule:

  • 3: three backup copies
  • 2: in two mediums, such as the cloud and hard drives
  • 1: one copy stored offsite


The cloud is an essential player in data backups because you can continue work outside of the office and retrieve data from anywhere. Think about other things that contribute to your backup plan, as well.

  • Do you have “backup vendors” (like an ISP) should you need to quickly move from one service provider to another?
  • Do you have a backup or redundant power supply source, like an onsite generator? (If you keep a backup server onsite, you may need one.)
  • Do you have backup supplies (like food and bedding) for employees who might need to stay at the office in the event of an emergency?

Most SMBs work with a managed services provider or an offsite data center provider instead of managing their own data center onsite. Before selecting a provider, ask about their plans to prevent and mitigate disasters.

Communications plan

It’s easy to focus too much on IT in a disaster recovery plan and to forget about the human aspect. Ensure that your plan incorporates the many types of communications that may be necessary. Some things to think about include:

  • Who speaks for the company to the media, emergency responders, third-party vendors and others? (It can be a different person for each.)
  • Who reaches out to clients or customers? And how?
  • Who reaches out to employees? And how?
  • How much information do you plan to reveal in the event of a disaster? And how will you reassure those who need encouragement?
  • Do you have contact numbers (work and personal) for everyone on your staff?
  • Who are the critical members of your staff and/or what are the critical roles that have to be covered to keep your business going?

Priorities

Which systems are most critical to your mission? How much time can go by before disruption to the business becomes a serious issue? How can you protect proprietary information?

Your plan should be designed in terms of priorities. There are undoubtedly normal functions in your business you could skip or go without if you had to. As you build out your plan, make it a point to attend to the necessary stuff first. High-priority functions should have built-in redundancy.

Your “go team”

One component of your plan is to establish a “go team” that springs into action quickly in the event of a disaster. Here’s what you’ll need to do to prep your go team.

Go team prep

  • Train regularly so they’re prepared to act efficiently in various scenarios
  • Receive cross-training so they can perform multiple roles
  • Establish relationships with third parties such as the fire department and your data center provider

It’s also important for regular employees—those not necessarily at the forefront of disaster response—to receive training. We’ll look at that more in-depth in part 3 of this ebook.

In addition, disasters aren’t necessarily in the form of fires or hurricanes. For example, a phishing scam or a set of weak passwords could cripple your business. Disaster recovery also includes disaster prevention and mitigation.

Educating your employees on strong passwords, ransomware, phishing and more can prevent disasters and keep your employees calm and your data secure when one does occur.

Prevention

Just like you can reduce the likelihood of disasters with good employee education, you can also minimize the odds with regular maintenance and testing of your IT infrastructure. The same goes for testing your disaster recovery plan.

Say a fire breaks out at your workplace and it’s been a while since sprinkler systems and fire detection systems were tested. Will they work? Maybe. Maybe not.

Regular testing ensures everything is operating as it should. 52 percent of businesses test this kind of thing just once a year or less. We’ll look more at what complete testing of your disaster recovery plan looks like in part 4 of this ebook.

Chapter 3

What your people need to know about disaster recovery

Training your small business employees to deal with disasters can minimize the effects of a catastrophe, and it could be the difference between a quick recovery and devastating damage.

How to stay safe before, during and after

Employee safety comes first. Being able to access business email and VOIP telephone systems won’t matter if your people are injured. And while your data is certainly valuable, your people are irreplaceable. Make sure your disaster recovery plan includes emergency safety procedures.

You’ll also want to give some thought to alternative work locations and security practices in the wake of a disaster. If your office is unusable, where will your people go? Are you equipped to work from home? And how will you maintain data security in the interim?

Why disasters wear different faces

Most people immediately think of weather and natural disasters when they hear the phrase “disaster recovery.” But disasters come in all shapes, sizes and forms. And an IT-specific disaster can be just as costly as a fire—or even more costly. Make sure your employees have a well-rounded idea of the potential disasters you face as a company. That list should include:

  • Hardware failure
  • User error (a major cause of IT disasters)
  • Power outages
  • Software problems

Some employees may not even know a disaster has occurred until after the fact. Clarifying the definition of “disaster” helps employees get on board more with prevention training.

How to prevent disasters

Use onboarding and continuing training to cover the essential topics. Any new employee should go through disaster recovery training, but don’t assume everyone will remember all those details. Be sure to do periodic refresher training sessions, as well.

Disaster prevention topics

  • Recognizing phishing scams
  • Using strong passwords
  • Downloading attachments
  • Following the BYOD policy
  • Browsing safely on public Wi-Fi while working
  • Securing laptops, smartphones and other devices


Slipping up in any of these areas can lead to an IT disaster that severely harms your business. Explain the why and how so employees know why this training matters. After all, you’re not trying to dump extra work on them. You’re trying to protect the business.

Where to go and what to do after a disaster

Suppose a disaster compels your business to move to alternative offices or to switch to telecommuting for a while. Your employees need to know a few things.

How to communicate with the company

Should they wait for an email from their team leader? Or proactively call in themselves? Or something else?

Where to go

Are you prepared to work from home? Or do you have an alternative office site B? And how soon do you expect employees to check in? To be available to work?

How to get to work

If there are folks who absolutely have to come to an office, will your business provide alternative transportation? If a critical staff member cannot get to that office, what’s your secondary plan for that?

How to access company programs and equipment

If a cloud computing service is down, what’s the next option? If a laptop is at the office and that has become an unsafe site, what should your employees do?

Who to contact

Who should everyone reach out to with questions, concerns or critical information? Make sure this list is longer than one name—and you almost certainly don’t want to be the point person here if your team is bigger than 10 people.

Are there any temporary policies or procedures?

Are there any different data security protocols to follow? Should they make adjustments to how they perform normal tasks or prioritize things differently during the recovery period?

Everything else

To make sure you’ve covered all the other topics listed above, make sure you’ve considered the following.

  • What technology will be accessible during an emergency?
  • How can the business keep its data secure during an emergency?
  • What happens if the offsite data facility is destroyed?

Looking at the last question, if your business and/or employees have been following the 3-2-1 rule, there are copies of employee data that survived the facility being destroyed. Remember, disaster recovery isn’t just about getting data back—it’s also about mitigating risk and preventing data from being compromised in the first place.

Test both your business continuity and disaster recovery plans

You never fully realize everything your employees need to know until an actual disaster strikes. That’s where testing comes in.

Testing helps everyone in the business better understand how to deal with various types of disasters and how to prevent them. It also pinpoints weaknesses in your current plan, including what employees need to know and do. Test regularly! Don’t be one of the 23 percent of businesses that leave themselves unnecessarily vulnerable.

Chapter 4

How to test your disaster recovery plan

You know the saying, “Practice makes perfect.” So it goes with testing disaster recovery plans. Companies that regularly test their plans, making necessary adjustments based on feedback, are in a much better position to get through extreme weather, hardware failures, human error, cyberattacks, and other types of IT disasters.

However, not enough businesses test their plans (or they don’t test often enough). In fact, one study shows that 23 percent of companies don’t test at all due to reasons such as plan complexity and a lack of time and resources. If this sounds like your company, find a way to address these issues or you may lose revenue or even go out of business. Here are a few tips for your disaster recovery testing.

Determine the scope

Your managed services provider, if you have one, can help you figure out the scope of your testing. If your business is small, it may be that spinning up virtual machines locally or in the cloud is sufficient for some rounds of testing. If the business is larger, testing may entail unplugging a server or intentionally causing downtime in some other way.

Consider factors such as the time and resource needs of testing plus any disruption that testing would cause your customers and how much disruption they could tolerate.

Set goals

Design each DR test with a goal and figure out the results you expect. Who is involved, and what exactly is being tested? Consider other questions such as the date of your last DR test and any IT changes since then that may require updates to the plan before testing takes place.

Document the process

There’s little point in running DR tests if no one documents the processes or acts on feedback to make adjustments. Designate one person in the business to observe and document the test.

Point person tasks

  • Record how long each step takes
  • Record any missing steps not already documented for restoration, data recovery, and emergency communications
  • Record any unexpected failures in detail
  • Record the human performance of your team

To expand on the last point, how did your employees do when faced with a bewildering turn of events? Were there parts of the DR plan that remained unclear to some employees or that caused them undue angst? Did internal or external communications fall through due to human error?

Implement feedback

Your testing may have gone well—even perfectly. If so, congratulations. Otherwise, act on the feedback you receive to make any necessary changes.

For instance, maybe several of your employees need a better understanding of their role in DR, and they need to be trained. Perhaps your systems take unacceptably long to get back online—why? How can you shorten that time frame?
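One way to turn the point person's timing notes into that feedback is sketched below. This is an added example, not part of the original post: the note format, step names, and target durations are all constructed for illustration.

```python
from datetime import datetime

# Constructed plan: documented step -> target duration in minutes.
PLAN_TARGETS = {
    "declare-incident": 5,
    "notify-staff": 10,
    "restore-database": 30,
    "verify-data": 15,
}

# Constructed observer notes: "<ISO timestamp> <START|END|FAIL> <step> [detail]".
DRILL_NOTES = """\
2019-03-12T09:00:00 START declare-incident
2019-03-12T09:04:00 END declare-incident
2019-03-12T09:04:00 START notify-staff
2019-03-12T09:21:00 END notify-staff
2019-03-12T09:21:00 START rebuild-dns-records
2019-03-12T09:33:00 END rebuild-dns-records
2019-03-12T09:33:00 START restore-database
2019-03-12T09:50:00 FAIL restore-database backup credentials expired
2019-03-12T10:35:00 END restore-database
"""


def analyze_drill(notes, targets):
    """Summarize one drill: durations, overruns, plan gaps and failures."""
    started, durations, failures = {}, {}, []
    for line in notes.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or parts[1] not in ("START", "END", "FAIL"):
            raise ValueError(f"malformed note: {line!r}")
        when, event, step = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if event == "START":
            started[step] = when
        elif event == "END":
            if step not in started:
                raise ValueError(f"END without START: {line!r}")
            durations[step] = (when - started.pop(step)).total_seconds() / 60
        else:  # FAIL: keep the observer's description verbatim
            failures.append((step, parts[3] if len(parts) > 3 else ""))
    seen = set(durations) | set(started)
    return {
        "durations": durations,  # minutes actually taken per completed step
        "overruns": {s: m - targets[s] for s, m in durations.items()
                     if s in targets and m > targets[s]},
        "undocumented": sorted(seen - set(targets)),   # done, but not in the plan
        "not_performed": sorted(set(targets) - seen),  # in the plan, never started
        "unfinished": sorted(started),                 # started, never ended
        "failures": failures,
    }


if __name__ == "__main__":
    for key, value in analyze_drill(DRILL_NOTES, PLAN_TARGETS).items():
        print(f"{key}: {value}")
```

Steps listed under `undocumented` are candidates to add to the written plan, and `overruns` shows where to start asking why recovery took longer than expected.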

Test regularly

At the bare minimum, test your plan once a year. Even better, practice it once every quarter (four times a year). Testing every month or every week may even make sense depending on the size of your company, the IT infrastructure, regulatory requirements, and how reliant your company is on IT.

You can test different elements each time with a full-scale run once a year. Remember, a disaster doesn’t have to be a full-blown act of God to make an impact. Downtime a few times a year due to internet outages can erode client confidence over time and result in clients leaving.

It can also be a good idea to run a DR test when new people step into roles. For instance, if your lead IT employee leaves and someone new steps in, don’t wait too long before doing DR testing with this new person. Otherwise, your business could be vulnerable if disaster does strike.

For guidance putting all this information to good use in your own disaster recovery plan, get in touch with one of our business continuity professionals at ISG Technology.

How to build a disaster management plan

Computers and IT systems are integral to every part of a business, with downtime and disruptions likely to cause productivity losses and economic damage. Whether it’s a natural event, a cyber attack, or simple human error, when disaster strikes, solutions are needed fast. In the context of IT, a disaster management plan is a set of strategies and procedures that attempt to restore hardware, software, and data in order to ensure fast and effective business recovery.

Benefits of a disaster management plan

An IT disaster management plan should always be developed to ensure fast and effective recovery. While data backup is an important part of this process, additional measures need to be taken to ensure compliance and the continuity of critical business systems. When implemented alongside a continuity plan using accurate information from a business impact analysis, disaster management has the ability to reduce data losses, minimize downtime, and promote a healthy business reputation.

Actionable steps to ensure containment and recovery

Managing an IT disaster is a complex and challenging task, with many issues to consider and lots on the line if something goes wrong. Success depends on organization and management before, during, and after the disaster takes place. While being able to react effectively to a situation is crucial, proactive measures are just as important. From carrying out a business impact analysis and documenting risk assessment through to containment and recovery, let’s take a look at the steps you need to take.

1. Business impact analysis

A comprehensive business impact analysis lies at the heart of every successful disaster management plan. It’s no use waiting until disaster strikes. An impact analysis will allow you to research the potential impact of disaster events. Businesses that understand how much they have to lose are much less likely to fail when a disruption occurs.

An analysis is responsible for identifying critical business functions, measuring impact events, and defining recovery strategies. Generally carried out before a risk assessment, this analysis defines critical systems and quantifies internal and external risks that may affect business data and processes.

2. Risk assessment

Once a business impact analysis has been conducted, it’s time to carry out an IT risk assessment. While these two processes are linked, a risk assessment is more concerned with describing potential threats and measuring their likely impact on business processes and resources. A business impact analysis defines your potential losses, and a risk assessment identifies and quantifies actual disaster events. Successful disaster management requires both of these steps, with businesses able to dedicate resources more effectively when they link specific disasters with specific outcomes.

3. Respond quickly and contain

While planning and organization are all well and good, action is more important than anything else when disaster strikes. Having the ability to respond quickly and effectively is critical before additional problems develop. Check on people first if a natural disaster strikes, review physical damage to computer and network resources, and ensure open communication channels at all times. The extent of data loss often depends on how quickly you respond and contain the threat.

4. Recover and minimize downtime

When the actual threat has been neutralized, it’s important to stay calm and recover quickly according to your established plan. It’s important to stay productive if possible, with some businesses able to carry out manual operations, communicate via telephone rather than computer, or initialize cloud-based backup solutions.

According to Wikibon, enterprise cloud spending is predicted to grow by 16 percent annually between 2016 and 2026. It’s important to distinguish between internal recovery and cloud-based recovery, and get access to critical business systems as quickly as possible. Downtime represents the most significant cost of disaster events, at an average of $5,600 per minute according to Gartner.

5. Protect your business reputation

An IT disaster has the potential to adversely affect your reputation, especially if it’s linked to cybercrime or network security breaches. It’s important to be proactive after a disruption event and do everything you can to protect your reputation. Regular and ongoing communication with customers and other stakeholders plays a big role at this stage, so keep people in the loop and be honest about the situation. With the right preparation and the ability to respond quickly when disaster occurs, any business can face its challenges head-on and emerge with something resembling a smile.

Disaster recovery drill best practices (2019 edition)

A disaster recovery plan (DRP) is a great way to stay proactive about your data security. But a DRP is no good unless you test it—you have to make sure it actually works, after all.
There are some things you can do during your drill to ensure you get results—good or bad—that are reliable. The goal is to test whether the plan is effective as drafted or if something specific needs to be changed to improve it.
There are a lot of factors in play with a DRP, so it pays to be methodical.

Define your goals

First, before you conduct a test, you should define your goals.
We’re not talking about goals like “Have the server back up in 20 minutes.” For the tests they will be more like “How good are communications between departments?” or “How does stress make the IT team interact with each other?”
Your goal is to answer those questions, whatever they may be: strategic questions that give you an idea of how prepared you really are. You want to test different variables to see how they influence your DRP’s execution.
Your IT crew will be trying to get the server up quickly, but you’ll be observing their performance through the lens of “communication.” Do they ask for help when they need it? Do they keep the other departments in the loop? Can they document what they’ve done and what worked?
You need to think of all the angles that could cause problems and test for each one.

Related: 7 typical disaster recovery plan mistakes (and how to fix them)

Get the team together

This may seem like a no-brainer, but get the team together and on the same page.
If anyone is out of the loop, it creates a point where communication could break down. If everyone is on the same page from the beginning, everything will run more smoothly.
You may also want to include backup personnel, just so that they have an idea of what they are supposed to do. Running a disaster recovery plan 100% from the documentation can be difficult even without the pressure that a disaster provides.

Run different types of tests

There are all kinds of tests you can run, ranging from a simple conversation walking team members through the process to a fully simulated disaster.
Don’t rely on just one kind of test. You want a variety.
This is important because it will give you a more well-rounded idea of how your DRP will actually function. Sometimes what makes sense in one test doesn’t make sense in another. Or what the technicians might do to provide a hasty fix might violate compliance regulations.
You can use the culmination of all that data to make your DRP as solid as possible.

Related: Disaster recovery testing: A vital part of the DR plan

Run tests often

If it’s been more than a year since you’ve run a test, do you know if it’s still applicable? How much could change in your company in a year? Or six months? In one month?
You don’t have to test every day, but decide on an interval that makes sense based on how you do business and how often your network configuration, staff, tech tools and compliance requirements change.

Take good notes

Good documentation of these tests is a must. Not only will it help you remember what exactly happened when, but it will help anyone else who reviews the test see the results, which keeps everyone on the same page.

Post-test assessment

Of course, you want to take any new insights learned during testing into account to make your disaster recovery plan better. Valuable data does no good for anyone just sitting in a drawer.
This is especially important when things go wrong during a test.
If the downtime is double what was expected or if a new aspect comes up that no one saw before, then it is important to determine what caused the holdup and how you can overcome it in the future.
What if the disaster that you’ve been planning for happens tomorrow?

In conclusion

Communication is paramount, whether that means meetings with the team or solid documentation. A good DRP drill should be about setting everyone up for success so you’re well prepared for whatever the future holds.
We’ve covered a lot of ground, but everything really just boils down to the scientific method: Ask a question, perform a test, observe the results, refine your understanding.
Disaster recovery is a lot like science in many ways, so treat it like science. Reach out to experts in the field and ask for guidance if you need it.

5 straightforward disaster recovery options for SMBs

In a digital environment that’s unforgiving when it comes to downtime and outages, planning for IT disaster recovery is a critical responsibility of the modern business owner. Despite this, an astounding 75 percent of small businesses have no disaster recovery plan in place.

If your SMB isn’t prepared for a disaster, it’s important to start by understanding the basic tools that will help you navigate and mitigate a crisis.

Here are five straightforward disaster recovery solutions your SMB should consider as part of an overall recovery plan.

Cloud backups

Cloud backups can be an excellent tool for protecting your data in the event of a disaster.

A data loss event can impede a small business’s operations and drastically increase its chances of closing within six months. By performing continuous backups to the cloud, your business can safeguard its data and reduce the potential impact of a disaster.

For this reason, cloud backups are becoming increasingly popular among SMBs. Approximately 78 percent of such businesses are expected to back their data up on the cloud by 2020.

Cloud backups also have the advantage of letting you keep data geographically remote to avoid complications from natural disasters. Experts recommend keeping your backups 200 miles or more from your actual location.

Virtualization

Like cloud backups, server virtualization is useful for keeping data safe, as well as for limiting the amount of downtime that your business will experience during a disaster.

Virtual servers allow businesses to create exact copies of their data centers. If a disaster strikes, this copied version can be used to maintain essential functions while the problem is solved. As a result, SMBs can maintain high levels of availability.

Virtualization is also extremely useful for disaster recovery testing, as tests can be run in the virtual environment instead of in your business’s main system.

Mobile communication and collaboration systems

When a disaster strikes, it’s critical that your team members remain in contact. By maintaining communication through mobile devices or social media platforms, your team can coordinate its disaster recovery efforts and minimize the amount of downtime that will occur without having to be in the same place at the same time.

With good remote communication and collaboration systems in place, your business can mobilize more quickly and launch a coordinated effort to mitigate the damage.

Uninterruptible power supplies

Disaster recovery solutions tend to focus strongly on software and data, but protecting business hardware is also an important consideration. For this reason, an uninterruptible power supply (UPS) can be a very useful tool in an emergency.

A UPS is a battery device that will provide temporary power and allow you to properly power down your hardware assets.

Monitoring solutions

Disaster recovery is often a race to keep downtime to a minimum. If you are forced to deal with a disaster involving your network, monitoring software that logs changes and unusual activity can help your team identify and quickly resolve the problem. In some cases, you may even be able to head the threat off before it develops into a full-blown disaster.

With proactive security monitoring, you can keep your business safe and keep your IT systems running more smoothly.

Ready for anything

Using these five tips, your business can begin to craft a basic plan for disaster recovery.

The more you can prepare now, the less likely your company will be to experience catastrophic failures when a disaster does occur.

 

7 typical disaster recovery plan mistakes (and how to fix them)

A disaster recovery plan is just one step in an approach to keeping your business running well. Cyberthreats aren’t going away and new threats emerge all the time. Complete data protection requires a robust plan that includes everything from backup and disaster recovery to business continuity.

If you’re serious about crafting a disaster recovery plan that will protect your business, there are some common mistakes you’ll want to avoid. Here are 7 pitfalls we see businesses get sidelined by on a regular basis—and how you can overcome them.

1. Not having a plan at all

The only thing worse than a disaster is a disaster you’re totally unprepared for. If disaster recovery is totally new for you, don’t sweat it. Start by reading our guide to completing a disaster recovery plan.

2. Not clearly noting who is responsible for what

It’s natural to focus your data recovery plan on the data itself, including the hardware and cloud storage you depend on. But what will keep your business going is your people.

If you have a managed IT services provider, they can certainly help, but it’s not all on them. That’s because this is about your business.

For each step of data recovery, you need to know who will be affected and who will be responsible. Consider management, employees, departments and sometimes even customers.

3. Not having a plan for communication (internally & externally)

An easy mistake to make is assigning roles for each task but not considering how people will be notified of the step in the process.

Your communication plan can take many forms, from modern solutions like mass notification through SMS messages to an old-fashioned phone tree. The specific tools you use don’t matter nearly as much as having a clearly outlined plan well in advance.

Make sure everyone in your organization, as well as your managed IT services provider, is included and informed.

4. Not identifying critical processes

It’s easy to get stuck in the weeds. You know the systems you use, as well as the pitfalls and obstacles associated with each. But don’t forget the goal: business continuity.

Not everything you do is critical. Evaluate each process your company relies on and ask yourself what will happen if each of these processes goes offline. Having taken into account the risk associated with each process, decide which processes absolutely have to stay up and running.

Those are your critical processes. Your business continuity plan should focus on maintaining them.

5. Not having key buy-in

Disaster recovery plans affect the whole business. Because that’s true, it’s important to keep leadership in the loop about the plans and the risks.

If you’re not sure where to start, consider checking out this resource: 4 cybersecurity facts your company’s leadership team should know.

But don’t stop with the leadership. From there, make sure that everyone in the organization knows what your business continuity plan is and why it matters.

6. Not monitoring, testing & updating

A good disaster recovery plan is active.

You should be monitoring and testing. Monitoring your network will make you aware of potential issues before they have a chance to take your network offline. Proactive testing also helps to identify potential issues, as well as giving you a better picture of overall risk. And system updates mitigate vulnerabilities and ensure functionality.

As your system updates, don’t forget to update your recovery plan to match your newly patched system.

7. Not mitigating risk

Disaster recovery isn’t just about preparing for an inevitable emergency. It’s also about mitigating negative impact whenever possible.

A recent example of the power of mitigation is the MyHeritage breach over the summer. It affected a massive 92 million customers. But through smart, thoughtful systems design and preparation, the damage was minimal. MyHeritage didn’t store passwords directly, but rather in a one-way hash unique to each user. As a result, the breach did not actually compromise the passwords. Further, they didn’t store personal information (like credit card numbers or family tree information) that they didn’t need to maintain.

This kind of thorough, thoughtful systems approach lowered their overall risk well ahead of time. The breach they experienced could have been devastating. But their strategy turned it into a relatively minor inconvenience rather than a true emergency.
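The password storage approach described above can be illustrated as follows. This is an added example, not MyHeritage's code: the page does not say which algorithm they used, so the per-user random salt, PBKDF2-HMAC-SHA256, the iteration count, and the `UserStore` class are all assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for illustration; raise it as your hardware allows.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt makes every user's hash unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


class UserStore:
    """Hypothetical user table that keeps only a salt and a digest per account."""

    def __init__(self):
        self._records = {}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self._records[username] = {"salt": salt, "hash": digest}

    def login(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Do the same work for unknown users so timing reveals nothing.
            hash_password(password, b"\x00" * 16)
            return False
        return verify_password(password, record["salt"], record["hash"])

    def dump(self):
        """What someone who copied the table would see: no plaintext passwords."""
        return {u: (r["salt"].hex(), r["hash"].hex())
                for u, r in self._records.items()}


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse")  # constructed sample accounts
    store.register("bob", "correct horse")
    for user, (salt, digest) in store.dump().items():
        print(user, salt, digest)
```

Two accounts with the same password produce different stored values, so a stolen table does not reveal which users share a password and each hash has to be attacked separately.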

Why does your business need a proper backup policy?

Backing up your business information is as crucial as conducting daily business itself. Which is why you need a solid backup strategy.

With a proper backup policy, you can secure all your business data—files, documents, client and customer correspondence, and in-house or remote team communications.

No matter which industry or sector you serve, proper backup is pivotal. Data loss can seriously cripple a business of any size. A good backup strategy is the best way to avoid losing essential information due to systems failures, security breaches or plain old human error.

What can a network backup do for my company?

There are several benefits of having a backup policy for your business.

  • Any kind of data loss incident hurts. But when all your business data is backed up, you can bounce back quickly.
  • Data backups tend to lessen the impact and length of downtime. The less downtime you experience, the more you can get done . . . and the more profitable you are.
  • Backups often save you and your staff from duplicate work. Even if it’s easy to rebuild that report, do you really want to waste the time?
  • You’ll be prepared if you ever have to work through an audit or even annually when you complete your business tax preparations.

Ultimately, a well-developed backup strategy serves to protect your business by protecting your company data. That impacts your organizational efficiency, your cybersecurity and even your reputation.

Granted, the best case scenario is to never actually need your data backup. But the moment you need it, you’ll be so glad it’s there.

Related: How big data is changing the game for backup and recovery

How important are backups for my new business?

Occasionally, new SMB owners feel the need for backup isn’t as pressing. After all, there’s not as much data. A backup strategy can feel like something you can take care of later.

We strongly advise against waiting.

Network backups are of paramount importance. It’s far better to back up all your company data from the very beginning.

And if your SMB has been around awhile, it’s just as important to stay on top of backups. Don’t make the mistake of thinking that just because you haven’t needed a backup yet, you won’t need one in the future.

All about human error

Network backup plays an instrumental role in reducing human error. Think about it. How many times have you, yourself, accidentally deleted the wrong thing? Now imagine the potential for impact if the same thing happened at the network level.

Read about how backups saved Toy Story 2

Human error is a real factor. It will be for the foreseeable future. Data backups are perhaps the best way to insulate your company from the risks of human error.

Automate the process

Automation is big in the IT industry for good reason. Automation makes repetitive tasks easy, routine and consistent. It’s perfect for backup.

As you work with your managed IT services provider to set up your custom backup strategy, make sure the process is automatic. Manually saving all network files to an additional hard drive is not a thorough backup process.

Automatically backing up all files to a secure cloud server, on the other hand, is.

A word about the cloud

The cloud is a convenient location for network backups—if it’s a good fit for your business. Be sure to think through this from all possible angles. You’ll need to take the following into account:

  • The level of security provided by your cloud vendor. This is a good thing to think about for all cloud solutions—backup and otherwise.
  • Any regulatory requirements for your industry. If your cloud provider doesn’t meet your industry’s compliance guidelines for security, for example, then the cloud may not be an option.
  • How quickly do you need to be able to access backups? Cloud backups typically take a little longer to access than local backups.
  • Scalability options with your cloud vendor. If your company grows, can you easily add space?

If cloud backups aren’t an option for your business, you can back up everything locally. In some cases, this is actually preferable. We recommend a thorough, strategic conversation with an IT consultant if you’re not entirely sure which is the best fit for you.