Posts

The complete DIY disaster recovery guide for SMBs

What’s inside:

      1. What your people need to know about disaster recovery
      2. The essential components of disaster recovery for SMBs
      3. Why you need a disaster recovery plan (even if you think you don’t)
      4. How to test your disaster recovery plan

Chapter 1

Why you need a disaster recovery plan (even if you think you don’t)

When you’re a small business owner, you absolutely need a disaster recovery plan. Unfortunately, a surprising number of owners shrug off this fact. Here are a few of the most common reasons we hear:

  • Nothing bad will happen . . . or if it does, it won’t be too bad
  • Time is better spent focusing on today’s issues and not on “what ifs”
  • A disaster recovery plan is important, and it’ll get done soon (rinse and repeat)

You see where this is going. A disaster hits the business, and, just like that, months or years of hard work disappear. It’s nothing short of tragic.
Particularly because there are things you can do to prepare.

But first . . . what is a disaster recovery plan?

Before we get into the nuts and bolts of disaster recovery, let’s make sure we’re all on the same page. What is a disaster recovery plan?
It’s a plan to help your IT systems get back on track after an emergency. You may sometimes hear the term “business continuity,” as well. The two are not the same thing. Business continuity addresses everything necessary to keep a business running, no matter what.
Part of that is disaster recovery.

The likelihood of a disaster

Ready for some less-than-pleasant news? It’s likely your business will experience a disaster.
Oh, you may never have to endure a tornado or a hurricane, but something will eventually take your entire business offline unexpectedly. Disasters come in different forms and vary in severity.
There are natural disasters such as earthquakes, fires, floods and blizzards. And then there are technological disasters such as cyberattacks, phishing scams, internet outages, and power failures. There are even man-made disasters such as civil unrest, terrorism and explosions. Not to mention the “small” stuff, like simple blackouts.
And the more unprepared you are, the more costly downtime is. Even one hour of downtime could cost your business several thousand dollars.

Take a look at these stats

You don’t have to take our word for it about the high cost of poor preparation. The numbers tell the story just fine on their own.

40-60%

After a disaster, 40 to 60% of businesses fail to reopen. Of those that do reopen, 25 percent go out of business within a year.

Statistic Graphic

90% of small businesses close within a year if they cannot get their operations back up within five days.


Statistic Graphic

46% of businesses have incomplete disaster recovery plans or no plan at all.

Statistic Graphic

22% of businesses have declared a disaster in the past five years. The top causes were IT failures (hardware failures, network failures, etc.), power outages, floods, cyberattacks, natural disasters and human error.

How disasters affect your IT systems

And here’s where things get real. Let’s look at how a lack of preparedness could potentially affect your business.

  • A hardware or software failure could severely impact employee productivity and lead to disgruntled customers.
  • One of your employees could fall for a phishing scam and give cybercriminals access to sensitive company accounts, which are drained. Your business is then out thousands of dollars.
  • The space where your data center is stored could experience a burst water pipe that destroys the equipment housing your data.
  • A fire could burn your business down to the ground, completely wiping out your IT infrastructure.
  • A lightning strike could create a surge and fry critical equipment, forcing you to close for just a few days. In that short time, your business could get a reputation for being unprepared or unreliable.

But with a plan . . .

A disaster recovery plan would help with all of the above examples.
No, a disaster recovery plan doesn’t stop the disaster. That’s not its purpose. But it does give you a way to bounce back. When you’re facing downtime, that’s what matters—how quickly you can get your network back online.
A disaster for your business won’t necessarily come in the form of a raging inferno or thundering hurricane. Rather, it may have more mundane roots, such as a power outage or human error.
Whatever form the disaster takes, your hard work could go down the drain if your business lacks a recovery plan.

Chapter 2

The essential components of disaster recovery for SMBs

Now that we’ve explained why it’s important to have a disaster recovery plan, what exactly should your plan include? Here’s a look at essentials such as backups, communications and employee training.

Backups

Your business data can be lost or destroyed in many ways. Here are just a few examples:

  • Accidents, such as a liquid spill, a laptop drop or accidental deletion
  • Disasters, such as a fire, flood or tornado
  • Cybercriminal activity, such as malware, ransomware or a virus
  • Theft, even as small as smartphone theft

Part of the goal for your disaster recovery plan is to protect your data. One way to do that is to make sure everything is backed up. That way, even if something wiped out your entire office, you wouldn’t lose the information you depend on to run your business.

The 3-2-1 rule

Aim to follow the 3-2-1 rule.

3

Three backup copies

2

In two mediums such as the cloud and hard drives

1

One copy stored offsite


The cloud is an essential player in data backups because you can continue work outside of the office and retrieve data from anywhere.
Think about other things that contribute to your backup plan, as well.

  • Do you have “backup vendors” (like an ISP) should you need to quickly move from one service provider to another?
  • Do you have a backup or redundant power supply source, like an onsite generator? (If you keep a backup server onsite, you may need one.)
  • Do you have backup supplies (like food and bedding) for employees who might need to stay at the office in the event of an emergency?

Most SMBs work with a managed services provider or an offsite data center provider instead of managing their own data center onsite. Before selecting a provider, ask about their plans to prevent and mitigate disasters.

Communications plan

It’s easy to focus too much on IT in a disaster recovery plan and to forget about the human aspect. Ensure that your plan incorporates the many types of communications that may be necessary.
Some things to think about include:

  • Who speaks for the company to the media, emergency responders, third-party vendors and others? (It can be a different person for each.)
  • Who reaches out to clients or customers? And how?
  • Who reaches out to employees? And how?
  • How much information do you plan to reveal in the event of a disaster? And how will you reassure those who need encouragement?
  • Do you have contact numbers (work and personal) for everyone on your staff?
  • Who are the critical members of your staff and/or what are the critical roles that have to be covered to keep your business going?

Priorities

Which systems are most critical to your mission? How much time can go by before disruption to the business becomes a serious issue? How can you protect proprietary information?
Your plan should be designed in terms of priorities. There are undoubtedly normal functions in your business you could skip or go without if you had to. As you build out your plan, make it a point to attend to the necessary stuff first.
High-priority functions should have built-in redundancy.

Your “go team”

One component of your plan is to establish a “go team” that springs into action quickly in the event of a disaster. Here’s what you’ll need to do to prep your go team.

Go team prep

Tranning Icon

Train regularly so they’re prepared to act efficiently in various scenarios

Cross training icon

Receive cross-training so they can perform multiple roles

Work relationship icon

Establish relationships with third parties such as the fire department and your data center provider

It’s also important for regular employees—those not necessarily at the forefront of disaster response—to receive training. We’ll look at that more in-depth in part 3 of this ebook.
In addition, disasters aren’t necessarily in the form of fires or hurricanes. For example, a phishing scam or a set of weak passwords could cripple your business. Disaster recovery also includes disaster prevention and mitigation.
Educating your employees on strong passwords, ransomware, phishing and more can prevent disasters and keep your employees calm and your data secure when one does occur.

Prevention

Just like you can prevent the likelihood of disasters with good employee education, you can also minimize the odds with regular maintenance and testing of your IT infrastructure. The same goes for testing your disaster recovery plan.
Say a fire breaks out at your workplace and it’s been a while since sprinkler systems and fire detection systems were tested. Will they work? Maybe. Maybe not.
Regular testing ensures everything is operating as it should. 52 percent of businesses test this kind of thing just once a year or less. We’ll look more at what complete testing of your disaster recovery plan looks like in part 4 of this ebook.

Chapter 3

What your people need to know about disaster recovery

Training your small business employees to deal with disasters can minimize the effects of a catastrophe, and it could be the difference between a quick recovery and devastating damage.

How to stay safe before, during and after

Employee safety comes first.
Being able to access business email and VOIP telephone systems won’t matter if your people are injured. And while your data is certainly valuable, your people are irreplaceable. Make sure your disaster recovery plan includes emergency safety procedures.
You’ll also want to give some thought to alternative work locations and security practices in the wake of a disaster. If your office is unusable, where will your people go? Are you equipped to work from home? And how will you maintain data security in the interim?

Why disasters wear different faces

Most people immediately think of weather and natural disasters when they hear the phrase “disaster recovery.” But disasters come in all shapes, sizes and forms. And an IT-specific disaster can be just as costly as a fire—or even more costly.
Make sure your employees have a well-rounded idea of the potential disasters you face as a company. That list should include:

  • Hardware failure
  • User error (a major cause of IT disasters)
  • Power outages
  • Software problems

Some employees may not even know a disaster has occurred until after the fact. Clarifying the definition of “disaster” helps employees get on board more with prevention training.

How to prevent disasters

Use onboarding and continuing training to cover the essential topics. Any new employee should go through disaster recovery training, but don’t assume everyone will remember all those details. Be sure to do periodic refresher training sessions, as well.

Disaster prevention topics

Scam email icon

Recognizing phishing scams

Password Icon

Using strong passwords

Download icon

Downloading attachments

Laptop icon

Following the BYOD policy

WiFI moden icon

Browsing safely on public Wi-Fi while working

Mobile devices icon

Securing laptops, smartphones and other devices


Slipping up in any of these areas can lead to an IT disaster that severely harms your business. Explain the why and how so employees know why this training matters. After all, you’re not trying to dump extra work on them.
You’re trying to protect the business.

Where to go and what to do after a disaster

Suppose a disaster compels your business to move to alternative offices or to switch to telecommuting for a while. Your employees need to know a few things.

How to communicate with the company

Should they wait for an email from their team leader? Or proactively call in themselves? Or something else?

Where to go

Are you prepared to work from home? Or do you have an alternative office site B? And how soon do you expect employees to check in? To be available to work?

How to get to work

If there are folks who absolutely have to come to an office, will your business provide alternative transportation? If a critical staff member cannot get to that office, what’s your secondary plan for that?

How to access company programs and equipment

If a cloud computing service is down, what’s the next option? If a laptop is at the office and that has become an unsafe site, what should your employees do?

Who to contact

Who should everyone reach out to with questions, concerns or critical information? Make sure this list is longer than one name—and you almost certainly don’t want to be the point person here if your team is bigger than 10 people.

Are there any temporary policies or procedures?

Any different data security protocols to follow? Should they make adjustments to how they work normal tasks or prioritize things differently during the recovery period?

Everything else

To make sure you’ve covered all the other topics listed above, make sure you’ve considered the following.

  • What technology will be accessible during an emergency?
  • How can the business keep its data secure during an emergency?
  • What happens if the offsite data facility is destroyed?

Looking at the last question, if your business and/or employees have been following the 3-2-1 rule, there are copies of employee data that survived the facility being destroyed.
Remember, disaster recovery isn’t just about getting data back—it’s also about mitigating risk and preventing data from being compromised in the first place.

Test both your business continuity and disaster recovery plans

You never fully realize everything your employees need to know until an actual disaster strikes. That’s where testing comes in.
Testing helps everyone in the business better understand how to deal with various types of disasters and how to prevent them. It also pinpoints weaknesses in your current plan, including what employees need to know and do.
Test regularly! Don’t be one of the 23 percent of businesses that leave themselves unnecessarily vulnerable.

Chapter 4

How to test your disaster recovery plan

You know the saying, “Practice makes perfect.” So it goes with testing disaster recovery plans. Companies that regularly test their plans, making necessary adjustments based on feedback, are in a much better position to get through extreme weather, hardware failures, human error, cyberattacks, and other types of IT disasters.
However, not enough businesses test their plans (or they don’t test often enough).
In fact, one study shows that 23 percent of companies don’t test at all due to reasons such as plan complexity and a lack of time and resources. If this sounds like your company, find a way to address these issues or you may lose revenue or even go out of business.
Here are a few tips for your disaster recovery testing.

Determine the scope

Your managed services provider, if you have one, can help you figure out the scope of your testing.
If your business is small, it may be that spinning up virtual machines locally or in the cloud is sufficient for some rounds of testing. If the business is larger, testing may entail unplugging a server or intentionally causing downtime in some other way.
Consider factors such as the time and resource needs of testing plus any disruption that testing would cause your customers and how much disruption they could tolerate.

Set goals

Design each DR test with a goal and figure out the results you expect.
Who is involved, and what exactly is being tested? Consider other questions such as the date of your last DR test and any IT changes since then that may require updates to the plan before testing takes place.

Document the process

There’s little point in running DR tests if no one documents the processes or acts on feedback to make adjustments. Designate one person in the business to observe and document the test.

Point person tasks

  • Record how long each step takes
  • Record any missing steps not already documented for restoration, data recovery, and emergency communications
  • Record any unexpected failures in detail
  • Record the human performance of your team

To expand on the latter point, how did your employees do when faced with a bewildering turn of events? Were there parts of the DR plan that remained unclear to some employees or that caused them undue angst? Did internal or external communications fall through due to human error?

Implement feedback

Your testing may have gone well—even perfectly. If so, congratulations. Otherwise, act on the feedback you receive to make any necessary changes.
For instance, maybe several of your employees need a better understanding of their role in DR, and they need to be trained. Perhaps your systems take unacceptably long to get back online—why? How can you shorten that time frame?

Test regularly

At the bare minimum, test your plan once a year. Even better, practice it once every quarter (four times a year). Testing every month or every week may even make sense depending on the size of your company, the IT infrastructure, regulatory requirements, and how reliant your company is on IT.
You can test different elements each time with a full-scale run once a year. Remember, a disaster doesn’t have to be a full-blown act of God to make an impact. Downtime a few times a year due to internet outages can erode client confidence over time and result in clients leaving.
It can also be a good idea to run a DR test when new people step into roles. For instance, if your lead IT employee leaves and someone new steps in, don’t wait too long before doing DR testing with this new person. Otherwise, your business could be vulnerable if disaster does strike.
For guidance putting all this information to good use in your own disaster recovery plan, get in touch with one of our business continuity professionals at ISG Technology.

Crafting the perfect voicemail greetings (examples inside!)

In a world of unified communications, video conferencing, bring-your-own-devices-to-work policies and other cutting-edge communications, the voicemail message remains essential. It’s a unique calling card.
If your greeting is engaging, callers are liable to be impressed, perhaps at a subconscious level. If, however, you come across as fuzzy or long-winded, you may plant seeds of doubt about your professionalism.
With that in mind, here are some tips and scripts for voicemail excellence. You might even make voicemail recording lessons part of your standard employee training.

Be concise

Make your message crisp and to the point. Say hello, and state your name, your business name and, if you want, your job title. Relay that you’re out of the office or away from your phone. If you choose, provide your email address or another company phone number for urgent requests.
Then request any information the caller should leave for you. Most likely, you’ll want the person’s name, phone number and their reason for calling.
You might give the caller an idea of when you’ll return the call, but you don’t have to. It would be worse to provide a time frame you aren’t able to meet, so don’t overpromise.

Be warm

It’s best to avoid a monotone. Although you’re presenting basic facts, try to sound genial and somewhat enthusiastic. As you’re reciting your message, you might smile and think of something that makes you happy – a recent skiing trip, for example – or pretend that you’re speaking to an old friend.

Be serious

Going for voicemail humor is rarely a good idea. To those who call you repeatedly, your message will quickly lose its charm. A caller with a different sense of humor may misunderstand you. And for someone calling you in an emergency, your attempt at wit could seem dreadfully out of place.

Speak clearly

Before you record your voicemail, practice your lines a few times so the words are familiar. Find a happy medium between rushed and drawn out. And, if you trip over your tongue as you record, just start over.
When you’re done, play your message back. Is each word audible? Better yet, ask a few colleagues or friends to listen to it if you are unsure. Can they hear everything you say easily? Do they have any other useful feedback?

Sample scripts

  1. Hello, you’ve reached Jim Jimby, vice president of customer success at Winning at Life Industries. I’ll be out of the office until [date returning]. Please leave your name, number and reason for calling at the beep, and I’ll be happy to return your call when I’m back. For anything urgent in my absence, please contact our main call center. Thank you!
  2. Hi, this is Sarah Sarahson at Awesome Technologies. If you leave me your name and phone number, I’ll get back to you as soon as possible. And, if you need assistance right away, please call our main helpline at 1-800-555-1234. Have a great day!
  3. Thanks for calling. This is Willie Williams at Sweat It Out Fitness. I’ll be away from my desk today but please feel free to leave a message with your name and number. You can also email me at Willie@hugemuscles.com. We look forward to serving you.

Whether your work phone is a mobile phone, a landline or a wearable, your voicemail recordings are important. If you can do relatively simple things like voicemail messages professionally, consumers will be more likely to consider trusting you with more important things – like securing their sensitive data. Every voicemail becomes part of your brand.

Enterprise-level BYOD policy dos and don’ts

There’s no way around it. Your organization needs a Bring Your Own Device (BYOD) policy. In fact, it probably needed it two or three years ago.

You dig in and do your homework. You evaluate the options, assess the upsides, and prepare for potential drawbacks. You’ve taken in tons of advice and information. It’s time to sort through it all. Before you go into information overload, tie up your research with our handy list of BYOD policy dos and don’ts.

Don’t forget the gatekeepers

Your IT team probably has existing precautionary guardrails to protect devices and networks.

That’s a great start. But as the BYOD policy develops, IT administrators need to stay informed and involved.

Their teams are accountable for network security. And they know better than anyone the boundaries that need to be set as part of the policy.

Do be cautious yet flexible

In a post for cybersecurity authority Security Intelligence, New York Times best-selling author and award-winning journalist Bob Sullivan stands firm against opinions BYOD is another tech trend. “Neither BYOD nor IoT is going anywhere.”

“So, what should IT departments do?” Sullivan asks. “The solutions aren’t easy—and they’re going to have to evolve alongside every new gadget and application that connects to the company network.”

Is your BYOD policy putting the responsibility on IT to secure every device on your network?

Remember that this isn’t about limiting or restricting device use. It’s about empowering those entrusted to protect the company’s systems and infrastructure. Make sure these policies support your IT department’s overall BYOD objectives.

“Ensure constant monitoring of approved hardware and software,” Sullivan writes, “Just because your team decides a particular tablet or application is safe today doesn’t mean it won’t be unsafe tomorrow.”

Consider how future technologies might impact security. Is there a good possibility that IT will find itself stretched thin? Will IT end up playing “patch-a-mole” with every new OS update and firmware release? If so, you may want to leave some room in the BYOD policy for a managed IT services provider (MSP) to shoulder the load.

Don’t reinvent the wheel

Your BYOD policy needs to consider your organization’s specific technological needs. Think about the size of your company. Think about the kind of tech that benefits your employees. Identify the types of devices you can do without. Separate the must-haves from the nice-to-haves.

Now that you’ve determined who needs to support and influence your BYOD policy and what types of circumstances it needs to address, the fine folks at IT Manager Daily have done us all a solid and posted a BYOD Policy template.

Just cut it, paste it, and make it your own. Maybe put it on the good company stationary you save for special occasions or prepare to upload it to your human capital management system, but first . . .

Do make sure legal reviews the policy

The policy is ready for release after your legal department has officially vetted it. But you still need their help identifying who’s responsible for communicating what. You need their assistance defining what the company considers adequate communication.

Do you send an email to employees asking them to stay on alert for possible phishing attacks? Or is the company on the hook to provide more comprehensive education? Should employees acknowledge in writing that they understand the new policy?

Defining and enforcing the BYOD policy in these ways can make or break its effectiveness.

This is an instance where it is perfectly acceptable to assume the worst. Employees will reuse passwords. New technology will fail. Legacy tech will stop being patched for current threats. A new hire will log into his laptop at a coffee shop, hop on a free network, and access a bunch of sensitive data without thinking twice.

The legal department is a crucial ally when developing any type of company policy. They’re a key partner in making sure the BYOD policy you craft, draft, and deliver is effective and won’t leave the company exposed if a data breach occurs.

5 ways employee education can make IT support infinitely easier

IT support is an important part of any company’s technology plan, but there is another important component that should go hand in hand. Employee training is the perfect complement to strong IT support for many reasons. In fact, according to a workplace study, over 65% of employees prefer to learn at work, and more than 55% prefer to learn at their own pace.

There are options for employee training including online courses, face-to-face classes, training offered by your IT providers, and even technology classes at local community colleges or technological organizations. And for basic training, you likely have someone on staff who can lead the charge.

All of these are great ways to give your employees some additional training, which in turn makes your IT support more effective. Plus, employee education has added benefits like reducing turnover and helping employees feel valued.

Here are 5 ways employee training helps.

1. Better communication with IT professionals

Whether your IT support is provided by an off-site managed IT services partner or in-house staff who work in your office right along with other employees, employee training can help communication between teams.

Employees should have some guidelines for communicating tech problems with IT support. The better your staff is at accurately summarizing support issues, the more effectively they can explain those issues to the support team. And when IT support starts with a well-documented ticket, they can often resolve the issue much more quickly.

Less research and legwork means better network performance and faster recovery when things don’t go as expected.

2. Avoid simple issues

There’s a joke in the IT world about the most common troubleshooting suggestion: “Have you tried turning it off and back on again?” But here’s the irony. A surprising number of IT issues really can be solved by power-cycling a device.

Of course, IT professionals are more than happy to help if the problem is more complex. But there are several simple tips and tricks that any employee should know to try before contacting IT support. Power-cycling is one of them.

Training employees to check for basic issues before reaching out to IT could save resources and time on both ends.

3. Better security

Your IT team can do everything possible to secure your servers and important data, but if your employees don’t know about the latest phishing schemes, ransomware, and trends in strong passwords it can all go to waste.

Employee education is essential for securing company data, especially with the increasing prevalence of sophisticated modern targeted phishing attacks called spear phishing, voicemail phishing (vishing) and SMS/text message phishing.

4. Get into the cloud

As many businesses transition to the cloud, some employees may get left behind. Help them catch up with some education not only about your specific cloud technology but what the cloud is and how it impacts their work.

Any transitional to a new tech solution can be stressful. But proper training will set your employee’s minds at ease and help to avoid hassles. Any time your company adopts a new technology, it’s important to offer training to employees to smooth over the transition.

5. Stay calm in a crisis

With extra technological knowledge, your employees will feel more confident when things shift into crisis mode—whether it’s a natural disaster, a cybersecurity attack, employee error or a hardware failure. Employee education can lead to less downtime after a disaster, faster identification of a problem by IT professionals, and faster access to data backups to get essential information and keep things running.

Are you ready to take your IT support and employee education to the next level? Contact your managed IT services provider (MSP) for specific tips on things your employees should know about. Your MSP may even offer direct employee training assistance.