The complete DIY disaster recovery guide for SMBs
- What your people need to know about disaster recovery
- The essential components of disaster recovery for SMBs
- Why you need a disaster recovery plan (even if you think you don’t)
- How to test your disaster recovery plan
Why you need a disaster recovery plan (even if you think you don’t)
- Nothing bad will happen . . . or if it does, it won’t be too bad
- Time is better spent focusing on today’s issues and not on “what ifs”
- A disaster recovery plan is important, and it’ll get done soon (rinse and repeat)
You see where this is going. A disaster hits the business, and, just like that, months or years of hard work disappear. It’s nothing short of tragic. Particularly because there are things you can do to prepare.
But first . . . what is a disaster recovery plan?
Before we get into the nuts and bolts of disaster recovery, let’s make sure we’re all on the same page. What is a disaster recovery plan?
It’s a plan to help your IT systems get back on track after an emergency. You may sometimes hear the term “business continuity,” as well. The two are not the same thing. Business continuity addresses everything necessary to keep a business running, no matter what. Part of that is disaster recovery.
The likelihood of a disaster
Ready for some less-than-pleasant news? It’s likely your business will experience a disaster.
Oh, you may never have to endure a tornado or a hurricane, but something will eventually take your entire business offline unexpectedly. Disasters come in different forms and vary in severity.
There are natural disasters such as earthquakes, fires, floods and blizzards. And then there are technological disasters such as cyberattacks, phishing scams, internet outages, and power failures. There are even man-made disasters such as civil unrest, terrorism and explosions. Not to mention the “small” stuff, like simple blackouts.
And the more unprepared you are, the more costly downtime is. Even one hour of downtime could cost your business several thousand dollars.
Take a look at these stats
You don’t have to take our word for it about the high cost of poor preparation. The numbers tell the story just fine on their own.
After a disaster, 40 to 60% of businesses fail to reopen. Of those that do reopen, 25 percent go out of business within a year.
90% of small businesses close within a year if they cannot get their operations back up within five days.
46% of businesses have incomplete disaster recovery plans or no plan at all.
22% of businesses have declared a disaster in the past five years. The top causes were IT failures (hardware failures, network failures, etc.), power outages, floods, cyberattacks, natural disasters and human error.
How disasters affect your IT systems
And here’s where things get real. Let’s look at how a lack of preparedness could potentially affect your business.
- A hardware or software failure could severely impact employee productivity and lead to disgruntled customers.
- One of your employees could fall for a phishing scam and give cybercriminals access to sensitive company accounts, which are drained. Your business is then out thousands of dollars.
- The space where your data center is stored could experience a burst water pipe that destroys the equipment housing your data.
- A fire could burn your business down to the ground, completely wiping out your IT infrastructure.
- A lightning strike could create a surge and fry critical equipment, forcing you to close for just a few days. In that short time, your business could get a reputation for being unprepared or unreliable.
That’s why you need a plan
A disaster recovery plan doesn’t stop the disaster. That’s not its purpose. But it does give you a way to bounce back. When you’re facing downtime, that’s what matters—how quickly you can get your network back online.
A disaster for your business won’t necessarily come in the form of a raging inferno or thundering hurricane. Rather, it may have more mundane roots, such as a power outage or human error. Whatever form the disaster takes, your hard work could go down the drain if your business lacks a recovery plan.
The essential components of disaster recovery for SMBs
Your business data can be lost or destroyed in many ways. Here are just a few examples:
- Accidents, such as a liquid spill, a laptop drop or accidental deletion
- Disasters, such as a fire, flood or tornado
- Cybercriminal activity, such as malware, ransomware or a virus
- Theft, even as small as smartphone theft
Part of the goal for your disaster recovery plan is to protect your data. One way to do that is to make sure everything is backed up. That way, even if something wiped out your entire office, you wouldn’t lose the information you depend on to run your business.
The 3-2-1 rule
Aim to follow the 3-2-1 rule.
The cloud is an essential player in data backups because you can continue work outside of the office and retrieve data from anywhere. Think about other things that contribute to your backup plan, as well.
- Do you have “backup vendors” (like an ISP) should you need to quickly move from one service provider to another?
- Do you have a backup or redundant power supply source, like an onsite generator? (If you keep a backup server onsite, you may need one.)
- Do you have backup supplies (like food and bedding) for employees who might need to stay at the office in the event of an emergency?
Most SMBs work with a managed services provider or an offsite data center provider instead of managing their own data center onsite. Before selecting a provider, ask about their plans to prevent and mitigate disasters.
It’s easy to focus too much on IT in a disaster recovery plan and to forget about the human aspect. Ensure that your plan incorporates the many types of communications that may be necessary. Some things to think about include:
- Who speaks for the company to the media, emergency responders, third-party vendors and others? (It can be a different person for each.)
- Who reaches out to clients or customers? And how?
- Who reaches out to employees? And how?
- How much information do you plan to reveal in the event of a disaster? And how will you reassure those who need encouragement?
- Do you have contact numbers (work and personal) for everyone on your staff?
- Who are the critical members of your staff and/or what are the critical roles that have to be covered to keep your business going?
Which systems are most critical to your mission? How much time can go by before disruption to the business becomes a serious issue? How can you protect proprietary information?
Your plan should be designed in terms of priorities. There are undoubtedly normal functions in your business you could skip or go without if you had to. As you build out your plan, make it a point to attend to the necessary stuff first.
High-priority functions should have built-in redundancy.
Your “go team”
One component of your plan is to establish a “go team” that springs into action quickly in the event of a disaster. Here’s what you’ll need to do to prep your go team.
Go team prep
Train regularly so they’re prepared to act efficiently in various scenarios
Receive cross-training so they can perform multiple roles
Establish relationships with third parties such as the fire department and your data center provider
It’s also important for regular employees—those not necessarily at the forefront of disaster response—to receive training. We’ll look at that more in-depth in part 3 of this ebook.
In addition, disasters aren’t necessarily in the form of fires or hurricanes. For example, a phishing scam or a set of weak passwords could cripple your business. Disaster recovery also includes disaster prevention and mitigation.
Educating your employees on strong passwords, ransomware, phishing and more can prevent disasters and keep your employees calm and your data secure when one does occur.
Just like you can prevent the likelihood of disasters with good employee education, you can also minimize the odds with regular maintenance and testing of your IT infrastructure. The same goes for testing your disaster recovery plan.
Say a fire breaks out at your workplace and it’s been a while since sprinkler systems and fire detection systems were tested. Will they work? Maybe. Maybe not.
Regular testing ensures everything is operating as it should. 52 percent of businesses test this kind of thing just once a year or less. We’ll look more at what complete testing of your disaster recovery plan looks like in part 4 of this ebook.
What your people need to know about disaster recovery
How to stay safe before, during and after
Employee safety comes first. Being able to access business email and VOIP telephone systems won’t matter if your people are injured. And while your data is certainly valuable, your people are irreplaceable. Make sure your disaster recovery plan includes emergency safety procedures.
You’ll also want to give some thought to alternative work locations and security practices in the wake of a disaster. If your office is unusable, where will your people go? Are you equipped to work from home? And how will you maintain data security in the interim?
Why disasters wear different faces
Most people immediately think of weather and natural disasters when they hear the phrase “disaster recovery.” But disasters come in all shapes, sizes and forms. And an IT-specific disaster can be just as costly as a fire—or even more costly. Make sure your employees have a well-rounded idea of the potential disasters you face as a company. That list should include:
- Hardware failure
- User error (a major cause of IT disasters)
- Power outages
- Software problems
Some employees may not even know a disaster has occurred until after the fact. Clarifying the definition of “disaster” helps employees get on board more with prevention training.
How to prevent disasters
Use onboarding and continuing training to cover the essential topics. Any new employee should go through disaster recovery training, but don’t assume everyone will remember all those details. Be sure to do periodic refresher training sessions, as well.
Disaster prevention topics
Recognizing phishing scams
Using strong passwords
Following the BYOD policy
Browsing safely on public Wi-Fi while working
Securing laptops, smartphones and other devices
Slipping up in any of these areas can lead to an IT disaster that severely harms your business. Explain the why and how so employees know why this training matters. After all, you’re not trying to dump extra work on them. You’re trying to protect the business.
Where to go and what to do after a disaster
Suppose a disaster compels your business to move to alternative offices or to switch to telecommuting for a while. Your employees need to know a few things.
How to communicate with the company
Should they wait for an email from their team leader? Or proactively call in themselves? Or something else?
Where to go
Are you prepared to work from home? Or do you have an alternative office site B? And how soon do you expect employees to check in? To be available to work?
How to get to work
If there are folks who absolutely have to come to an office, will your business provide alternative transportation? If a critical staff member cannot get to that office, what’s your secondary plan for that?
How to access company programs and equipment
If a cloud computing service is down, what’s the next option? If a laptop is at the office and that has become an unsafe site, what should your employees do?
Who to contact
Who should everyone reach out to with questions, concerns or critical information? Make sure this list is longer than one name—and you almost certainly don’t want to be the point person here if your team is bigger than 10 people.
Are there any temporary policies or procedures?
Any different data security protocols to follow? Should they make adjustments to how they work normal tasks or prioritize things differently during the recovery period?
To make sure you’ve covered all the other topics listed above, make sure you’ve considered the following.
- What technology will be accessible during an emergency?
- How can the business keep its data secure during an emergency?
- What happens if the offsite data facility is destroyed?
Looking at the last question, if your business and/or employees have been following the 3-2-1 rule, there are copies of employee data that survived the facility being destroyed. Remember, disaster recovery isn’t just about getting data back—it’s also about mitigating risk and preventing data from being compromised in the first place.
Test both your business continuity and disaster recovery plans
You never fully realize everything your employees need to know until an actual disaster strikes. That’s where testing comes in.
Testing helps everyone in the business better understand how to deal with various types of disasters and how to prevent them. It also pinpoints weaknesses in your current plan, including what employees need to know and do. Test regularly! Don’t be one of the 23 percent of businesses that leave themselves unnecessarily vulnerable.
How to test your disaster recovery plan
You know the saying, “Practice makes perfect.” So it goes with testing disaster recovery plans. Companies that regularly test their plans, making necessary adjustments based on feedback, are in a much better position to get through extreme weather, hardware failures, human error, cyberattacks, and other types of IT disasters.
However, not enough businesses test their plans (or they don’t test often enough). In fact, one study shows that 23 percent of companies don’t test at all due to reasons such as plan complexity and a lack of time and resources. If this sounds like your company, find a way to address these issues or you may lose revenue or even go out of business. Here are a few tips for your disaster recovery testing.
Determine the scope
Your managed services provider, if you have one, can help you figure out the scope of your testing. If your business is small, it may be that spinning up virtual machines locally or in the cloud is sufficient for some rounds of testing. If the business is larger, testing may entail unplugging a server or intentionally causing downtime in some other way.
Consider factors such as the time and resource needs of testing plus any disruption that testing would cause your customers and how much disruption they could tolerate.
Design each DR test with a goal and figure out the results you expect. Who is involved, and what exactly is being tested? Consider other questions such as the date of your last DR test and any IT changes since then that may require updates to the plan before testing takes place.
Document the process
There’s little point in running DR tests if no one documents the processes or acts on feedback to make adjustments. Designate one person in the business to observe and document the test.
Point person tasks
- Record how long each step takes
- Record any missing steps not already documented for restoration, data recovery, and emergency communications
- Record any unexpected failures in detail
- Record the human performance of your team
To expand on the latter point, how did your employees do when faced with a bewildering turn of events? Were there parts of the DR plan that remained unclear to some employees or that caused them undue angst? Did internal or external communications fall through due to human error?
Your testing may have gone well—even perfectly. If so, congratulations. Otherwise, act on the feedback you receive to make any necessary changes.
For instance, maybe several of your employees need a better understanding of their role in DR, and they need to be trained. Perhaps your systems take unacceptably long to get back online—why? How can you shorten that time frame?
At the bare minimum, test your plan once a year. Even better, practice it once every quarter (four times a year). Testing every month or every week may even make sense depending on the size of your company, the IT infrastructure, regulatory requirements, and how reliant your company is on IT.
You can test different elements each time with a full-scale run once a year. Remember, a disaster doesn’t have to be a full-blown act of God to make an impact. Downtime a few times a year due to internet outages can erode client confidence over time and result in clients leaving.
It can also be a good idea to run a DR test when new people step into roles. For instance, if your lead IT employee leaves and someone new steps in, don’t wait too long before doing DR testing with this new person. Otherwise, your business could be vulnerable if disaster does strike.
For guidance putting all this information to good use in your own disaster recovery plan, get in touch with one of our business continuity professionals at ISG Technology.