Sometimes, no matter how hard you try, things just go wrong.
When that’s losing your keys or hitting every red light on the way home, it can feel pretty rough. But when it’s your entire business being compromised and losing every byte of critical business data? That’s a whole different ballgame.
You might think we’re catastrophising, but so-called business disasters happen more than you might imagine. In fact, statistics show that over half of small companies have experienced IT system downtime of more than a working day in the last five years. How much would that cost your business?
At this point, you’re probably thinking: Just how prepared is my business for a disastrous event? But don’t panic, there is a way to prepare for the worst of bad days – and it’s called a disaster recovery plan, or DRP.
In this article, we’ll explain what a DRP is, why you need one, and how to create one for your business.
What is a disaster recovery plan?
Whether it’s the smartphones in our pockets or the voice assistants in our homes, we all rely much more on technology today – and business is no exception. From the servers which host your website to the databases powering your CRM software, practically every company in the UK relies on digital technology one way or another.
So, where does a disaster recovery plan fit into this picture?
Well, as dramatic as the word sounds, there are many so-called “disasters” which could befall your company and lead to downtime of your IT systems or some level of data loss. How fast you can respond and recover from these disasters depends entirely on your preparedness – and that’s where a disaster recovery plan comes in.
In a nutshell, a DRP is a detailed document which outlines the precise measures which will come into effect in the event of a disaster to ensure business continuity. A DRP will usually include the immediate steps to be taken, a list of personnel assigned to those steps, a Recovery Time Objective (RTO), and a Recovery Point Objective (RPO). We’ll go into more detail on these steps a little later.
Why do you need a disaster recovery plan?
The total loss of your company’s critical data should be a scary enough prospect, but there are plenty of other reasons to have a disaster recovery plan in place. In fact, just one hour of downtime can cost thousands in lost business and productivity – so, even from a purely financial standpoint, a DRP makes good sense.
You might assume that the risk of a disaster occurring is relatively low, but they might be more common than you think. The term “disaster” certainly sounds dramatic, but the specific classification of a disaster makes things little clearer.
There are three main classifications for disasters:
- Natural risks such as floods, epidemics, and earthquakes.
- Technological risks including hardware or structure failure.
- Human-induced risks such as cyberattacks and sabotage.
It’s true that some of these are somewhat rarer than others, but with such a wide definition, it should be clear that a disaster recovery plan is practically a necessity.
4 of the most common business disasters
Before we delve into exactly how your business can created a disaster recovery plan, it’s important to be aware of the specific disasters you should account for. After all, what good is a plan is you don’t know what you’re planning for?
With this in mind, we’ve put together a list of the 3 most common business disasters which could impact your company. Bear these in mind as you’re building your DRP and you’ll stand a much better chance of having all of your bases covered.
- Hardware failure. No matter how new or reliable your IT system’s hardware is, there is always the chance of failure. While the loss of one bad hard-drive can be managed without incident, things change when entire datacentres suffer data (or power) loss.
- Ransomware attacks. These are becoming much more common in recent years, with the latest example being the so-called “Ryuk Ransomware” attack. Ransomware attacks work by targeting your IT systems and actively encrypting files with an uncrackable algorithm. The hackers then drop a text file with instructions on how to decrypt your files – provided you pay them with bitcoin first (that’s the ‘ransom’ part).
- Denial-of-service attacks (DDoS). The DDoS attack is a very common tactic employed by cyber-attackers, and while often short-lived, it can still do a lot of damage to website-reliant businesses. A denial-of-service attack essentially sends thousands of concurrent load requests to your website until the server cannot handle them and just goes down – taking your website with it.
- Fires and other physical damage. Beyond the technological and the digital, there is always a certain risk of physical disasters occurring within a business. Fire is a good example of this, and something which poses a significant threat to businesses who rely on physical premises and products. Of course, the best approach to take with a fire risk is to ensure your business and its premises are fully insured.
How to create a disaster recovery plan for your business
At this point you should have good idea of why disaster recovery plans are so important for businesses of all sizes. Statistics suggest that only 39% of businesses actually have a documented DRP, so let’s get you on the right side of that curve with a simple step-by-step process for creating your own.
Before we jump into the practical steps, let’s first review two important concepts we touched on earlier: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Here’s the lowdown on each:
- Recovery Time Objective is a target amount of time within which the affected IT system must be restored before business continuity is regarded as negatively impacted. The closer to the RTO target your DRP can get you, the better.
- Recovery Point Objective is a measure of time after which critical data (such as customer transactions) may be lost. Depending on your business, RPO may be the more important metric here, because lost data can take a serious financial toll.
While it’s not a good idea to get too obsessed with these figures, there’s no doubt that balancing your RTO against your RPO can help you resolve and mitigate the negative impact of a disaster event. Prior to documenting your disaster recovery plan, you should at least consider these metrics and decide which of them is more meaningful to you. Making this consideration will help you to tweak your DRP in a way which best achieves your RTO or RPO goals.
Okay, that’s enough of the technical jargon – let’s jump into something a little more practical and actually start creating your disaster recovery plan.
Just follow these steps:
- First, carry out a risk-assessment which is tailored to your business. This is known as a Business Impact Analysis, or BIA, and it’ll help you predict the possible results for each potential disaster. Consider your specific operations, the relative value of each one, and how a disaster would impact them.
- Next, ensure you have a plan for all of your critical assets. What these assets are will differ from company to company, but common examples include your customer book, critical reports, financial data, and so on.
- For absolute peace-of-mind when it comes to preventing cyberattacks, we strongly recommend using a backup solution which employs what’s called an air gap. In a nutshell, an air gap is created when your backup is physically separated from your server – for example, stored on a USB drive. How does this help? Well, even if someone were to gain access to that server, your air-gapped backup is still safe and sound – and untouchable by hackers. Get Support is a Veeam Cloud Connect Partner, meaning your critical offsite data backups are always in safe hands with us – air-gapped and protected from cyberthreats. Want to know more? Ask about our backup service anytime.
- With your data accounted for, it’s time to consider your staff in the event of a disaster. There’s no doubt that these events will cause some level of panic, so having assigned team members for specific jobs (e.g. checking the integrity of off-site backups) is absolutely essential to maintain control of the situation.
- Because every business is different, take the time to ensure that all of your core operations are accounted for in the event of any type of disaster. For most companies, this will be data integrity, but if there are any other considerations – such as physical assets – be sure they’re documented in your plan.
- Once the first draft of your disaster recovery plan is completed, it’s a good idea to test it. This doesn’t mean emulating a disaster, of course, but you should at least run through each step with the assigned team members so that everyone is clear on their roles.
- Finally, be sure that you set a regular meeting to review your disaster recovery plan. A DRP won’t do much good in the event of a disaster if it’s five years out of date, so this regular review will ensure everyone is on the same page.
Is your business prepared for disaster?
So, there you have it: the essential guide to disaster recovery plans for small businesses. We hope you’ve learned something useful and that you feel more prepared for whatever might come your way.
It’s easy to ignore disaster recovery planning, but should the worst happen, having a solid plan in place really can help you minimise data loss and get back up and running before you know it.
For more expert IT advice on data backup and disaster recovery – always delivered in plain English – get in touch with the team at Get Support anytime via our website or by calling us on 01865 594 000.