It’s easy to dismiss disaster recovery as something that only large businesses such as banks and multinationals need to worry about. But, if the last few years have taught us anything, it’s that that all businesses should plan for the unexpected, despite their sector or size.
The first step to developing a disaster recovery strategy is to have a plan. In its simplest form, this will be a case of documenting where your backups are and who is responsible for retrieving and restoring them.
The bigger the business, the more complex the plan will become, as you need to have provisions for finding alternative accommodation, sourcing new equipment, getting communications up and running, and more.
This article highlights the key things you need to consider when developing your recovery strategy.
1. SET YOUR OBJECTIVES
When putting your disaster recovery plan together it is important to identify your core objectives. This sets the foundation of your disaster recovery strategy and ensures you are tailoring your plan to meet your business needs.
Example objectives include:
- Minimising interruptions to normal business operations
- Limiting the extent of disruption and damage
- Minimising the economic impact of the interruption
- Establishing alternative means of operations in advance of a disruption
- Training staff with emergency procedures
- Providing smooth and rapid restoration of services
2. TAKE INVENTORY OF YOUR IT SYSTEMS AND ENVIRONMENT
Your next step should be to create a list of exactly which IT resources, including systems, hardware and software are used to run the business. You need to understand where your systems are. For example, what is run and stored internally and what is in the cloud? Just because something is in the cloud it doesn’t mean you can ignore it from a business continuity point of view.
Prioritise each application into one of three categories:
- Critical applications that you can’t operate without
- Applications you need to use daily
- Applications you don’t need for a few days or more
Once you have defined your most critical applications you will be able to see which ones you need to prioritise above all others in the event of a disaster.
3. SET YOUR RECOVERY TIME OBJECTIVE (RTO) AND RECOVERY POINT OBJECTIVE (RPO)
Your RTO and RPO are essential for helping you to determine which solutions are necessary to survive a disaster or a data breach and also help you to keep your data recovery costs low. They help you determine which hardware and software configurations you need, in order to recover your workloads as quickly and efficiently as possible.
Now you’ve prioritised the criticality of each application and system, you can work to set the most appropriate RTO and RPO for them.
4. TRAIN STAFF AND CONDUCT EXERCISES OF YOUR EMERGENCY PROCEDURES
A disaster recovery plan can only succeed if your team has the knowledge to execute the plan effectively. Determine who will be part of the disaster recovery team and define what each person’s role and responsibilities will be. Ensure that your team meets regularly to review the plan.
5. CREATE A CRISIS COMMUNICATION PLAN
In the event of a disaster, you will need a clear communication strategy between employees, customers, vendors and suppliers. Keeping them informed throughout is key to maintaining your reputation. Let them know how you are handling the situation and reassure them that you will be back up and running as soon as possible.
6. DISASTER PREVENTION
The best disaster recovery plan is one that prevents disasters from happening in the first place. While this isn’t always in the your control, you should look for ways to mitigate disasters from impacting the business.
Often simple processes can make a significant impact. For example, automated fire suppression systems could be the difference between a small, contained fire and a large-scale fire that destroys an entire data centre.
7. OUTLINE YOUR RESPONSE PROCEDURES
So far we’ve concentrated on looking at computer systems, but there are other things that your disaster planning needs to take into account. Primary among these is communication. If your business can’t operate normally for any amount of time, it’s essential that you can let your customers and suppliers know what’s happening.
If your building is out of commission, you can arrange for a service to divert incoming calls to another number so that your business contacts can still reach you. If you have a hosted telephone system, it’s relatively easy to redirect calls to other numbers or mobiles.
Of course, you need to be able to contact your staff too – whether it’s to bring critical employees in or tell others to stay at home. Make sure you have an up-to-date list of contact details with landline and mobile numbers plus email addresses.
8. ARRANGE ALTERNATIVE WORKSPACES
Another aspect of disaster planning involves arranging an alternative workplace. If you have multiple sites, you may be able to redistribute staff from one that’s out of action,among your other locations. If you only have one location, you need to look at renting alternative space at short notice or organising for your staff to work remotely.
Of course, office or production space is only part of the problem. You must make sure your teams have the right equipment to work with. This might mean sourcing new PCs; it might mean allowing some staff to work from home. In the latter instance, you need to make sure they have equipment and connectivity that’s up to the job. If you allow them to use personal equipment for business use, it’s important that there’s adequate security in place.
If you’re a manufacturing or distribution business, you need to think about what happens to your stock. To avoid losing everything you might want to consider distributing storage across different sites.
9. CHOOSE YOUR DISASTER RECOVERY SITES
When normal business IT operations are interrupted by an unexpected or unplanned event, it is essential that your business has access to a disaster recovery site. Whichever location you choose, your disaster recovery site needs to be able to support your critical hardware and software. If your primary data centre is impacted by disaster, key workloads must be able to fail over to an alternate location where they can continue to operate. This could be a secondary data centre or a location in the public cloud. It’s important that these sites automatically perform backups and replicate workloads to enable a speedy recovery.
10. TEST, TEST, AND TEST AGAIN!
You can have the best plans in the world but if you have never tested them, how do you know if they will work? More to the point, how do you know that your staff will know what to do and when to do it? Do staff know the part they play during an incident? Do they know the process to follow? Testing is one of the best ways to ensure people feel included and to help them to understand the role they must play during an incident. It helps them feel more comfortable with what is expected of them and allows them to practice their response in a ‘safe’ environment without fear of messing up. Remember, it’s far better to find out if something doesn’t work or some critical data is missing, during an exercise than during a real incident, just at the point you depend on it.