As many may have already seen or heard, Hurricane Harvey made landfall on Texas this past weekend. Our hearts go out to all the families and communities impacted by this awful path of destruction. The powerful storm has caused wide spread damage and biblical proportion flooding throughout southeast Texas practically shutting down cities and towns. In the light of the devastation, this unfortunate event has rekindled concerns amongst the business communities about its ability to recover from disasters.
Across thousands of SMBs (Small and Mid-Size Businesses), Information Technology Disaster Recovery Plan (IT DRP) is rarely discussed in full scope. Although many are aware of its importance, with exception to larger businesses, most SMBs have limited or incomplete DRP (if any). According to the Nationwide poll, only 25% of businesses have a DRP in place. Additionally, a research by the University of Texas found only 6% of the impacted businesses survive from data loss disaster. Despondently, staggering 43% will never reopen for business and over 50% will shut its door within two years after the disaster.
Many businesses shy away from IT DRP discussion either by neglect or its low position on the priority totem pole. However, the importance of a disaster recovery plan cannot be emphasized enough especially in this day in age where cyber-attacks are common and mother nature can be unpredictable. To clarify, IT DRP isn’t about just protecting against cyber-attacks and natural disasters. IT DRP allows businesses to recover from other catastrophes and incidents including property fire, data loss (by human or system error), hardware theft, machine failures, infrastructure changes, and so on. It is an essential topic that every business should (not just discuss) create and implement.
Creating an IT DRP is an extensive project, but it is a worth-while investment. If you do not have the means to dedicate a team to IT DRP, businesses can opt to hire outside DRP specialists or IT providers that can assist with their planning and strategy. There are no specific DRP formats to follow, rather each business are entitled to custom build its own IT DRP as needed. However, few basic elements should be considered with formulating a basic IT DRP.
Start With Business Impact Analysis (BIA)
A BIA is an internal study that shows the priority level of what processes are most crucial to least important based on the business workflow and operations. This would be a good starting point to list the hierarchy of each department and its operations. While considering the hierarchy/prioirty, also consider the subset of the BIA which includes the following segments:
Recovery Time Objective (RTO)
Recovery time objective is usually the maximum acceptable length of time that your system can be unavailable. This can be in conjunction with the service level agreement (SLA) or contracted agreement between you and your clients.
Recovery Point Objective (RPO)
Recovery point objective is the maximum length of time that data is unavailable from the system application (after a disaster). If your business operates with dependency of real time data, this will be a bigger part of your consideration when creating the DRP.
Hardware and Physical Inventory
Make note of all hardware and machine inventory, specs, and infrastructure. This would include onsite and offsite locations including desktop computers, printers, servers, network components, switches, telephony system, security access (credentials) and company mobile devices including laptops and phones. This information will also come in handy when working with your insurance if claim is needed. Keep in mind most insurance do not cover actual data loss of the devices/machines unless there is a special supplemental coverage specifically outlined by your insurance carrier for liability. Thus, the next element is crucial part of IT DRP.
Using Offsite Data Backup
In the event of loss, the most crucial asset (more than the machine) is the data itself. Data can be transferred to another environment during the recovery. This would entail a restore from available onsite back (if undamaged) or more preferably from offsite provider or location. If there is no back up in place, consider looking into a service using backup tape for offsite retrieval. Many cloud providers offer this service. Evaluate different level of offsite back up, duplication, virtualization and full end to end recovery models as needed according to your business needs and budget.
Invest in UPS and Surge Protectors
Although power back up sounds rudimentary, surprisingly a common cause of data loss is due to unexpected power outages. Even few seconds of power interruption can have a substantial data loss that can quickly compound across multiple users or interrupt online services requiring machine reboot and down time. Use of uninterruptible power supply (UPS) or even a onsite backup generator(s) can extend the data storing and recovery in the event of a power outage to sustain critical operations for an extended time. Consider the appropriate back up power source based on your business critical needs and focus.
Review, Update, and Test DRP
IT DRP has no value if it cannot be adhered to and executed in the event of disaster. Dedicate a team (or provider) to review and update existing DRP. If none exists, consider assigning few members to spearhead the DRP project. Something is better than nothing. Once a DRP is in place, simulate an outage and test the recovery process to ensure its integrity and feasibility. Testing should be performed every quarter (3 months) if possible at a minimum. This will ensure any infrastructure changes, workflow adjustments, and the unknowns can be identified and will be minimally impacted during the recovery. Testing the DRP deployment is probably one of the most neglected step by many businesses but a crucial one.
Just like driving a car, no one expects to be in an accident. Similarly, businesses usually don’t think about dealing with the worst case scenario until it happens. But being prepared can make the difference and expedite the recovery process. IT DRP isn’t just about having a contingency plan in the event of a natural disaster or massive hacking. It is designed to help with the hiccups that don’t make the headlines including internal data loss and human errors. Having a strategy and plan is an essential element of sustaining the business operation, reputation, brand, and growth. Regardless of what stage of IT DRP planning you may be in, it’s never too late to start one or update an existing one to ensure its effectiveness down the road.
On a closing note, as a strong supporter of the Red Cross, we encourage you to contribute and help. For those who would like to contribute and donate to the hurricane relief efforts, you can simply donate by texting the word HARVEY to 90999 (this will initiate a $10 donation to Red Cross). Alternatively, you may also visit www.redcross.org or call 1-800-RED CROSS. Always verify the charity websites and its legitimacy before making any donations to prevent scams, identity theft and misuse of your information. Thank you.