The challenges of 2020 have proven that every business needs an IT disaster recovery plan when things go wrong - which as we've learned, they will. Well thought-out procedures, documented in advance, can help protect your business. We've outlined the 10 essential elements of a disaster recovery plan to help get you started!
Many businesses, for various reasons, think they don't need a disaster recovery plan (DRP), but consider this:
The majority of IT disasters (big and small) are a result of human error.
Simply put, your employees are the number one reason your organization needs to have an IT disaster recovery plan (DRP) in place.
It’s not that one disgruntled worker decides to sabotage a critical system, although that happens.
Instead, the most common risk is an employee clicking on a bad link or opening a malware-infected file from an email.
So preventing hackers, viruses, or ransomware requires having systems in place to minimize the risk of human error, and is one of the first steps you want to take from a preventative point of view.
However, other risks can include:
- Hardware failures
- Criminal acts
- Power surge/outage
- Natural disasters
- Loss of communication systems
Before you jump into building the information technology side of your business continuity strategies, you need to have an idea of the most critical elements.
Let's get started - here are 10 essential elements in disaster recovery planning.
Top Ten Essential Elements of a Disaster Recovery Plan (DRP)
1. Do A Thorough IT Assessment and Inventory
In order to put a reliable disaster recovery plan into action, you first have to do a thorough IT asset and inventory of not only your on-site hardware and software, but all your cloud-based systems and services used in business operations.
This assessment and risk analysis is generally conducted by your IT provider and, depending upon the size of your company and the complexity of business processes, your DRP assessment can take some time.
If the DRP assessment is not done or is incomplete, an organization may find it difficult to recover critical processes or data in the event of an IT disaster.
A managed security service provider can play a key role in ensuring that your security and compliance requirements are being met, regardless of your industry.
2. Plan an IT Backup Management Strategy
Once you've done a thorough assessment of your IT assets — data, systems, hardware, cloud — it's time to get to work on an IT disaster plan.
The formal strategy generation process begins when an IT engineer takes the information from the assessment and begins to examine it to see what tools and tactics will work best for your scenario and business operations.
Every organization is unique in it's reliance upon and use of data, applications, on-site assets, and cloud-based options.
It may be cost-effective for a business to migrate to the cloud instead of maintaining physical off-site data centers for DR plans.
The strategy stage of the business continuity/disaster recovery (BCDR) process is where the IT specialists use their experience and expertise to fine-tune a program that will work for your business.
3. Proper Backup Management Requires Employee Training
In order to be effective, disaster recovery strategies must be championed by top management and adopted throughout the organization.
Each member of the management team and all staff must understand their role in keeping processes within the umbrella of protection provided by the IT disaster recovery plan.
If, for example, an employee decides to make their job "easier" by downloading software from the internet without talking to IT support, they are effectively taking a part of both the company data and operations outside the protection afforded by business continuity planning and the disaster recovery plan.
An organization must invest in training employees both in cybersecurity awareness as well as their individual roles (what they should do) if disaster strikes.
4. Create Disaster Response Teams
Best practice for a disaster recovery plan is having an emergency response team that determines to what extent the disaster recovery plan must be invoked.
Once the roles and responsibilities are assigned, this team then contacts and assembles the disaster recovery team that includes IT specialists as well as key staff from the main business departments who focus on business recovery.
It's critical to create and test the plan, along with having backup staff delegated.
Team members need to have the contact information of third parties including key customers, suppliers, insurance, media, and even family members in cases of natural disaster or injuries.
Part of the response also includes a financial assessment evaluating the costs due to the disaster and the financial needs to recover from a disaster to restore normal operations.
5. Ensure Your Backups Include Data and Workflow
Perhaps the cornerstone of any IT disaster recovery plan is data backup to prevent data loss. However, it's important to note that not all backup solutions are created equal.
For example, many consumer-grade and "business-lite" backup solutions only back up data files — not your entire system. Without access to BOTH your data and your applications and operating systems, your company could have trouble with restoration.
To prevent data loss and limit risk to operations, Ntiva uses enterprise-class, image-based cloud backup procedures that mirror (back up) your entire system — not just individual files.
We leverage the 3-2-1 rule of data backup to help make sure you always have a copy of your data available for retrieval from a recovery point.
What is the 3-2-1 rule?
- 3 copies of your data files, operating system, and applications
- 2 types of storage media for your backups (We recommend one on-site backup appliance and one cloud-hosted backup destination.)
- 1 offsite location for storage of backed up resources.
Your emergency backups need to be regular, automatic, and verified at each stage of the backup process.
6. Know What Metrics to Consider in a Disaster Recover Plan
One of the things you will discuss with your IT provider when setting up a disaster recovery plan is metrics.
- What is the recovery time objective (RTO)?
- What is the desired recovery point objective (RPO)?
- How quickly can your team transition from the failed "live" system to the recovery solution?
Often, the question we get from business management is, "Can we get up and running within XXX hours?"
The answer to that RTO-related question is always, "Yes," but with that "Yes" may come a price tag.
Price most often reflects if an organization has migrated to the cloud, the frequency of backing up digital assets and how short a recovery time is desired.
The cost versus benefit relating to metrics is a necessary conversation.
7. Ensure You're Using Air Gapped Backups
Ntiva procedures create air-gapped backups, keeping cybercriminals from jumping laterally from your live systems to your backups if they enter your network and instigate a disaster in the active data center.
We accomplish this by either having a separate backup that isn't connected to the network by LAN or we utilize a backup appliance running a different operating system (with different security access) than the one used by the server and devices on the network.
This ensures an organization can recover its data within range of its RPO.
8. Backup Encryption is a MUST
Encryption of your backups is a critical step in keeping the information in your files and applications away from prying eyes.
When data is encrypted both in transit and at rest it is useless to a criminal. Although your team can retrieve and use the data, it appears as gibberish to any unauthorized user.
9. Know Your Backup Retention and Compliance Standards
Part of the encryption conversation is compliance requirements.
Many of the industry-standard and legislative compliance protocols mandate data encryption. Disaster recovery plans detail the algorithm used for data encryption in the data center and recovery procedures to meet RTO and RPO targets.
Retention of files — especially email correspondence — is a big deal for companies in regulated industries. Part of any IT disaster recovery plan needs to be policies and corresponding IT protocols that ensure that data retention expectations are met.
10. Plan for Disaster Recovery Testing Exercises
Recovery plans are only effective if people test them and everyone knows what their role is when the plan is enacted.
At least once a year, a "tabletop" testing exercise must be performed by your IT provider and key internal stakeholders to make certain that disaster recovery processes are working as they should and that everyone knows what to do in the event of an IT disaster.
It is important that each member of your recovery team be involved each year in the testing and know what’s expected for each to do in the event of an actual IT disaster.
Answer questions for employees like:
- Where to go?
- How to log in?
- Where to get instructions and information?
All of these questions, and many more, should be answered for team members well in advance to avoid chaos, lost time, and lost revenue.
Looking to set up or revise your company's Business Continuity and Disaster Recovery Plan? The Ntiva team is here to help. Let's get started.