Don’t be caught short. Enterprise networks and data access can go down without warning. You can’t stop it from happening, but with a good disaster recovery plan you can be better prepared for the unexpected.
Expect the unexpected – always!
We know you’ve already got a disaster recovery (DR) plan in place to protect your enterprise’s data, employees and business. But how thorough is your disaster recovery plan? When was it last updated and tested? Have you taken into account new technologies and services that can make it easier to recover from disaster?
Here are a few things your IT disaster recovery plan should include.
An analysis of all potential threats and possible reactions to them
Your disaster recovery plan should take into account the complete spectrum of potential interrupters to your business.
As part of the plan you should spell out a recovery plan for each scenario. Of course, not all scenarios are equally likely to occur. So as best you can, try to anticipate which potential disruptors are most probable.
Sadly, cyber attacks are becoming a more likely scenario, so cyber attack planning might take precedence over some natural disruptors in your planning.
A business impact analysis (BIA)
To effectively determine DR priorities, put each major information system through a business impact analysis.
A BIA identifies and evaluates the potential effects (i.e. financial, safety, regulatory, legal/contractual, reputation) of natural and man-made events on business operations.
Completing a BIA for major IT systems will allow for the identification of system priorities and dependencies. The BIA examines three security objectives: confidentiality, integrity, and availability.
Going through this process means that you’ll be able to establish priorities for your disaster recovery plan. Once you’ve completed the BIA, contingency strategies can then be developed.
You can find BIA templates and questionnaires online from Ready.gov and other sources.
People and processes are just as important as technology when it comes to disaster recovery plans. Now is the time to think about behaviours and systems: essentially all the steps needed so that everyone can start work again as soon as possible.
Also, identify by name the critical people charged with responding to a crisis.
Have a VIP Crisis list and make sure each person’s direct email, mobile number and home number are clear, correct and up to date. The people on this list are the ones to contact in a crisis, and they should know that they are being held accountable.
Work with your marketing and communications team as well as senior management to determine who will speak for your company to the victims, clients and employees in the event of a disaster. Know what you plan to say, how much you plan to reveal, and how you’ll reassure those who might be nervous about continuing business with your company.
Not everything in your business is worth saving or needs to be protected. Your proprietary information, of course, is. But any info that is for public release is not as important.
Think of it as if your house were on fire. What would you grab as you run out the door?
Don’t forget that practice makes perfect. Now that you have your plan, it needs to be tested regularly. The team involved needs to practice the processes and procedures that have been put in place, just like a fire drill. If it is not regularly practiced, the plan is ineffective.
A consideration of DRaaS
The growing practice of moving data operations into the cloud has helped give rise to disaster recovery as a service (DRaaS). These on-demand services have made DR easier and more economical, which in turn is enabling more organizations to be better prepared for disasters.
When considering DRaaS, ask how the provider will test and validate recovery of your data and workflows, as some testing is more extensive than others.
The biggest mistake most companies make is waiting until after a cyberattack or disaster to figure out what to do next.