Human nature being what it is, most of us make every possible excuse to avoid considering Disaster Recovery Plans (“DRPs”), even though we understand their necessity. We put it in the same category as flu shots, anniversary cards and other things that we only do at the last minute, if at all. DRPs are actually the technological aspect of Business Continuity Plans (“BCPs”), which provide the ability to respond in a timely manner to an interruption in business services. And you shouldn’t fail to consider a disaster of a different nature: Litigation. You should have some sort of Legal Response Plan, which stores electronic data so that it will be available in the form and within the time required for legal proceedings. Naturally, most business owners believe that a disaster will never happen to them and that a plan is a needless expense, so they operate without one. Until it happens the first time and, hopefully, they can recover from the loss.
The problem is, there are lots of disasters that can affect your data or your business, and you can’t do much about recovery if you wait until after the fact. When your computer is down, your data may be lost, and along with it your entire business. An excellent example would be those users infected with the cryptovirus, malware which locks your computer’s data and refuses to release it until a ransom is paid. There is no anti-virus or anti-malware program that will save you the $600 or so to get the encryption key to unlock the data. But, if you have backed up your data and stored it unconnected to the computer or system (not the cloud, not an attached external or flash drive), you simply erase the encrypted data and copy it back from the external backup. According to the U.S. Department of Labor, a whopping 93% of businesses which suffer a significant data loss go out of business! And studies (e.g. MSI International (2009)) consistently show that small and midsize companies almost universally believe that it is the larger organizations (501+ employees) that are the preferred victims for hacking, although the facts show that smaller organizations are actually more at risk. Ponemon Institute found in 2016 that 50% of companies had customer and employee data breaches in the last 12 months, 75% of which evaded their anti-virus solutions, almost half of the companies categorized as small to medium. Can you afford this? Moreover, some statutes represent areas where disaster recovery planning intersects with the law (e.g. FFIEC guidelines; Foreign Corrupt Practices Act; OSHA; NFPA; IRS Records Retention; HIPAA; Federal Computer Security Act, to name just a few). And as smart phones, netbooks and telecommuting have converged into workforce computing, it becomes even more important to secure company data from intentional or negligent disastrous dissemination.
The very first step in drafting a DRP is to identify the types of disasters you may be subject to and their probability of occurrence. Sure, you’ve got to consider weather disasters such as hurricanes and floods, but there are lots more “disasters”. Consider: Fire; theft of all or part of the computer system or its data; power disruptions or failures, either partial or complete; computer software failures; computer hardware failures; computer intrusions due to hackers; computer viruses (like the Cryptolocker virus, the only cure for which is to restore from your data backup); processing shutdowns; intentional damage or theft of computer data from internal or external sources; theft of hardware (stealing a router for home use, selling the corporate cell phones on eBay); terrorist acts; EMPs; and other things that we haven’t even imagined. For example, consider situations where your facilities and equipment may be available, but you cannot have access to them. A localized event, such as an accident on an adjacent roadway or a fire in a nearby building, could prevent access to or use of your applications and data. The 2008 scaffolding collapse, when construction of the 40-story Conde Nast building on West 43rd Street in New York turned the immediate area into a disaster area, paralyzed the entire Times Square area for more than a week. In the wake of Hurricane Katrina, some secondary or remote storage systems were also damaged in addition to the primary systems. Down here in Florida, new construction constantly severs cable, telephone and electrical cables, and conduits undergo continuous deterioration due to water and condensation in the pipes. What if e-mail is a critical component of your business? Could you function without access to the server?
Each of these items can affect the availability, integrity and confidentiality of critical business resources and leave an organization virtually dead in the water and possibly susceptible to compromise of its security measures.
The purpose of a DRP/BC plan is to put the company back into operation in the shortest amount of time with the greatest degree of efficiency. It’s actually a race against time, with the specter of possible bankruptcy right around the corner. Therefore, selecting your RTO (“Recovery Time Objective” - i.e. how quickly you need to recover, which will dictate the type of advance preparation you’ll need) should be your primary objective in devising your DRP, as should your RPO (“Recovery Point Objective” - i.e. how much data will be lost between backups, which determines how difficult it will be to recreate if it is lost, thus how often it should be done). If your company experiences a disaster, you’ve got to reduce downtime, maintain acceptable cash flow, preserve and grow your customer base, continue supply of services/products, maintain employees, maintain your reputation and public confidence, mitigate any loss of investor or creditor confidence, mitigate possible legal liabilities and maximize insurance recovery, all at the same time as shock and dismay have set in after experiencing a serious and traumatic disaster. Your plan will also necessarily be more complex if you are using virtualization software, cloud computing or external devices such as smartphones or flash drives. Monitoring becomes more necessary as elements of your business that were traditionally separate become intertwined in terms of data usage.
As discussed above, recovering your computer services is only one part, although a major part, of your disaster recovery plan. At this point, many small businesses have already implemented such basic technology as tape and flash drives or optical storage to back up company data or geo-redundancy of servers. But they’ll discover that it takes literally days to recover 200 or more gigabytes of data from tape, NAS or on-line archives onto a new computer system. A better idea may be to use cloud computing to store backups. Using DRaaS (disaster recovery as a service) may make quite a bit of sense to a larger enterprise. Rather than requiring a re-creation from a backup, cloud computing requires only a recovery of the metadata, so that a client can be in operation almost immediately after a disaster, simply by signing in from any location. These companies, such as Nasuni or Double-Take Cloud from Vision Solutions, cost anywhere from $85 to several hundred dollars a month, depending on the amount of the data. They, in turn, share space on large cloud computers and interface with your business. Some companies offer a service that, if it senses your computer system is down, will immediately “go live” from the cloud.
It’s no fun planning for the worst, but it is absolutely necessary. Some of the companies which lost their assets and data in 9/11 were actually up and running in rented space in NYC in less than two weeks after the disaster. Others never recovered and went out of business. No one could have ever foreseen two jets flying into their office building, but those who had an operable disaster recovery plan were glad they had one.
One of the benefits of being forced to think about possible disasters is that the process may well reduce the likelihood of a crisis by identifying and correcting vulnerabilities in business policies and procedures that could lead to business disruption. You should assure both the security of your data and its availability before and after a disaster. You should consider your usage of smartphones, laptops or netbooks to communicate with the office computers and protect yourself from any negative impact that may arise, including viruses, external intrusions or employee theft of proprietary data. You should consider protecting your network from intentional or accidental corruption through the use of external USB devices. [Just remember that even the Pentagon experienced “the most significant breach of U.S. military computers ever” in 2008 when someone plugged a portable flash drive into an American military laptop at a base in the Middle East, allowing Pentagon computers to transfer data to servers under foreign (suspected Russian) control, in what became known by the L.A. Times as “Project Buckshot Yankee.”] We have found that there’s an excellent chance that you may not even have a comprehensive list of your applications and data, their locations and responsible personnel, until you start thinking about a DRP. So this can be a good thing.
You may think you can get through a disaster O.K. if things go south, but your employees, customers and suppliers may expect a real plan. For their sakes, for example, you should have already established a “central command location” and person(s) who will operate that location to immediately contact employees and deploy them and notify the customers and assure them that you’re on the ball. Seems simple, but not doing this can cost you your operation.
Even large companies like Microsoft and Amazon have learned that redundancy and point-of-failure protection are no match for coincidences.
The purpose of the DRP is to plan ahead, in writing, for anticipated and unanticipated business disruptions and decide in advance the policies and procedures for coping with them. The plan must consider the likelihood of various events, how they will affect the business, the budget for the plan, your recovery time objectives (“RTOs”) and recovery point objectives (“RPOs”), and personnel and time which can be devoted to the plan. After these considerations, you will be able to determine how much data must be backed up and how and where it should be stored and retrieved, and other security and recovery procedures and policies. Metadata classification has proved particularly useful in this regard, allowing you to identify all of the data in the organization and categorize it by priority. After the plan has been reviewed, it MUST be tested by all involved to prove its viability.
You say you’re not a Fortune 100 company and really don’t require redundant drives, network attached storage, SAS70 Type II certification (an industry standard that is awarded to vendors or service providers that adhere to certain criteria to ensure security and control) and off-site availability? You can still have a simple plan for protection and prompt retrieval of data and hardware and for recovery if disaster hits. It doesn’t necessarily have to be complicated or expensive, but it does have to be comprehensive.
We are expert in the drafting and implementation of custom DRPs. Call us if you require our services. Soon.