Cybersecurity measures are a top priority for businesses; protecting your own and your customers’ data with cyber-attacks on the rise is not something you should take likely. Unfortunately, no measure is infallible, and system failures and natural disasters can similarly cause disruptions to business operations. All businesses should make a disaster recovery plan to prepare for potential worst-case scenarios.
There are seven main components of any good disaster recovery plan. These include mapping out your assets, identifying your assets’ criticality and context, conducting a risk assessment, defining your recovery objectives, choosing a disaster recovery setup, budgeting for your setup, and testing and reviewing the plan.
You’ll first need to map out all your assets to identify which will need protection. Assets might include:
Building a list of assets, though tedious, will allow for a comprehensive understanding of your business’s systems. Update your list regularly as assets are added, removed, or modified, and use it as an opportunity to clean out unnecessary data.
Now that you’ve taken inventory of your assets, you need to look at them contextually. How does your business use these assets? In the case of a disaster, which assets would have the most significant impact if compromised or lost? Go through all your mapped assets and classify them according to impact, from high to low.
It’s often not possible to back up all your data. Understanding the importance of each asset and how they work together will enable you to decide which should be prioritized in your disaster recovery plan.
Not all threats are created equal. What are the biggest threats to your business as a whole? Which assets are these threats likely to target? Critical systems staff are knowledgeable about the most likely potential causes of service disruption, so getting their input at this stage is invaluable. You can’t anticipate all potential threats, but you can build an effective plan by weighing the probability and scale of each.
Recovery objectives should be categorized into recovery time objectives (RTO) and recovery point objectives (RPO). RTO refers to the amount of time your assets can be down before recovery, and RPO refers to how much data you are willing to lose. These objectives should be defined in the early stages of your disaster recovery plan so that a proper setup can be chosen accordingly.
Consult with your business’s senior management and operations staff to discuss the impact of the potential disruption for as little as one minute, to one day, or even longer. This information will allow you to define your RTO and RPO, including informing how often your data needs to be backed up.
You now have a comprehensive understanding of your assets, risks, and RTO and RPO at this stage. With this knowledge, you can build your disaster recovery setup. Some questions you might ask yourself at this stage include:
Having a remote data storage solution is essential to protect your assets from cyber-attacks and natural disasters that may physically damage your assets. With your required setup mapped out, select the cloud services, software, hardware, and partners that you’ll need to achieve this setup.
All businesses should have a disaster recovery plan, regardless of the resources they have available. Stress the importance of disaster recovery to senior management, but present several options based on different price points.
Higher budgets will have a disaster recovery plan with better RTOs and RPOs, more generous support for more critical services, and may be part of a more comprehensive business continuity plan. Each business’s needs for their disaster recovery plan will vary, and with the right information, management can weigh risk and investment in disaster recovery plan technology to find the right balance.
In the final stage, the disaster recovery plan will need to be tested and reviewed to ensure it’s ready. All staff members must understand what their role is in the case of an actual disaster. Conduct a disaster drill to test the plan itself and analyze how staff act and respond to the threat. If it doesn’t go as smoothly as you’d like, modify the plan accordingly.
A disaster recovery plan is never truly finished. It should be reviewed periodically—ideally every six months or so—to ensure it is still effective. Assets, the organizational structure, and IT setup will all change with time, and the disaster recovery plan must always be modified to reflect these changes.
Look into backup and disaster recovery services to get started, and follow the steps above to avoid disruption at your business in the event of a disaster.
Contact us at Axiom today to learn more about how we can help you make a disaster recovery plan.