10-Step Disaster Recovery Plan for Your IT Department
Many business owners simply don’t think about the topic of business continuity and disaster recovery, assuming that they’ll be fine just because they haven’t yet faced a catastrophe. Others argue that their IT department’s budget is too small to spare any funds for a hypothetical future event.
However, failing to take IT disaster recovery seriously could have major consequences for your company—including going out of business. According to the U.S. Federal Emergency Management Agency (FEMA), 40 percent of organizations will never recover from a natural disaster.
Even if your company stays afloat, the repercussions of a major disaster may include:
- Damaged reputation
- Loss of data
- Loss of revenue
- Reduced employee productivity
The good news is that there are steps you can take to lessen the risks during and after a disaster. Creating an IT disaster recovery plan will ensure that you can focus more on the other things on your plate, without having to worry that your systems are down as well.
In this article, we’ll discuss 10 essential steps that should be part of any IT disaster recovery plan.
A 10-Step IT Disaster Recovery Plan
1. Create an inventory
Every company should know exactly which IT resources—systems, hardware, and software—are used to run the business. In addition to a simple inventory, it can be helpful to add different scenarios to your IT disaster recovery plan. Consider which systems would be affected in the event of a flood, hurricane, fire, or power outage on your premises.
2. Establish a recovery timeline
Once you’ve documented your IT inventory, you can decide on the acceptable recovery goals and timeframes by which certain systems need to be back in operation. Industries such as healthcare may have a recovery timeline of mere minutes, while other industries may find longer timelines to be tolerable.
The concepts of Recovery Time Objective (RTO) and Recovery Point Objective (RPO) will be helpful here:
- Recovery Time Objective (RTO): The maximum amount of time that should pass before your IT systems recover.
- Recovery Point Objective (RPO): The maximum amount of time permissible since the most recent data backup in order for your IT systems to recover.
3. Communicate, communicate, communicate
Before disaster strikes, get buy-in from key stakeholders. Everyone should understand which IT operations are potentially affected, what would happen next, and who would be responsible for resolving the issues.
Ask employees how their work would be impacted if certain systems or networks were unavailable for a period of time. You should also create a plan for communicating with your staff in the event of a power or Internet outage.
4. Back up your data
Your options for data backups include cloud storage, internal off-site data backups, and vendor-supported backups. Maintaining your backups physically on-premises is not acceptable due to the risk of a natural disaster.
Both physical and cloud backups have their risks. Working with a trusted managed services partner can help you weigh the issue and decide which is the better option for your circumstances.
Not all of your data needs to be backed up. During the inventory stage, you should also decide which applications and information are mission-critical. It is important to understand what data is static and unchanging, meaning that you may not need to back it up more than once.
5. Consider physical damages
You may think that you’re safe from catastrophe because you’ve migrated to the cloud, but you also need to plan for physical damage to your facilities and equipment due to a natural disaster. Problems such as power outages and cut cables can bring your business to its knees. Make sure that you have a backup generator available that can keep you afloat immediately after a disaster.
6. Consider the human factor
Humans can also be a source of disaster, whether malicious or unintentional. To lower your risk of a catastrophe, lock down who has administrative rights on your systems.
Employees and third-party vendors should only have access permissions to the systems and data they need. In 2013, Target suffered a devastating data breach after attackers broke in via their third-party HVAC vendor that had external network access, costing the company $18 million. For example, salespeople likely don’t need account privileges to add users to the business network, or to view payroll and benefits information.
Staff members should also be proactively educated about identifying phishing emails, which are the fastest way to get into a network and one of the most common causes of data breaches.
7. Consider insurance
Purchasing catastrophe insurance as part of a disaster recovery plan can be an interesting option if you’re worried about the costs of recovery. This means not just replacing your IT equipment, but examining the broader consequences and losses following a disaster. If this idea appeals to you, speak with an insurance professional.
8. Test your disaster recovery plan
Your IT disaster recovery plan should be tested at least once, and preferably twice, per year. After not testing their plan for several years, one of our clients discovered that all of their drives failed when trying to restore them. If this had occurred during a real disaster, the data would have been lost forever.
Any gaps that you identify during these tests should be documented extensively so that you can start fixing them. Work with a trusted MSP to learn about your options for remediation.
9. Combine DR and BC
IT is extremely important, but it’s only one part of the equation when a business recovers from disaster. Business continuity (BC) refers to the organization-wide strategy to maintain essential business operations as much as possible during and after a catastrophe. Create and test a full BC plan in order to be confident that you can meet any unexpected event head-on.
10. Find the right partner
Disaster recovery isn’t something that you can set and forget; it needs to be actively maintained over time. You need to update your disaster recovery plan with new procedures, technologies, and equipment, as well as make any adjustments if your business needs change. Working with an MSP can be highly valuable to get another set of eyes on your disaster recovery plan, or to get some expert advice on how to create one.
Building a strong, resilient disaster recovery plan is essential. To learn more about the impact that specific disasters can have (and how to prepare for them), download our eBook, “Natural Disaster Survival Guide for Businesses.” If you want to know how your current disaster recovery plan stacks up, get in touch about our no-cost BCDR Assessment.