No one wants their business to have to weather a disaster – but sometimes they happen. If you go in without any concept of what you’re doing, you’re more or less guaranteed to be in crisis. But if you go in with a well-established disaster recovery plan? You’ll be able to survive just about anything.
Sometimes, bad things happen. Sometimes, those bad things are unavoidable. And sometimes, they impact your business in a way that could potentially lose clients, customers, and employees.
In today’s climate, your business faces a massive volume of threats, spread across a larger threat surface than ever before. Disaster recovery is critical to your security posture, as it’s often not a question of if you’ll suffer a cyber-incident, but rather of when.
Whether or not your organization survives a disaster largely depends on one thing – how well you’ve prepared yourself for it. With a good disaster recovery plan, you can weather just about any storm. Let’s talk about what such a plan involves.
A Clear Idea Of Potential Threats
It’s impossible to identify every single risk your business could possibly face – nor should you put time and resources into doing so. Instead, focus on the disasters you’re likeliest to face. For instance, a business located in Vancouver probably doesn’t have to worry about a tornado, but there’s always a chance that it could be struck by a flood.
When coming up with this list, consider your industry, the technology you use, your geographical location, and the political climate where you’re located. Incidents that impact all businesses include ransomware, malware, hardware failure, software failure, power loss, and human error. Targeted attacks are another threat to your organization, particularly if you work in a high-security space – you may even end up in the crosshairs of a state-sponsored black hat.
Ideally, your crisis response plan needs to be flexible enough to deal with any incident you deem likely, and adaptable enough that it can be applied when you encounter an unexpected disaster.
An Inventory Of All Critical Assets
What systems, processes, and data can your organization not survive without? What hardware is especially important to your core business, and what sort of tolerance does your entire organization have for downtime and data loss? Make a list of every asset you control, both hardware and software, and arrange that list in order from most important to least important.
From there, you want to ask yourself a few questions.
First, what systems are absolutely business-critical? This is hardware and software your business cannot operate without – stuff you need to get as close to 100% uptime as possible. This could include the server that hosts a customer-facing application if you need an example.
Second, what data do you need to protect? Healthcare organizations, for example, are required to keep redundant backups of all patient data and to ensure that data is encrypted and accessible at all times. Figure out what files are most business-critical and prioritize those in your response plan.
Third, for the assets mentioned above, what is their tolerance to downtime? If those systems do go down, how much revenue will you potentially lose for each minute they’re offline? Are there any other considerations aside from revenue that mark them as important?
For instance, a communications platform for first responders needs 100% uptime – lives literally depend on it.
Finally, what can you do without? If you run a home-repair business that brings in customers mostly through word of mouth, your website going down probably won’t be too harmful to your bottom line. If, on the other hand, you’re an eCommerce store, your website is likely one of the most important assets you’ve got.
As you’ve no doubt surmised, no two disaster recovery plans are going to look the same. Every business has different needs and requirements. Every business has different assets they need to protect, and a different level of tolerance for downtime.
Once you’ve figured out your critical assets, ensure you have backups and redundant systems in place. These failover methods need to be thoroughly tested. You must be absolutely certain they’re in working order; you don’t want to find out the files on your backup server are corrupt after you’ve lost your hardware in a flood.
Accounting For People
Too many disaster recovery plans neglect the business’s most important resource – its people. How will employees escape the building during a catastrophic event? What should each staffer do during an emergency? Who’s responsible for coordinating emergency communication, reaching out to shareholders, and ensuring all critical systems failed over properly?
Ensure that roles and responsibilities during an incident are clearly-defined and well-established. More importantly, your plan needs to include guidelines for how to shift responsibility. If the staffer who’s meant to handle coordination of their colleagues during a fire is on vacation, who steps into the role?
Your disaster recovery plan needs to account for these details, while also including a means of disseminating information between employees. Ideally, you’ll want a crisis communication platform of some kind. Ensure that everyone has access to that platform.
When establishing your communications guidelines, make sure you attend to the following:
How you will keep in touch with partners and shareholders?
How you will notify customers of the incident?
How employees will communicate during the incident?
Seeing To Recovery & Service Restoration
So, you weathered the storm. Your business is still standing. Good – now it’s time for recovery.
You should already have a good idea of what services are most critical to your business from the inventory you performed, so this is a fairly simple process to figure out which ones to restore first.
What you need to establish beyond service restoration is who you’ll reach out to, and how you’ll reach out to them. If clients or shareholders suffered monetary losses during the incident, how will you reimburse them? After the crisis has subsided, what will you do to improve your response in the next incident?
Practice and Evaluation
It’s been said that no plan survives first contact with the enemy. That’s true of disaster recovery, as well – if you leave your plan untested and unevaluated until your first disaster, it’s extremely likely you’re going to find weaknesses at the worst possible time. To identify areas that need improvement and familiarize staff with their responsibilities, run regular practice scenarios.
Additionally, you should constantly revisit your disaster recovery plan. Don’t approach it as a project. Approach it as a process.
Always look for ways you can improve it. Regularly revisit and re-evaluate it in light of new technology or new threats. And never assume you’ve done enough. You can always be better.
Don’t Let A Crisis Cripple Your Business
Natural disasters. Hardware failure. Hackers and rogue employees. Malware and ransomware. The array of different threats facing your organization is absolutely staggering. A good crisis response and disaster recovery plan is critical if you’re to survive – critical to establishing a good cybersecurity posture.