With the current rise in cybercrime, the presence/aftermath (nobody’s quite sure) of a pandemic, and an increasingly turbulent political climate both at home and abroad, it’s an… interesting time to be alive – never mind in business.
So, do you have any plans in case something dreadful happens to your tech? How do you even define “something dreadful” within your business? Here are 10 things you’ll need to explore when creating a tech disaster recovery plan.
Disclaimer: This article is only presented as a rough guide to get our readers thinking more closely about disaster planning and is not intended as security or legal advice. For a tailored risk assessment and disaster plan that’s suited to your individual organisation, get in touch with the team!
What is a Disaster Recovery Plan?
A disaster recovery plan is a detailed plan of action for responding to unplanned and unintended tech-related events which may negatively impact business or operation. This can include instructions about what to do in cases of ransomware infection, device theft, data loss, and much more.
Why is it Important to Have an IT Disaster Recovery Plan?
Even with the most secure systems, it’s important to have a plan in case something goes wrong, no matter how basic or vague that plan may be. The goal of recovery planning is to minimise business disruption, hasten recovery times, and generally get back up and running as smoothly and efficiently as possible.
However, disaster recovery planning also gives you an opportunity to audit your IT functions, business-critical processes, assess risk, and gauge the hypothetical impacts that an incident may have on your business.
Who Needs to Be Included in Disaster Recovery Planning?
- As many people as possible! To form a robust plan, you need a complete understanding of what processes, roles, and actions are instrumental in generally “keeping the lights on” within your organisation. So, speak to people who can help you understand all of the following – and don’t assume anything, even if you’re in charge!
- How does your business make money? Seek to understand the minutiae of fee earning, manufacturing, purchasing, marketing, sales – whatever keeps money flowing through your till.
- How do your products and services get into clients’ hands? Fully grasp the whole supply, manufacture, distribution, and delivery process.
- What “back office” work needs to take place? Explore the accounting, HR, legal, marketing, and administrative work that your team do.
- With supply chain risks on the up and up, talk to suppliers about their own security measures and assess the risk they pose to your business.
Finally, never approach any of these processes in a vacuum! Though they probably all rely on IT, there is likely to be a good deal of IT flowing between these processes, effectively holding them together. Seek to establish how your various IT systems interact and what measures currently keep things running smoothly and securely?
What to Include in an IT Disaster Recovery Plan
Assess Your Business’s Critical Needs
Consider the information you’ve gathered from your team and suppliers above. What processes and IT tools do they absolutely need in order to do their job? Assess each instance of software or data access and establish their criticality. If you’d be sunk without a given tool, then it’s highly critical and should be protected as much as possible, but consider alternatives and workarounds for all software, hardware, and data access.
Consider the techy touchpoints between departments and functions. For example, sales, purchasing, and accounts payable may all use different parts of your accounting software. If there is a slight gap between two functionalities, how are your team currently bridging that gap – and could that be automated?
Turning from software to hardware, ask yourself how important are your different physical resources like servers and network infrastructure? How badly would your different departments be affected if a primary server went down? Or if your firewall became overloaded and stopped protecting some or all of your network? If one of your mobile devices were stolen or accidentally left in a public place? What would – or could – protect you?
Turning to even more dire circumstances – how badly would you be affected if your PCs or servers were stolen from your premises? What about extended power cuts or rolling blackouts? What if your premises were suddenly destroyed or rendered uninhabitable – with your tech still in it?
Assess and Acknowledge Your Level of Risk
Now for one of the most important questions of your disaster recovery plan: what risks are out there and how might they affect you?
Here are a few common considerations, though it’s hardly an exhaustive list as each list item contains multitudes! Your aim here is to come up with a list of potential incidents, an idea of their severity, and an idea of their likelihood:
- Cybercrime: 39% of surveyed organisations fell victim to cyber attacks in 2021. Consider your business’s individual chances of falling victim to individual instances of cybercrime, including phishing, malware, persistent threats, DDoS attacks, active hacking attempts, and many others. If you handle particularly sensitive personal or payment details, that may prove a tempting prospect for data theft.
- Device Loss, Damage, or Theft: What are your chances of hardware loss, damage, or theft in the course of normal work? How likely is it that a team member will leave their laptop on a train, or that a company mobile phone may get dropped or pinched out on the road? Consider your existing policies around business-owned portable devices and the chances of loss, theft, or damage. Also consider what would happen if someone broke into your premises and stole your hardware – physical security impacts cybersecurity too!
- Regulatory Compliance: Think about your responsibilities under legislation like UK GDPR. How much personally identifying information do you collect and how sensitive is that data? How securely is the data stored? How could it potentially make its way into the wrong hands – or simply be deleted? Be mindful of your GDPR responsibilities as you craft your contingency plans.
- Power Outages: What are the chances of your business being interrupted by power outages? Power cuts don’t just hamper productivity – sudden power loss can also cause data corruption and loss on storage drives and devices. So if you foresee the power grid having a wobbly (like the experts do for this winter), you may want to ponder solutions like an Uninterruptible Power Supply for critical, non-battery powered hardware.
- On-Premise and Cloud Resources: Take stock of resources and software you use and whether they are stored on the premises or in the cloud. A move to the cloud could make a clerical business much more resilient if you ever had to vacate your premises and work elsewhere. Cloud-based technologies like SaaS software, cloud storage, and VoIP technology also better facilitate seamless hybrid working practices too.
- Fire or Other Premises Disaster: Unlikely though it may seem, it’s well worth considering what you would do if your premises were partially or fully destroyed. Obviously you’d have more problems on your hands than just your IT – how would you go about resuming some semblance of “normal” operations? Office-based companies will have an easier time here if they move operations to the cloud, but organisations in manufacturing or healthcare need really good backup plans!
- Rising Costs: The cost of living crisis isn’t just hitting households – it’s hitting us all. How would you handle a sudden, large price increase from a crucial supplier? How are you currently dealing with the rise in energy and fuel prices? The semiconductor chip shortage is still running rampant, with server hardware particularly suffering at time of writing. Can you streamline your IT to allow for some financial wiggle-room if needed?
- Internal Threats: Could a disgruntled team member invite a vulnerability in or actively leak or steal data? What motive might they have? What could an unhappy internal party get away with as things stand? Consider how fit-for-purpose your IT policies are at present and which team members have particularly high-level access.
What Preventative Measures Do You Have and Do You Need?
With the above info in mind, consider what preventative/mitigating measures you have – and what measures you don’t have – for each risk listed. What disaster prevention measures do you currently have at your disposal – whether that’s cybersecurity, fire suppression, premises security, or something completely different? Could you do more with the time and budget at your disposal?
Here are some measures to think about given the above list of potential risks – again, not an exhaustive list, but hopefully it will help get the grey matter firing:
- How secure are your backups? Remember, backups that are always connected to devices can become infected along with that device. It makes sense to keep at least one full backup of your systems on a drive that is only plugged in when a backup is being taken or restored. By “air-gapping” your backups like this, they are kept safe from online threats and are ready to spring into action when needed.
- As hinted at above, it may make sense for you to move your tech operations and telephony into the cloud wherever possible. Cloud computing costs are rising (likely due to the chip shortage and the current “cost of everything” crisis) – but could you be risking more by keeping on-premise servers, telephony, and software?
- Invest what you can into good network and cyber security. That means firewalls, Intrusion Prevention Systems (and their WiFi cousin), DNS Filtering, Multi-Factor Authentication, and even managed security monitoring. This might sound like a lot, especially for micro-businesses, but smaller organisations will be glad that you may not have to break the bank…
- Look into your physical security options such as security surveillance, access control systems, and even manned security if you have the budget for it.
- Maintain at least some capability for hybrid working practices in case some or all of your team need to work from home at a moment’s notice. Not only is this ideal for situations where your premises are inaccessible, but also in cases of sudden wide-spread illness or safety measures like the “ping-demic” of 2021-2022.
- Digitise important legal documents and/or keep their physical counterparts off-premise to save from tampering or damage. Failing that, keep them in a locked fire-safe case or cabinet.
- If you have devices that need to be kept running in any eventuality, consider a UPS or generator. However, be aware that any fuel needed to run a generator will be beholden to contemporary fuel prices.
But aside from these suggestions, think carefully about how you can prevent or at least minimise each risk.
How to Create Your Contingency Plans
Now it’s time to decide what you’re actually going to do in the event that each risk takes place. For each risk (or category of risk), establish…
- How you’ll identify that a particular kind of incident has taken place. Ransomware infections and broken hardware are often quite obvious – but not always. Make yourself aware of how to identify less-than-obvious threats like a DDos attack, IoT malware, or compromised credentials.
- What actions do you need to take should each incident take place? Some risks may involve letting insurers know, communicating with team members outside of work, yet some risks may simply need a single device restoring to factory settings. Make plans around each possibility, accounting for differing levels of severity.
- For each plan of action, establish an ideal timescale – when do you need to start taking action and when would you ideally like your contingency plans fully implemented by?
- What people/roles are required to help in each event and what does each person need to do? When things go wrong, you need a good team by your side. Some folks may be needed to simply get the word out, some may be needed to help with technical issues, some may be needed to run errands. Establish what you’d like each job role to do and clear each required action with the people in those roles to make sure they can step up.
- Create communication protocols and templates to inform staff, clients, and your supply chain if needed.
Communicate Your Contingency Plans
Draft your initial plans and share them with the team, directly requesting their feedback. Be open to their responses – even with everyone’s help, it’s likely that some functional considerations will have been missed. Redraft your plans as necessary and make sure everyone is familiar with those plans and any responsibilities that fall to them.
Test Your Plans
Now it’s time to put things to the test. Trial your intended contingency plans for a day – does everything go without a hitch? Or is more work needed to iron out the wrinkles? Will your team need any extra tools or training to keep everything running smoothly? Test your plans until you’ve got things working as smoothly as possible.
Regularly Review Disaster Recovery Plans
Contingency plans should never be a “set it and forget it” thing. Schedule in time to review your risk assessments and disaster recovery plans every 3 to 6 months. Do it sooner if things change, such as:
- Your business changes function: e.g., your business structure or ownership changes; or you invest in new technology.
- Your business changes focus: e.g., you pivot to a new market or you start selling something different.
- Your business’s risk profile changes: e.g., your business becomes more well-known; starts collecting more sensitive data; or is at the mercy of industrial action or political affairs.
And remember the old adage: when you fail to prepare, prepare to fail!
Need some experienced input? Is this all a bit much to handle in-house? Get an expert pair of eyes on those disaster recovery plans! Request a call back from our friendly team today.