Disasters strike without warning, wreaking havoc on small businesses with devastating force. Just look at the infamous coronavirus pandemic—a stark reminder that prevention is often out of our hands. But here’s the thing: while we can’t stop disasters from happening, we can prepare for them. That’s where the power of a rock-solid disaster recovery plan comes in.
What exactly is a disaster recovery plan? Put simply, a disaster recovery plan refers to the measures you implement to minimise the impact of a disaster.
Being proactive and having a stringent disaster recovery plan in place will ensure your business is equipped to combat a crisis, maintaining business operations, protecting data, and avoiding disruption to you and your clients where possible.
In this article, we’ll cover how to establish and execute a disaster recovery plan, including how to develop an emergency response team, create a communication plan, and accurately back-up your data.
Understanding the potential threats to your business continuity
Threats can range from pandemics to office break-ins, and small businesses aren’t immune. Here’s a breakdown of some of the most common threats to business continuity today.
- Cyber attack – Since the early 2010’s cyber attack has consistently topped the charts for posing the most serious threat to businesses globally. As technology advances, attackers are evolving and finding more loopholes to access your systems. A proper cyber security strategy is fundamental to protecting against cyber criminals, no matter the size of your business.
- Core IT Infrastructure failure – Servers failing, firewalls failing, and network switches failing can all cause downtime and disruption to varying extents. While these failures can be planned for and redundancies can be put in place, they still pose a significant risk to business continuity. Ensuring the reliability and resilience of your core IT infrastructure is crucial to minimizing the impact of such failures on your operations.
- Natural disasters – In London, you may not think of natural disasters as a real threat to business. However, whilst we don’t often experience tsunamis or earthquakes, we’re certainly accustomed to experiencing adverse weather conditions. Anything from storms, to floods and fires, could damage your IT equipment, servers and systems, causing data loss and disruption.
- Human error – Humans are prone to making mistakes, and even with the best intentions, your employees could put your business at risk. It’s not uncommon for people to accidentally delete important data, drop and break a laptop, or spill a drink over a server. Whatever the error, having a disaster recovery plan in place will help to maintain business continuity – and save your employees from embarrassment!
- Theft or loss – Hybrid working means that our devices are on the go more than ever. How many people do you know that have lost a phone? Or left a laptop at a bar after work? If these mobile devices end up in the wrong hands, this could pose a serious threat to your security. Moreover, what if your office is broken into? Thieves could access an abundance of sensitive data, putting your reputation and finances at risk.
- Health concerns – This hardly requires explanation given recent events, but generally the spread of infectious diseases can put office spaces in lockdown, force home working, and cause large portions of your team to be off-sick.
What could disaster mean for my business?
The impact of disaster can be split into three key areas, all of which put your small business at serious risk.
- Financial loss – if sensitive data ends up in the wrong hands, i.e. on the dark web, you will breach data confidentiality regulations, leading to hefty fines from authorities. Likewise, if your physical assets are destroyed in a crisis and your data isn’t secured elsewhere, you will not only be unable to work but also have the financial burden of replacing your devices and/or services.
- Reputational damage – the news of data losses and security breaches spreads rapidly, and soon clients and potential clients won’t want to work with you. Having a reputation for having bad cyber security and unreliable business continuity is a fail-safe way to see your business suffer.
- Operational disruptions – disasters will usually disrupt your business to some extent – they’re often unpredictable and unpreventable. However, you can control to what extent. If disaster occurs and your business is unable to function for weeks or even months, you will lose clients, money and your reputation. By having a robust disaster recovery plan in place, you will minimise this disruption and have your team back up and running as soon as possible.
Building your disaster recovery plan
Now that you know the risks of not preparing for example, you might be wondering… so how exactly do I create a disaster recovery plan?
We’ve included our guidelines for creating a successful disaster recovery plan. However, we recommend discussing this with your IT partner so that your plan is aligned with the unique needs of your business.
1- Backing up data and systems
Your data and systems are the backbone of your business and losing access to them could be catastrophic. As such, it’s vital that you effectively backup your data and systems as part of your disaster recovery plan.
Backup types
There are two keyways to back up your data; physical backup and cloud-based backup.
- Physical backup refers to backup that happens offline. These solutions are kept locally and don’t require an internet connection, for example, a USB stick or an external hard drive. Generally, physical backups aren’t recommended in favour of cloud-based backups. Because they’re physical, they’re more prone to loss, damage and theft. However, some business owners prefer to have physical backups of very important files. In which case, they need to have the right security measures in place to protect your data, should it get lost or stolen.
- Contrarily, with cloud-based backup, all of your data and applications are backed up via the internet. Backups automatically occur in the background, continually making a ‘copy’ of all your files, folders, images etc. Cloud back-up makes it easy to access data from different locations, whilst remaining cyber secure. This made cloud-based backup extremely important, and for some businesses vital, when the coronavirus pandemic broke out.
But choosing the type of backup, be it cloud or physical, will only mean that you have a copy of the data, but in the event of disaster, the important question remains: how can you actually recover your data quickly and minimise downtime?
This is why a comprehensive backup and DR solution goes beyond simply making copies of your data. You also must ensure that business can quickly recover from a disaster and resume operations seamlessly.
Choosing data recovery solutions
It’s all well and good to have a backup and disaster recovery plan, but getting a backup solution in place that’s fit for purpose is usually the first step and can be the most difficult.
There are many different backup solutions and practises available on the market, and it can get confusing as to what you need for what types of IT systems and data.
Here is some guidance on the types of backups available and what you should be looking for.
A backup service and a full disaster recovery solution are very different things, so it’s important to understand this to start with. Having a backup service may simply mean that your data (files) are stored in a different location, be that on a physical drive or in the cloud, and should you delete or lose them, you can recover them from this backup.
However, a full disaster recovery solution will allow you to completely ‘failover’ and work entirely from a recent version of your IT system if your primary system goes down.
For example, if you have an in-house server, it’s no good just backing up the data on it. If your Server went down and your employee needed to work, having a copy of the files without a way to access them or use the applications and systems your business relies upon won’t help anyway. In this scenario, you would need a DR solution that takes a full copy of your entire Server, replicating everything. Should your server go down, you can failover to this other DR environment and work from there without issue.
If your business runs on Servers or you have storage devices in-house, such as a network-attached storage device (NAS), the traditional best practise is to have an ‘onsite and offsite’ backup solution. This is where you have a failover server in your office that does frequent backups throughout the day and then also backs up to a secure data centre or cloud storage service ‘offsite’. The reason for this is to provide a full DR solution and provide the quickest recovery of data and failover in the event of a disaster.
The onsite backup Server is able to do more frequent backups without the worry of uploading and downloading over the internet (and killing your internet connection). It’s then quicker to recover data from this, or failover completely onto the copy of your server and work from this if your main Server goes down. Think of it like a spare tyre in an emergency.
The offsite or cloud backup should offer the same replication of your entire Server (image-based backup) to protect against a real disaster (hence the disaster recovery solution!). when both your main server and backup server onsite are unavailable—think fire, flood, electrical surge, outage, etc. In these scenarios, you can connect to your backup cloud environment and work from there, accessing all the files and systems you normally would, just through a VPN or Remote desktop.
Technology is changing, though, and many solutions now remove the need for an onsite backup server because they can offer such a quick and full recovery in the cloud. It is often cheaper to have just this, as cloud storage is coming down in price and you don’t need to pay for an onsite backup server, assuming this meets your Recovery Time Objective (more on this below).
Related misconceptions
A common misconception is that cloud systems and productivity suites, like Microsoft 365 and Google Workplace, do not need to be backed up or considered in a DR scenario. Due to these Software as a Service (SaaS) applications being cloud-based, they will have redundancy and security built into them to protect against cyberattacks and outages. However, they are still at risk. Microsoft, in its T&Cs, actually recommends that you have a third-party data backup!
The reason for this is that although companies like Microsoft offer ‘redundancy, this is different from ‘backup’. Should you delete or lose data, Microsoft does not keep old versions (backups) of your environment forever, so you can lose data quite easily. These systems are also not exempt from cyberattacks, and your data can become encrypted within them without a backup available outside of their environment.
The good news is that there are many low-cost SaaS backup solutions available. These will take full image-based backups of your entire Microsoft or Google environment frequently. Should anything then happen, you have a full backup available to recover from. Many other SaaS applications also have third parties offering backup solutions for them.
Things to consider
Not all data is created equal. What we mean by that is that many companies have two types of data: ‘live’ and ‘archived’. Live data is what your employees access frequently and depend on every day, and archive data is data that is rarely accessed and maybe just kept for reference or compliance purposes. Do consider this when looking at backups, as you could consider a cheaper data-only backup for archived data and a more comprehensive DR solution for live data.
Recovery Time Objective and Recovery Point Objective: When choosing a backup and DR solution and key for your DR plan, you will need to set and agree on RTOs and RPOs. Simply put, these are the speed at which your solution will get you operational again after a DR scenario and the longest period from the last backup point you are comfortable with. These should dictate the solution you put in place, be documented in your DR plan, and be tested in DR tests. More information on RTO and RPO can be found here.
Desktop backup: Desktop backups are simply a cloud backup of what is saved on an individual’s backup. Although they’re available and cost-effective, this encourages bad practise and isn’t recommended. All data should be saved in centralised file storage and backed up as part of the company’s DR policy; employees shouldn’t be saving files on their desktops. Tools like OneDrive and Google Workspace can be setup to backup anything on the desktop automatically, but once again, try to store everything centrally to avoid silos of information and duplications.
Reporting and testing: The most important thing when choosing a backup solution is reliability, and that means reporting and alerting. Backup success reports, failure alerts, and automatic testing of a full environment restoration should be in place. Your backup provider, or preferably your IT Support provider, should be managing these on your behalf and be able to prove success and report on it frequently.
It’s not just data, servers, and systems that need to be reviewed for disaster recovery; a DR plan should include the whole IT environment and consider all dependencies within it. For example, Firewalls, Network switches, UPS systems, and internet failovers should all feature in your DR planning and testing.
2- Developing a disaster recovery team
Backing up your data is just one piece of the puzzle. Without the right team in place to prepare for and respond to a disaster, your business could suffer.
So what roles and responsibilities make for a successful disaster recovery team? We’ve detailed some guidelines below…
- A disaster response expert – A disaster recovery expert will help you formulate a recovery plan that is unique to your business. This should cover recovery objectives, dependencies and diagrams, outlining what potential crises and solutions could look like. You may have someone qualified in-house, or you may need to consult your IT partner, who will help you draw up and execute a recovery strategy.
- Business continuity experts – All businesses should have a business continuity plan to detail how best to continue operating should disaster occur. A business continuity plan doesn’t just refer to your technical needs, it should involve everything needed to keep your business running, e.g. staffing supply chains. Again, if you don’t have this skill set in-house, you can outsource to experienced consultants.
- Executive team – Decision makers are vital when faced with disaster. Your executive team should be involved in the process of planning for disasters, including determining what’s possible given budget, staffing and other resource considerations.
- Catastrophe manager – If disaster does occur, you need someone to take responsibility for managing it. A catastrophe manager should have a solid understanding of how your business operates, so they can effectively coordinate things that your disaster recovery plan cannot plan for. For example, people, resources, and timelines.
- Recovery technicians – Your recovery technicians need to be immediately available in the event of a crisis and able to solve technical issues, either remotely or onsite. Once discussing with the catastrophe manager, they can prioritise fixing issues to align with the needs of the team.
- Utilities providers – Although not technically part of your team, it’s a good idea to establish relationships with utilities providers. For example, if you experience a power outage or damage to the office, they will need to act quickly to minimise disruption.
3- Creating a communication plan
Disaster has occurred. Your data is backed up and your disaster recovery team working to get your business back up and running as quickly as possible. Now you need to communicate what has happened, what the impact is, and when it will be solved.
In the event of a disaster, communication is twofold. You need to communicate both internally (e.g. to employees) and externally (e.g. to clients, vendors, or suppliers). We recommend using multiple communication channels to ensure the message is clear.
- Email – Email is a great way to send mass comms to employees, clients, vendors and suppliers. It enables you to get the message out quickly and reassure everyone of the situation before news spreads elsewhere.
- SMS – If you use SMS as a way to communicate with employees and clients, like email, this is another great way to send information out quickly.
- Phone/video call – You can offer phone or video meetings to employees or key clients whereby you explain the situation and the potential impact on them. This could be crucial to retaining important customers.
- Social media – You may wish to explain what’s happened via social media to mitigate rumours and protect your brand. Once the situation is rectified, you can explain what happened and how you were able to solve the problem quickly due to having a robust disaster recovery plan in place.
- Traditional media – If you are a big brand you may wish to communicate with customers, suppliers, and vendors via traditional media too. Again, offer reassurance by outlining how stringent your disaster recovery plan is.
We recommend creating templates for the communication channels above and including these in your disaster recovery plan. That way, if a crisis does occur, you can edit the templates according to the situation and distribute quickly
4- Testing and updating the plan regularly
Creating a disaster recovery plan is not a one-time event. Although many companies will create one, ‘tick the box, and then forget about it, they need to be reviewed on a constant basis to reflect organisational changes, technology changes, and the ever-changing threat environment.
There are constant changes within any organisation, such as changes in equipment, office location and facilities, business processes, and personnel. All of these feature heavily in a DR plan. Your technology is also likely to change over time. You will be adding new software and new hardware, all of which may need adding to or updating within the DR plan. The methods used in cybercrime are constantly changing, with new threats emerging and evolving on a daily basis. It’s important to ensure your DR plan addresses these new threats and the impact they could have on the business and a DR scenario.
Testing is a very important part of an effective DR strategy and should be used to validate that the DR plan in place is effective and still relevant. It should be expected that after tests, the DR plan will need updating. That’s ok; it’s a constantly developing process.
The first step in your testing process should be to create a testing plan. This plan will consider certain scenarios that could play out within your environment, including Cyber Security attacks, hardware failures, and even quarantine contingencies. Identify the biggest risks within your environment, test these scenarios first, and allocate the personnel involved in these tests.
A low-impact but good approach is a ‘tabletop’ exercise. You gather the relevant people together and simulate what would happen if a specific scenario occurred, walking through the steps to ensure everything is covered. This has the benefit of not disrupting operations or needing to be done outside of working hours to avoid this.
The most effective approach is to simulate the actual scenario itself in a ‘functional exercise’. Testing the impact and recovery/response process without causing a loss of operations. For example, simulating the failure of a core network switch You can observe the impact this causes, understand the turnaround times involved in replacements from hardware provider SLAs, and then the installation process and time for this, along with the communication needed throughout. All of which can be partially simulated by having a spare switch onsite for replacement, planning this out of business hours, and simply factoring in the time frame for the replacement to arrive.
How with Sereno can help
At Sereno, we can provide multiple backup and DR solutions to fit our partners needs. We take the time to understand what our partners recovery time and point objectives are and then find the right solutions for them, even tailoring ones to meet their needs.
We understand that it’s often backups and DR solutions that keep people awake at night, so it’s our job to remove that worry. We do this by providing proof and reporting for your backups; these can be automated to be sent to you directly or simply reviewed in a quarterly review meeting with your dedicated technology advisor. We take the success of backups seriously and only provide solutions that give us real-time alerting and reporting to always ensure success.
The benefit of having your IT support provider manage your backups is that your DR plan just became much simpler. One point of contact for response, recovery, and communications with your team Our aim is to take ownership of your entire IT environment, providing cyber security, infrastructure, and disaster recovery. This way, you can rely on us to keep you secure and recoverable at all times.
We are also best placed to help create and test DR plans for our partners. We understand your entire environment, can identify the biggest risks, and then suggest testing scenarios that are less impactful during operating hours, removing the burden from your employees.
Whether it’s virtual environments, physical servers, or cloud applications, we can find the right solution for you and manage it all on your behalf.
So, what next?
If you haven’t yet established a disaster recovery plan, or aren’t sure whether your existing plan is up to scratch, we can help. At Sereno, we specialise in disaster recovery plan for small businesses. Simply contact us today to speak to one of our experts, who will help determine the plan course of action in line with the unique needs of your business.
