Table of Contents
Your organisation probably needs a functional IT environment. So what happens when your hardware or software stops working? A disaster recovery (DR) plan can help restore your operations as quickly as possible – with minimal financial and data losses.
But putting together an effective plan isn’t always easy. This article will cover why every business should have an IT disaster recovery strategy and break down 5 DR principles you should incorporate.What Is an IT Disaster Recovery Plan?
An IT disaster recovery plan is exactly what it sounds like: a set of policies, procedures and documentation designed to keep your data and IT infrastructure accessible, secure and operational if an adverse event occurs.
There are two basic components to any IT disaster recovery plan. The first is data security. Your DR plan should follow the CIA triad – that is, your data should be kept confidential, integrous/intact, and accessible. If you lost important data following an event, for example, your DR plan would have failed the ‘intact’ component.
The second component is operational resilience. How quickly can your organisation’s IT environment return to full functionality? Operational resilience could range from securing a digital environment after an intrusion to procuring and deploying key hardware following a physical disaster.
There are also other disaster planning aspects, like prevention, detection, and response, which can be included in your DR plan (although, often, they’ll fall under your overall security plan instead).What Constitutes a Disaster?
The word ‘disaster’ connotes a natural catastrophe – a cyclone, a bushfire, a flood. But, in a business context, it actually refers to any adverse event that significantly disrupts operations.
That could range from a physical disaster (natural or otherwise) to a cyber security breach. In some cases, a disaster could be as simple as a key person, like a business founder, dying – without anyone else having access to their digital accounts.Why a Disaster Recovery Plan Matters
Most organisations are aware that they need cyber security. Even if standards like the Essential Eight aren’t actually met, non-technical leaders understand that threat actors can and will attack their businesses, and they generally take steps of some kind to prevent that from happening.
But disaster recovery is a different beast. A 2021 study of 150 UK organisations found that just 54% of survey respondents have a DR plan in place – a figure that’s representative of what we see in day-to-day practice. Maybe it’s optimism bias. Maybe it’s a lack of awareness. Maybe a ‘maybe’ scenario takes a back seat to more pressing operational concerns.
Either way, DR plans are non-existent or immature in many organisations. That’s a problem, because nearly 94,000 cyber security reports were lodged with Australian law enforcement in FY 2022–2023. There’s a high likelihood that an adversary will attack your organisation at some point – and, if something goes wrong, you need to be able to recover quickly.
Remember: if Facebook and LinkedIn can be breached, so can you.How to Develop an Effective DR Plan
One of the hardest parts of DR planning is knowing where to start. Use these 5 principles if you’re developing a new plan or refining an existing one.
(If you don’t have an IT team with experience in resilience and DR, it can be a good idea to engage an experienced MSP to help you. They’ll be able to streamline the planning process and ensure your measures are compliant with any relevant standards.)
1. Identify Your Priorities
Every organisation has critical functions that it needs to operate at the most basic level. Your DR plan should identify what those are for you. One of the easiest ways to do that is to conduct a business impact analysis (BIA).
A BIA typically:
-
identifies all business activities
-
identifies the people, infrastructure, systems and applications (resources) required for each activity (dependencies)
-
quantifies the impact of each activity’s cessation on business health (generally using a 5-point severity grading framework across different timeframes; the point at which a given activity reaches ‘5’ is called its maximum tolerable downtime (MTD))
-
prioritises the recovery of all activities based on their MTDs.
2. Have a Clear Plan
Once you know what your priorities and their dependencies are, you need to define when your plan is activated and who does what. Your IT DR plan should sit within your organisation’s broader DR framework, so its scope should be restricted to restoring IT-owned resources.
Your plan should answer questions such as:
- Who is responsible for developing, maintaining, and testing the DR plan?
- Where are copies of the DR plan stored and who has access to them, keeping in mind that your plan may contain sensitive information?
- What criteria must an incident meet to activate the DR plan?
- How is an incident initially identified and escalated?
- Who is responsible for making the decision to activate the DR plan?
- Once a decision has been made, how is the decision communicated to all relevant stakeholders, keeping in mind that normal communication channels may be unavailable?
- What central location should the plan’s execution be coordinated from?
- Where are your designated recovery sites?
- How will resources be restored, and who is responsible for taking the required restoration actions for each resource?
- While resources are inaccessible, how can their dependent business activities be restored?
Your plan should follow the SMART criteria: specific (such as having one owner per task), measurable (such as clearly defining activation and restoration criteria), achievable (such as planning for multiple scenarios), realistic (such as accurately gauging MTDs), and time-bound.
Keep in mind that your plan will require supporting documentation – information like key personnel, staff contact details, and current service provider contracts (which will likely overlap with your existing records).3. Have Multiple Backups
Most adverse events impact data, not IT infrastructure – and, for most organisations, data is exponentially more important than a few fungible pieces of hardware covered by insurance. Even if you don’t have a fully mature DR plan in place, make sure you back up your data.
Aim to follow the 3-2-1-0 rule, which means having:
- 3 different copies of data
- stored on at least 2 different media
- with one stored offsite
- and zero errors following backup recoverability verification.
4. Be Realistic
We talked earlier about how optimism bias often stifles disaster planning at the outset. It’s equally fatal when it’s embedded in a plan that looks, on paper, as though it works.
Unrealistic assumptions can range from ‘that won’t ever happen here/to us’ to ‘we don’t need multiple redundancies’ and ‘we can definitely get everything back up and running in 2 days’. During your planning, be pessimistic – or work with someone who can be. You need to assume that everything that can go wrong will go wrong.
At the same time, be realistic about costs, recovery point objectives, and recovery time objectives. For example, you might run daily incremental cloud backups, but only write to offsite tapes once a month to mitigate unnecessary transport and storage costs. It’s also important to look at opportunity cost – how much will it cost your business to have a given resource unavailable versus the costs involved with recovering faster?5. IT Isn’t the Only Consideration
It’s worth noting that, while this article is about IT disaster recovery, any non-cyber event will impact more than just your IT-owned resources. A building fire, flooding, theft, power outages – each one will have business-wide impacts.
Make sure your IT DR plan is congruent with your business-level disaster recovery and continuity plans. The last thing you want during a disaster is to have multiple departments in conflict because their DR plans are running on different timelines with different criteria. Use the same methodology for all plans, make sure all executive stakeholders have discussed and approved them, and have them tested at the same intervals (and, intermittently, together).Next Steps
Designing an IT disaster recovery plan that’s realistic, effective, and cost-viable isn’t straightforward. Your controls need to be tailored to your priorities – a professional services SMB could be offline for a few days without major business implications, but even an hour of unavailability in a hospital could lead to patient deaths.
Defining those priorities and implementing appropriate controls is easiest when you have a team with DR experience. We’ve helped more than 500 organisations prepare DR plans and data backups, ranging from small accounting businesses to aged care facilities with high availability requirements.
To learn more about what DR planning involves – or for an independent review of your existing DR plan – schedule a consultation with us.- List Item #1
- List Item #1
- List Item #1
- List Item #1
- List Item #1