Your business faces a massive volume of threats, spread across a larger surface than ever before. Disaster recovery is critical to your security posture, as it’s often not a question of if you’ll suffer a cyber-incident, but rather of when.
With a good disaster recovery plan, you can weather just about any storm.
A Clear Idea of Potential Threats
It’s impossible to identify every single risk your business could possibly face – nor should you put time and resources into doing so. Instead, focus on the disasters you’re likeliest to face. For instance, a business located in Vancouver probably doesn’t have to worry about a tornado, but there’s always a chance that it could be struck by a flood.
When developing this list, consider your industry, the technology you use, your geographical location, and the political climate where you’re located. Incidents that impact all businesses include ransomware, malware, hardware failure, software failure, power loss, and human error. Targeted attacks are another threat to your organization, particularly if you work in a high-security space – and you may even end up in the cross-hairs of a state-sponsored black hat.
Ideally, your crisis response plan needs to be flexible enough to deal with any incident you deem likely, and adaptable enough that it can be applied when you encounter an unexpected disaster.
An Inventory of All Critical Assets
Make a list of every asset you control, both hardware and software, and arrange that list in order from most important to least important.
• What systems, processes, and data can your organization not survive without?
• What hardware is especially important to your core business?
• What sort of tolerance does your entire organization have for downtime and data loss?
From there, you’ll want to ask yourself a few questions…
First, what systems are absolutely business-critical? This is hardware and software your business cannot operate without. This could include the server that hosts a customer-facing application, as well as your domain controller that you’ll need for authenticating to your network.
Second, what data do you need to protect? Healthcare organizations, for example, are required to keep backups of all patient data and ensure that data is encrypted and accessible at all times. Identify what files are most business-critical and prioritize those in your response plan.
Third, for the assets mentioned above, what is their tolerance to downtime? If those systems do go down, how much revenue will you potentially lose for each minute they’re offline? Are there any other considerations aside from revenue that mark them as important? For instance, a communications platform for first responders needs 100% uptime – lives literally depend on it.
Fourth, what can you do without? If you run a home-repair business that brings in customers mostly through word of mouth, your website going down probably won’t be too harmful to your bottom line. If, on the other hand, you’re an eCommerce store, your website is likely one of the most important assets you’ve got.
No two disaster recovery plans are going to look the same. Every business has different assets they need to protect, and a different level of tolerance for downtime.
Once you’ve identified your critical assets, ensure you have backups and redundant systems in place. These failover methods need to be thoroughly tested. You must be absolutely certain they’re in working order -- you don’t want to find out the files on your backup server are corrupt after you’ve lost your hardware in a flood.
Accounting for People
Too many disaster recovery plans neglect the business’s most important resource – its people. How will employees escape the building during a catastrophic event? What should each staffer do during an emergency? Who’s responsible for coordinating emergency communication, reaching out to shareholders and ensuring all critical systems failed over properly?
Ensure that roles and responsibilities during an incident are clearly-defined and well-established. Importantly, you’ll also want a crisis communication platform and ensure that everyone has access to that platform.
When establishing your communications guidelines, make sure you attend to the following:
• How you will keep in touch with partners and shareholders?
• How you will notify customers of the incident?
• How employees will communicate during the incident?
Managing Recovery and Service Restoration
After you have weathered the storm, it’s time for recovery. You should already have a good idea of what services are most critical to your business from the inventory you performed, so this is a fairly simple process to figure out which ones to restore first.
What you need to establish beyond service restoration is who you’ll reach out to, and how you’ll reach out to them. If clients or shareholders suffered monetary losses during the incident, how will you reimburse them? After the crisis has subsided, what will you do to improve your response in the next incident?
Practice and Evaluation
It’s been said that “no plan survives first contact with the enemy”. That’s true of disaster recovery as well – if you leave your plan untested until your first disaster, it’s likely you’re going to find weaknesses at the worst possible time. To identify areas that need improvement and familiarize staff with their responsibilities, run regular practice scenarios.
Additionally, you should frequently revisit your disaster recovery plan. Approach it as a process, not a project.
Look for ways to improve and re-evaluate it in light of new technology or new threats. Never assume you’ve done enough. You can always be better.
Don’t Let a Crisis Cripple Your Business
Natural disasters. Hardware failure. Hackers and rogue employees. Malware and ransomware. The array of different threats facing your organization is absolutely staggering. A good crisis response and disaster recovery plan is critical if you’re to survive.