Protecting ourselves from the worst is human nature. Look no further than the various forms of insurance and protection we purchase for our cars, homes and health, as well as the constant struggle to safeguard our personal information each day, and you’ll see this is true. Shouldn’t business owners and IT managers treat their networks and critical infrastructure the same way? Despite the compelling imperative “protect your IT, or suffer the costly consequences,” the majority of small and medium-sized businesses (SMBs) under-invest in business continuity (BC) and disaster recovery (DR) planning, according to Gartner, Inc. Gartner estimates that only 35 percent of SMBs have a comprehensive disaster recovery plan in place and fewer than 10 percent of SMBs have crisis management, contingency, business recovery and business resumption plans.
Though often overlooked by SMBs, implementing a DR plan is absolutely critical. Should a natural or man-made disaster render an organization’s data inaccessible, it is likely the business will have to close its doors for good. According to Gartner, two out of five businesses that experience a disaster go out of business within five years. Moreover, Gartner found that 80 percent of mission-critical application service downtime is directly caused by people or process failures – not disasters or technology failure – meaning that DR plans are critical not only in a relatively rare emergency, but also in the organization’s day-to-day functions.
Establish a Downtime Threshold
Determining the recovery point objective (RPO) and recovery time objective (RTO) should be the first objective when building a DR plan. The RPO dictates the allowable data loss, while the RTO is the amount of time you can afford for application downtime – the maximum tolerable outage. If a disaster occurs, how much time can your business afford to lose? An hour? A day? A week? An organization that requires immediate recovery time will need to budget significantly more funds for DR than an organization that can afford to be down for a few days or a week. In the same fashion, a tight RPO is expensive, but businesses must weigh preventative expenditures against the potentially exorbitant cost of significant data loss. Identifying the RPO and RTO will help you allocate the appropriate resources and move forward accordingly.
If a business has difficulty establishing the RPO and RTO, a business impact analysis (BIA) can help. The basic assumption behind a BIA is that every element of the organization relies upon the continued functioning of every other element, but some elements are more crucial than others. The BIA prioritizes mission-critical data and systems and helps the organization allocate the appropriate resources for each component in case of a cataclysmic event. The BIA can also show both IT managers and business owners how much money they could lose by not implementing a DR plan.
Build the Disaster Recovery Plan
When the RPO and RTO are established, you are ready to build a DR plan. As you build the plan, keep these best practices top of mind:
- Involve all organizational stakeholders: Involve all the power players in the organization – not just IT. For example, the human resources department plays a critical role in training employees on the DR plan and communicating the DR plan, so they should participate in plan development. Chief executives and other top managers are essential to securing DR funding and organizational buy-in. If you lease your building, the property manager should be apprised of your plan. Further, it may be a good idea to inform local law enforcement officials of the plan.
- Prevent data silos: It may be convenient to save documents to the desktop, but it is a bad habit for employees to develop. Individual computer hard drives are not backed up by IT, so implement a central server to prevent headaches and train all employees to use it exclusively.
- Prioritize backups: Determine what data needs to be stored, and for how long, and develop a storage strategy that prioritizes critical data and applications, backing up the most critical first.
- Back up on site and off site: Many backup strategies are feasible, from online backup services to tape and disk-based solutions. Whatever method you choose, it is essential to back up both on site and off site to ensure that your data and applications survive if your primary business location is compromised. With disk mirroring, for example, at least two drives simultaneously duplicate and store data, so if one of the disk drives fails, the system can instantly switch to the other – whether it is in the same data center or across the country – without any loss of data or service.
- Ensure remote access: Data retention is just as important as network access. If the physical office cannot be used in the wake of a disaster, employees will still need to access the network infrastructure to keep operations afloat. All the key players should have remote access, if not the entire company.
Test the Disaster Recovery Plan
Once the downtime threshold is established and the DR plan is in place, organizations should engage in periodic testing. Testing equals time and money, so the frequency with which an organization can test depends on the DR budget. As a benchmark, businesses should test no less than twice annually. If it is impossible to test the entire system more than twice a year, organizations should also periodically test the most critical applications and systems. Further, tests should be conducted during busy seasons and should be unannounced to all but a few personnel in order to simulate the urgency of a real disaster. Lastly, IT managers should review the process after each test to establish what worked and what did not, so any errors can be rectified.
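The checks described above (RPO, RTO, on-site and off-site copies, test cadence) can be run as a periodic audit. The following is an added example, not part of the original article; the inventory, system names, and the reading of "twice annually" as one test every 183 days are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TEST_INTERVAL = timedelta(days=183)  # assumption: "twice annually" = one test per ~6 months

@dataclass
class System:
    name: str
    priority: int                           # BIA rank, 1 = most critical
    rpo: timedelta                          # allowable data loss
    rto: timedelta                          # maximum tolerable outage
    onsite_backup: Optional[datetime]       # newest on-site copy
    offsite_backup: Optional[datetime]      # newest off-site copy
    last_test: Optional[datetime]           # last DR test
    test_restore_time: Optional[timedelta]  # restore duration measured in that test

def audit(systems, now):
    """Return (system name, finding) pairs, most critical system first."""
    findings = []
    for s in sorted(systems, key=lambda s: s.priority):
        # Each location must hold a copy young enough to meet the RPO on its own.
        for label, ts in (("on-site", s.onsite_backup), ("off-site", s.offsite_backup)):
            if ts is None:
                findings.append((s.name, f"no {label} backup"))
            elif now - ts > s.rpo:
                findings.append((s.name, f"{label} backup older than RPO"))
        # A restore time only counts if it comes from a recent test.
        if s.last_test is None or now - s.last_test > TEST_INTERVAL:
            findings.append((s.name, "DR test overdue"))
        elif s.test_restore_time is None or s.test_restore_time > s.rto:
            findings.append((s.name, "tested restore exceeds RTO"))
    return findings

# Constructed sample inventory (hypothetical systems and timestamps).
NOW = datetime(2024, 6, 1, 12, 0)
INVENTORY = [
    System("file-server", 2, timedelta(hours=24), timedelta(days=2),
           NOW - timedelta(hours=6), None, NOW - timedelta(days=300), timedelta(hours=20)),
    System("order-db", 1, timedelta(hours=1), timedelta(hours=4),
           NOW - timedelta(minutes=20), NOW - timedelta(hours=5),
           NOW - timedelta(days=60), timedelta(hours=6)),
    System("intranet-wiki", 3, timedelta(days=7), timedelta(days=7),
           NOW - timedelta(days=1), NOW - timedelta(days=2),
           NOW - timedelta(days=90), timedelta(hours=8)),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, NOW):
        print(f"{name}: {finding}")
```

The off-site check matters most for a site-loss scenario: a fresh on-site copy does not help if the primary location is the thing that failed.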
An effective disaster recovery plan is critical to business survivability. Every year, one out of 500 data centers will experience a disaster so severe that 43 percent will be unable to recover, according to research from the McGladrey and Pullen accounting firm. Another 29 percent will be forced to close within two years. Disaster recovery is business insurance you just can’t afford to live without.