Cyber security and disaster recovery are both vital for any organisation’s safety; this can’t be stressed enough.
Should the unthinkable happen to your SME, the last thing you need is compromised data and no plan to cope with it. Therefore, every good organisation needs a disaster recovery plan (DRP). This is a pre-planned and systematic approach for returning your business to full operational levels after a cyber-attack.
Computer Weekly reports that just 35% of British businesses have confidence in their disaster recovery plans. Furthermore, fewer than a quarter of respondents in a recent UK survey stated they have off-site back-up of their data, and almost half haven’t tested their disaster recovery plans.
A disaster recovery plan is the equivalent of a site evacuation practice; staff need to know and practise it.
Creating a Disaster Recovery Plan
IT consultancies like Mustard IT can offer assistance in generating a disaster recovery plan, and many specialise in backup and disaster recovery. The reason every business needs to think about this is simple: it’s not ‘if’ but ‘when’ there’s a successful cyber-attack. Being prepared against cyber-attacks is one defence; the next level of preparedness is having a workable and tested disaster recovery plan in place.
For larger businesses with an in-house IT department, the creation of a disaster recovery plan can be managed internally. However, smaller companies may well look to external IT companies to manage their recovery plan. It can be a complex undertaking for a novice.
The first step of any disaster recovery plan involves identifying the business’s critical IT assets: servers, databases, hardware, client details, business plans, software needs, and regular and off-site back-ups all need to be accounted for. For example, a disaster recovery plan may cover how to deal with the physical theft of hardware if PCs, keyboards, laptops, iPads, and hard drives are removed from the premises. Regardless of the form the crime takes, a disaster recovery plan is needed.
All software assets need to be backed up regularly. Best practice is to schedule back-ups periodically, so that backing up is not an ad-hoc process. Once the data is backed up, there need to be regular checks that it is (A) correctly backed up, (B) able to be downloaded and (C) usable. Remember to back up hard copies, too, as this information can be scanned into digital format and easily accessed.
A few questions to ask yourself before backing up:
- What is the core information needed for the business to exist and run successfully?
- What is needed for consistent back-up of that data?
- Are back-ups easily accessible?
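The three back-up checks described above, (A) correctly backed up, (B) able to be downloaded and (C) usable, can be run on a schedule rather than by hand. The following is an added example, not part of the original article; the file names `backup.zip` and `manifest.json`, and the use of SHA-256 digests as the measure of "usable", are assumptions.

```python
import hashlib, json, tempfile, zipfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def create_backup(src, dest):
    """Zip src into dest and record SHA-256 digests taken at back-up time."""
    src, dest = Path(src), Path(dest)
    files = {p.relative_to(src).as_posix(): sha256(p)
             for p in sorted(src.rglob("*")) if p.is_file()}
    archive = dest / "backup.zip"  # assumed file name
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in files:
            zf.write(src / name, arcname=name)
    manifest = {"archive_sha256": sha256(archive), "files": files}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive

def verify_backup(dest):
    """Run checks (A), (B) and (C) against the back-up held in dest."""
    dest = Path(dest)
    result = {"A_intact": False, "B_restorable": False, "C_usable": False}
    manifest = json.loads((dest / "manifest.json").read_text())
    archive = dest / "backup.zip"
    # (A) the stored archive is byte-for-byte what was written at back-up time
    result["A_intact"] = archive.is_file() and sha256(archive) == manifest["archive_sha256"]
    if not result["A_intact"]:
        return result
    with tempfile.TemporaryDirectory() as scratch:
        # (B) the archive can be fetched and unpacked somewhere other than production
        try:
            with zipfile.ZipFile(archive) as zf:
                zf.extractall(scratch)
            result["B_restorable"] = True
        except (zipfile.BadZipFile, OSError):
            return result
        # (C) every file named in the manifest came back with its original content
        result["C_usable"] = all(
            (Path(scratch) / name).is_file() and sha256(Path(scratch) / name) == digest
            for name, digest in manifest["files"].items())
    return result

if __name__ == "__main__":
    # Constructed sample data: two small files standing in for business records.
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dest:
        Path(src, "clients.csv").write_text("id,name\n1,Example Ltd\n")
        Path(src, "plan.txt").write_text("Q3 business plan (sample)\n")
        create_backup(src, dest)
        print(verify_backup(dest))
```

In practice the manifest should be kept somewhere other than the back-up location, so that a corrupted or altered archive cannot also change the digests it is checked against.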
A Team Effort to Implement
IT departments and external IT consultants need input from key personnel to know which business resources are critical (and thus, need backing-up). IT personnel may consider using surveys and workshops to determine what the critical resources and processes to manage are. Building on this, IT consultants should have one-on-one sessions with department heads for them to fully understand the goals of any DRP.
In all this talk of hardware and software, it’s easy to forget that the human component needs to be covered, as well. Most importantly, the disaster recovery plan needs to include the names and contact details of the people who’ll implement the plan after an incident. These people should be staff members who know what information is needed first and who needs to have access to that data immediately. They would be involved in accessing back-ups, checking they haven’t been corrupted, and restoring them.
There’s value in looking at ways to test the DRP when the opportunity arises, especially if there’s a major weather event expected – that is an ideal time to test the back-ups. Another good time to check is when key updates are being made to the system. Various staff should be involved in these checks, so the processes are clearly known and used often.
Prepare a Space for Your Emergency Response
In smaller businesses, there’s a limited amount of space within which the business can exist.
However, if space allows, there’s value in having space set aside to manage an emergency response. This need not be a major undertaking – perhaps two PCs, an external hard drive, scanner, printer, landline and mobile phones, and a back-up wi-fi dongle for emergency use.
In the world of IoT, it’s possible for some of the hardware to become compromised; therefore, if the server were compromised, a plan would be needed for restoring the data, perhaps to a temporary server. Theoretically, the hardware already in place should be enough to get things going again, but a small space set aside with some basic equipment would expedite the process of re-establishing the business. Furthermore, once the company comeback has been achieved, it’s important to ensure there’s another check-up on the back-ups.
An IT consultancy may suggest other options to consider, some of which are more feasible than others in SMEs. They may suggest having a cheaper internet provider as a back-up, or that a policy for archiving e-mails may be needed. Every suggestion needs to be assessed and either added to the disaster recovery plan, or left off but noted. It isn’t just a simple matter of cost, but also the cost of not including a recommendation.
The Bottom Line
Identify what’s critical to your business and back it up. Check back-ups at regular scheduled intervals. Know who’s involved in bringing the system back to operational use and how to contact them. IT disaster recovery is the same as a weather-related disaster plan – everyone involved needs to discuss, plan, and practise.