NPI Technology Management Blog

Reducing IT risk: planning for quick recovery from disaster

- July 8, 2019

This article originally appeared in the July 2019 issue of  Business People Vermont.

At the beginning of the year, we covered the creation of a business continuity plan, which prevents most issues from becoming disasters. But what if a disaster exceeds your capacity for immediate remediation? That is when your disaster recovery plan is invaluable — to ensure that an interruption does not threaten the survival of your business.

All businesses require a disaster recovery plan — don’t fall into the trap of thinking (for example, in the case of a manufacturer) that “if my shop is gone, IT is the least of my worries.” Even if you can no longer make widgets, you need access to order/shipping/client information to inform customers of delays and get their support while you recover.

The good news is that you have already done much of the groundwork: identifying the data you have, the people responsible for it, and how long you can tolerate being without access to your various data sources.

Start by envisioning the worst. That includes:

• Fire or flood in a server/switch room, or in your entire facility

• Extended (multi-day) loss of Internet service or power

• A ransomware attack or application failure that corrupts data or makes it inaccessible

• A region-wide weather disaster (ice storm, hurricane) that damages your facility or prevents staff from reaching it

Your disaster recovery plan need not be lengthy, but will include these key components:

Backup. Consider the frequency of data backup (backing up only once daily risks too much data loss for many organizations today), verification of backup, how long a restore will take when required, and the ability to quickly use the backup as a “live” server when your primary systems are down. Fresh backups and fast recovery matter here.

Cloud systems. Cloud providers have outages and failures. Backup from one cloud provider to another (or from the cloud to your site) is increasingly a part of disaster recovery plans.

Remote access. While some plans provide for a formal alternate work location contracted in advance by your company (a “warm” or “hot” site), most assume that employees will work from home or other ad hoc locations. In that case, you need to be able to “spin up” server resources in the cloud, and ensure that key employees have the computer, tablet, or phone (whether personal or provided by you) and Internet access they will need to work remotely.

Storage of the plan and related information. Documentation (including this plan!) needs to be stored or copied somewhere that’s accessible to key staff (not just IT personnel, who may be unavailable in the event of a disaster) when your systems are down. Consider a one-page paper overview (not including passwords or other sensitive information) for key staff, stored at home.

Contact information: Much of the plan will involve quickly mobilizing the help you need. This means:

• Staff names and contact information, including cell and landline numbers and personal email. Also include responsibilities in case of a disaster;

• Usernames and passwords stored and shared (as appropriate) securely in the cloud so staff can continue to access your systems;

• Information about your vendors, manufacturers, and IT support organizations, including phone numbers, customer and contract numbers, support levels, and procedures.

The disaster recovery plan, like all IT plans, needs to be reviewed annually — contact information, for example, will almost always change every year.

You may notice that data breaches are not addressed here. That is because those types of disasters are prevented and remediated by their own plans — the security policy and data breach/incident response plan, respectively — and are the subject of future articles.

Hopefully your preparation will prevent a disaster from occurring — but if the worst happens, you will know you are well-prepared.