Hope for the best; plan for the worst. Of course, we recommend you take steps to avoid disasters, such as using Google Workspace’s advanced security settings to mitigate threats from phishing and malware. It still remains vital to also plan to recover from a disaster. In this 2-part blog series, we’ll cover the key components of business continuity and disaster recovery (DR), then take a look at how to build DR plans.
How business continuity is a part of disaster recovery
Business continuity is the entire process of ensuring that personnel and assets are protected, and operations can quickly resume in the event of a disaster. Business continuity ensures you meet your SLAs and is also mandatory to comply with multiple regulations.
Even for organizations not subject to regulations, business continuity plans are still vital. Negative events that disrupt business continuity happen all the time. For example, security breaches can be particularly devastating for smaller businesses. Sixty percent of small companies go out of business within six months of falling victim to a data breach or cyber attack.
Essential parts of any effective business continuity plan include:
- Clearly defined team
- Detailed plan
- Effective testing
- Crisis communications
- Employee safety
- Uninterrupted access to business resources
- Continuous IT operations
How to consider the cost of downtime and conduct a business impact analysis
Disaster recovery (DR) is the ability to quickly recover from an IT emergency. Whether the IT emergency is a virus, ransomware attack, or hurricane flooding the data center, DR is the process of bringing back operating systems and data. Disaster recovery is just one component of business continuity.
Gartner estimates the cost of network downtime to be $5,600 per minute, which extrapolates to well over $300K per hour. Just one hour of downtime can cost a small business $8,000 or a medium business $700,000. A business impact analysis (BIA) helps the IT department and the business align on what should be considered mission-critical infrastructure. A high level of executive sponsorship is an important component of successful business continuity initiatives.
According to Google’s, disaster recovery planning guide, “DR planning begins with a business impact analysis that defines two key metrics:
- A recovery time objective (RTO), which is the maximum acceptable length of time that your application can be offline. This value is usually defined as part of a larger service level agreement (SLA).
- A recovery point objective (RPO), which is the maximum acceptable length of time during which data might be lost from your application due to a major incident. This metric varies based on the ways that the data is used.”
As I mentioned earlier, this is just a short list; it’s not exhaustive. There are many other security controls that should be enabled. However, this is how a business can begin to mature its cyber security program. Start by looking at your Admin console for what is available.
You will want to make RPO lower for the most important data. Of course, this requires tackling the complex task of determining what data is “most important.” In the post-COVID era, “business requirements for data recovery times have shrunk from hours to minutes. And 15% of respondents in the ESG survey say their business units won’t tolerate any downtime at all.”
How to build a disaster recovery plan from scratch
When making DR plans, it’s important to give DR its due more than lip service. To start off on the right footing, understand what capabilities your business is going to need and when. Create a timeline like a Gantt chart, as if you’re beginning operations from scratch. To determine RTO and RPO, list the capabilities you need to do your business and restore service to customers, starting with what you need in place at disaster [D] + 2 hours, D + 8 hours, etc. Then begin to determine how to set things up to hit those milestones, similar to planning any project.
For planning purposes, we may think of disaster recovery as starting from the point where your building is a smoking ruin. Thankfully, annihilation from a giant meteor isn’t something we need to be concerned with. Reddit has an amusing take on giant meteor craters:
While meteors aren’t a common threat, cybersecurity risk is higher than it’s ever been, yet lower than it ever will be. This is a bleak declaration, but undeniably true.
What’s the difference between backup plans vs. disaster recovery?
Data and keeping it accessible is a key component in a business continuity plan. But what’s the difference between backup and recovery?
Data Backup: Copying data or data files from one place to another in the event they are lost or destroyed. You can backup data anywhere. I’m old enough to recall my IT director husband bringing tapes home from the office. Yes, tapes (look it up, kids.)
Disaster Recovery: A subset of business continuity planning, primarily focused on IT. It defines how an organization’s IT department will recover from a natural or artificial disaster, and covers all IT assets, including:
- Server and network restoration
- Copying backup data
- Provisioning backup systems
Continuity Central recommends “differentiating between data backup and disaster recovery. DR must include backup, but backup alone is not disaster recovery.”
Part 2 of this series: “Aligning Needs & Technologies” will be coming soon. Then, we’ll address ways to achieve secure and compliant data backups without putting all your eggs in one basket.
Interested in hearing more about applying these principles to your organization? Contact us here for disaster recovery planning as well as cloud discovery assessment services.