A pragmatic approach to disaster recovery

What will your business do in the face of a disaster? Does your business have a disaster recovery plan? Is it up to date and has it been tested?

Disaster recovery is an important part of your security strategy: integrity and availability of information are key principles of information security, and disaster recovery safeguards both.

Businesses of all sizes create, process and manage huge volumes of information, much of which is vital to business operations. A plan for backup and restoring data is therefore essential.

What are you protecting against?

Businesses face different disaster scenarios, so there is no one-size-fits-all approach to disaster recovery. Your disaster recovery strategy must address the risks faced by your business.

When we think about disasters, in the UK at least, we think about floods, fires, storms, power cuts. Businesses on high ground and those based in office blocks might think they are immune from the risks of flooding, but consider whether a burst water pipe or a leaky air conditioning unit could cause water damage to your key business assets.

When planning for disaster recovery, don’t just consider natural disasters; consider all the threats facing your business, internal and external, online and offline. It’s not just once-in-a-lifetime threats that destroy data and ruin businesses.

How do you create a disaster recovery plan?

Identify your key business processes and information

Start with your core business activities and your information assets – both hardware and data stores. Consider the importance of each to your business and prioritise appropriately. What would the consequences be if a business activity was not performed, if information was unavailable? Consider which assets support which processes and who supports each asset – internal teams, vendors, contractors. All these parties need to be part of your disaster recovery planning.

Define your tolerances

Now, for each core activity, work out your tolerance for downtime and data loss. Can your business afford for a service, information asset or hardware to be unavailable? Use this information to assist your prioritisation and document these tolerances; they will become important when you begin putting preventative measures in place.

When talking about these tolerances, you may see the acronyms RPO and RTO. In short, RPO stands for recovery point objective and RTO stands for recovery time objective.

Your recovery time objective is a measure of how long your business can survive without performing a core business activity or without access to core information assets. In other words, how quickly does the business need to be back up and running? This measure will likely depend on the activity or information asset. Contractual obligations, service level agreements and regulatory requirements may influence your recovery time objectives.

Your business’ recovery point objective is, at its core, a measure of the volume of data you can afford to lose if the worst were to happen. It is expressed as a measurement of time: for example, losing up to 1 hour’s data can be tolerated after a recovery from a disaster, failure, or comparable event.

It can help to think in terms of buckets. What processes and information do you need immediately? These are mission critical. Some processes and information can stand to be unavailable for a business day. Other processes and information are low priority and your business can stand to be without them for a longer period of time.
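The tolerances and buckets described above can be checked mechanically against backup and restore-test records. The following is an added example, not part of the original article: the asset names, objectives, timestamps and the bucket thresholds (4 hours, 1 day) are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inventory: every name, objective and timestamp is illustrative.
ASSETS = [
    {"name": "order-database", "rpo": timedelta(hours=1), "rto": timedelta(hours=4),
     "last_backup": datetime(2024, 5, 1, 11, 30), "tested_restore": timedelta(hours=3)},
    {"name": "file-share", "rpo": timedelta(hours=24), "rto": timedelta(hours=8),
     "last_backup": datetime(2024, 4, 29, 23, 0), "tested_restore": timedelta(hours=6)},
    {"name": "archive", "rpo": timedelta(days=7), "rto": timedelta(days=3),
     "last_backup": datetime(2024, 4, 28, 2, 0), "tested_restore": None},
]

TIERS = ["mission critical", "business day", "low priority"]

def bucket(rto):
    """Map a recovery time objective to a priority bucket (thresholds are assumptions)."""
    if rto <= timedelta(hours=4):
        return TIERS[0]
    if rto <= timedelta(days=1):
        return TIERS[1]
    return TIERS[2]

def assess(asset, now):
    """Return findings for one asset; an empty list means it meets its tolerances."""
    findings = []
    # Data written since the last backup is what would be lost if disaster struck now.
    exposure = now - asset["last_backup"]
    if exposure > asset["rpo"]:
        findings.append(f"RPO breached: last backup {exposure} old, tolerance {asset['rpo']}")
    # The RTO is only proven if a restore test finished inside it.
    restore = asset["tested_restore"]
    if restore is None:
        findings.append("RTO unproven: no restore test on record")
    elif restore > asset["rto"]:
        findings.append(f"RTO breached: restore took {restore}, tolerance {asset['rto']}")
    return findings

def report(assets, now):
    """List (name, bucket, findings) with the most critical bucket first."""
    rows = [(a["name"], bucket(a["rto"]), assess(a, now)) for a in assets]
    return sorted(rows, key=lambda row: TIERS.index(row[1]))

if __name__ == "__main__":
    for name, tier, findings in report(ASSETS, datetime(2024, 5, 1, 12, 0)):
        print(f"{name} [{tier}]: {'; '.join(findings) or 'within tolerance'}")
```
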

Communication is key

In your disaster recovery plan, define roles and responsibilities. Who has the ability to invoke the disaster recovery plan? Which roles do key individuals play in recovering from a disaster? 

Businesses that rely on third party providers must involve their outsourced services in their disaster recovery planning. A business’ outsourced providers are an extension of the business and often look after key information and critical processes. Ensuring that these providers are capable of executing the disaster recovery plan and understand the role that they play is key to ensuring that the plan functions as intended. Outsourced providers should be included when testing your disaster recovery plan.

Within your organisation, having clearly identified roles and a hierarchy within your disaster recovery team will help your business to execute your disaster recovery plan. Defining responsibilities and decision makers means that the disaster recovery process will operate as efficiently as possible, as decisions can be taken quickly and the required actions can be undertaken without delay.

Document your business’ key contacts, both internal and external – remember that in a disaster recovery scenario you may not be able to access the records you need.

Plan your recovery

Now we have defined what needs to be recovered, the priority for each and who will be involved in disaster recovery, it is important to define the how – what steps must be taken to recover the core business activities and information assets back to the recovery point objective within the recovery time objective.

Your business must develop recovery strategies to restore the hardware, applications and data needed to be able to run your core business activities.

This process must be repeated for each of the core activities.

While planning, you may realise that your business cannot meet its objectives with the technologies and processes it currently has in place. This process will force you to examine your backup strategies and relationships with your suppliers.

Putting it all together

Once the plan has been developed, you must communicate the plan to your employees and regularly test the plan.

Your disaster recovery plan does not exist in a vacuum and must adapt to the needs of your business, as they change. New systems, processes, clients and suppliers can all affect your disaster recovery plan.

A change impacting your disaster recovery planning might be a move from a traditional telephone system to a VoIP phone system – you must reconsider how you would communicate during an internet or network outage and your plan should reflect that. New customers may have specific provisions in their Service Level Agreements that affect your business’ recovery point and recovery time objectives.

An untested disaster recovery plan is an unproven disaster recovery plan. Simulating a disaster allows your organisation to test the plan, to identify weaknesses in the plan and, most importantly, to put in place any corrective actions needed. Then, test those changes.

Remember, it’s better to find these problems now, when you can afford to fail, rather than find them when a disaster hits. 

Much like insurance, testing and maintaining your disaster recovery plan is work that pays dividends should the worst happen. As they say, fail to plan, plan to fail.