Editor's note: This article was originally published in 2019, but has been updated to include the latest, most comprehensive information.
Most business leaders don’t relish the idea of the possibility that disaster will strike their organization. Whether it’s a natural or man-made disaster, the ramifications can be equally damaging. At a minimum, disasters of either kind can cause downtime, damage to your reputation, and financial loss.
Like many business owners, you may simply brush aside the topic of business continuity and disaster recovery, assuming that since you haven’t been affected yet you won’t be a victim of such devastation in the future.
Or, you may think that you don’t have the financial and staffing resources necessary to prepare for a future event that may or may not happen.
At Kelser Corporation, businesses often come to us for services after suffering a damaging event. We are not writing this article to sell Kelser’s services, but rather to provide the information that business leaders like you need to protect your organization.
You see, we believe firmly that it’s better to prepare for an event than struggle to recover from one. We’ve seen the damage that can be caused and we want to help businesses avoid falling victim.
In this article, I’ll outline a 10-step IT disaster recovery plan you can implement with or without external help. I’ll explain the critical elements and what you can do now to prepare.
What Is An IT Disaster Recovery Plan?
An IT disaster recovery plan is a well-thought-out, strategic, systematic document that companies can use to recover from a disaster (natural or otherwise).
It involves a step-by-step process for restarting work after an unplanned (and sometimes devastating) event.
While having an overall disaster recovery plan for the entire organization is important, there should be a separate IT disaster recovery plan that focuses on the IT infrastructure.
Disaster recovery plans are only effective if they are in place long before a disaster ever happens.
Why Is An IT Disaster Recovery Plan Important?
Most companies would be hard-pressed to operate without their IT infrastructure. Everything from customer orders to scheduling to employee communication would grind to a halt without IT.
A quick internet search shows that between 25 and 40 percent of businesses never recover from a natural disaster.
In addition, the Council of Insurance Agents & Brokers estimates that 60 percent of small businesses are unable to withstand the six months following a cyber-attack due to the massive costs of recovery including damaged reputation, loss of data and revenue, instability, and reduced employee productivity.
The good news is that there are steps you can take to lessen the risks during and after a disaster.
10 Things Every IT Disaster Recovery Plan Must Include
Creating an IT disaster recovery plan will ensure that you can focus more on the other things on your plate. Here are 10 topics every IT disaster recovery plan should cover:
1. IT Inventory
Make sure you have a list of exactly which IT resources—systems, hardware, and software—are used to run the business.
Ask employees how their work would be impacted if certain systems or networks were unavailable for a period of time. Identify which applications and data are critical to your business. Take extra measures to protect them.
It can also be helpful to add different scenarios to your IT disaster recovery plan so that you understand which systems would be affected in the event of a flood, hurricane, fire, power outage, or another disaster on your premises.
2. Data Backup & Verification
If you don’t have one already, develop a way to regularly back up your essential data off-site. (Data that is static and unchanging may not need to be backed up more than once.) You may decide to use a physical data center located in a different geographical region or the cloud, for example.
Many organizations don’t consider the risk of maintaining backups physically on-premises in the event of a natural disaster.
Once you establish a regular backup procedure and schedule, test it often to make sure that it works. The last thing you need to realize mid-emergency is that your backups haven’t been working.
Both physical and cloud backups have risks. Figure out which makes the most sense for your organization.
If are considering migrating your data to the cloud, read this article for answers: Cloud Migration: What It Means, How It Works (6 Questions To Ask)
3. Recovery Timeline
Outline acceptable recovery goals and timeframes by which certain IT systems need to be back in operation. Industries such as healthcare may have a recovery timeline of mere minutes, while other industries may be able to tolerate longer timelines.
Be sure your IT disaster recovery plan includes a well-defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
The RTO outlines the maximum amount of time that should pass before your IT systems recover. The RPO defines the maximum amount of time permissible since the most recent data backup.
Use this downtime cost calculator tool to evaluate your RTO and RPO and get an estimated cost of downtime for your organization.
4. Detailed Responsibility
Get buy-in from key stakeholders.
Be sure the team understands which IT operations could be affected, how that could affect different business functions, what would happen next, and who would be responsible for resolving the issues.
Be sure to include a plan for communicating with employees in the event of a power or internet outage.
5. Physical Damage
Physical damage to your plant could affect your on-site IT equipment as well. Everything from servers to devices could be affected. Some of these damages can be mitigated by moving your operations to the cloud, but anticipate how you will respond to physical damage that may impact IT resources.
6. Insider Threats
Humans can also be a source of disaster, whether malicious or unintentional.
One way to lower your risk is to lock down administrative rights on your IT systems.
Employees and third-party vendors should only have access permissions to the systems and data they need.
There are countless stories of companies that have been breached by third-party vendors that were given inappropriate access to vulnerable systems. And, your internal salespeople don’t need access to the payroll and benefits information of other employees.
Another way to reduce risk is to provide employee security awareness training on a regular basis, This training will keep your staff abreast of the latest cyber threats. Experts agree that 80-90 percent of cyber attacks are caused by human error.
Effective employee security awareness training can reduce your risk.
Questions? Read this article: Employee Security Awareness Training: An Honest Cost-Benefit Analysis.
Wondering what security awareness training should include? We spell it out in this article: 3 Topics Every Cybersecurity Awareness Training Must Include.
7. Insurance
If you are concerned about the costs of recovery, there are insurance policies out there that cover natural disasters and cyber incidents. This coverage can include the cost of replacing IT equipment, and compensating for broader losses that result from a disaster.
If you invest in these types of plans, be sure the details are included in your IT disaster recovery plan for easy access.
8. Validation
IT disaster recovery plans should be tested at least once (or preferably twice) per year. One of our clients didn’t test their plan for several years, only to find out that when they did a test all of their drives failed when trying to restore them.
If this had occurred during a real disaster, the data would have been lost forever.
Gaps identified during these tests should be documented extensively so that you can start fixing them.
9. Business Continuity
Business continuity (BC) refers to the organization’s strategy for maintaining essential business operations as much as possible during and after a catastrophe. Create and test a full BC plan in order to be confident that you can meet any unexpected event head-on.
This plan, which goes hand-in-hand with the IT and organizational disaster recovery plans, should also be tested and kept current. It is an essential part of the organization’s overall BCDR efforts.
10.Updates
Disaster recovery isn’t something that you can set and forget; it needs to be actively maintained over time. Update your IT disaster recovery plan with new procedures, technologies, and equipment.
Business needs and staff changes, make sure to update and communicate the relevant changes to everyone involved in executing the plan.
Are You Ready To Implement Your 10-Step IT Disaster Recovery Plan?
Building a strong, resilient disaster recovery plan is essential. After reading this article, you know the topics to include in your plan: IT inventory, data backup & verification, recovery timeline, detailed responsibility, physical damage, insider threats, insurance, validation, business continuity plan, and updates.
Honestly evaluate your ability to implement the steps outlined in this article. Maybe you can do all or some of them on your own. Organizations with a full complement of IT professionals on staff can likely implement this 10-Step IT Disaster Recovery plan on their own.
Organizations with a small IT staff (or IT staff), may need help from an outside IT provider.
If you decide that working with an outside provider is the best solution, be sure to compare a number of providers so that you get the best fit. Here is a list of questions to consider asking IT providers you are considering.
While we know Kelser isn’t the right fit for everyone, we encourage you to check out our managed IT support, which includes business continuity and disaster recovery services.
Or read this article: What Is Managed IT? What’s Included? What Does It Cost?
No matter how you choose to proceed, it’s imperative that you move forward to protect your organization from disaster before you are affected.