No one likes to think about disaster striking their business, but ignoring the risks is the worst possible approach to disaster recovery and business continuity planning. The bad news is that the risk of unplanned business downtime is probably higher than you think—and the costs can be enormous. The good news is that new technology and services can help with every stage of preparing for a disaster, from online collaboration tools that keep your people connected, to new options for data center replication and recovery. To help you get started, here are some disaster preparedness tips designed for IT teams and business owners.
Sources of Disaster Risk
Business disasters come in all shapes and sizes, from physical destruction of a facility to a disgruntled employee stealing classified information, to a computer virus taking down your mission-critical applications—and the list goes on and on.
The point is that it’s imperative to consider all sources of risks to your business, which can be broken down into the following key categories:
- Storms and weather: hurricanes, tornadoes, blizzards, high winds, extreme heat or cold
- Natural disasters (weather-related or not): fires, floods, earthquakes
- Human causes: human error, cyber-attacks, terrorism, vandalism, theft
- Hardware and software: failed server component, application defect
Any of these can cause a disruption to both physical operations and IT system functions, with very costly consequences to the business.
Scope and Cost of Business Disruption Risks
The level of risk from any particular threat varies widely across organizations, based on business type, location, and other factors.
But the danger of the “average” business facing some business disruption in any given year is far from insignificant. Most small to mid-sized businesses will suffer some form of business disruption at some point.
According to the National Federation of Independent Business (NFIB), 30 percent of small businesses will experience a natural disaster. Another survey found that more than one-third (36 percent) of organizations lost one or more critical applications or data files for hours at a time over the past year. And in a Symantec study, 44 percent of small business customers said they’ve had a smaller vendor temporarily shut down because of a technology failure.
Though costs vary significantly by company size and industry, the average cost of a data center outage has been estimated at $5,000 to nearly $8,000 per minute. Over time, the losses can be catastrophic. According to an article in the Disaster Recovery Journal:
“The longer a disaster disrupts communications, the more critical the impact. In the first hour alone, it is estimated that more than 80 percent of the financial institutions would lose nearly $1,000 per hour; an additional 10 percent of the surveyed financial institutions claimed losses of more than $100,000 per hour. A University of Texas study found that 85 percent of businesses are totally or heavily dependent on information systems to stay in business, and that a loss of those systems would cost companies up to 40 percent of their daily revenues. AT&T estimates that it would not take long for the loss of information systems to have a heavy impact – nearly 60 percent of financial companies, 50 percent of service firms, and more than 40 percent of retail organizations would be seriously affected in less than eight hours.”
Despite the high risks and costs, most small to mid-sized businesses (SMBs) remain unprepared or poorly prepared for any significant business disruption. As the DR Preparedness Council reported recently, “…73 percent of…companies worldwide are failing in terms of disaster readiness” (either no plan in place or inadequate preparation).
How to Prepare for a Disaster
More positively, though, resources and tools continue to improve to help businesses of all sizes prepare more effectively for potential interruption of operations. There are many online resources to help with emergency preparedness, such as the emergency preparedness plans and checklists available from the Small Business Administration, so do your homework.
Here are the essential steps business owners and their IT teams need to take to prepare for a disaster:
- Business Continuity Plan. Create a business continuity plan for your company, taking into account all aspects of your operations and the needs of everyone affected (employees, partners, customers, etc.).
- Arrange for a Business Continuity Space. In the event your physical facilities are damaged or must be evacuated, and if feasible, pre-arrange for a back-up site that will allow you to continue operations. This could be a local hotel, an employee’s home, or a satellite location. Make sure your plan includes the ability to quickly and efficiently equip it with the data files, supplies, and other equipment or information that will be critical to your operations.
- Communications Plan. Create a communications plan that will allow you and your team to stay connected, even if physically separated. Consider implementing an online collaboration tool to keep your people connected, wherever they may be, using any device. Apps like Slack, Skype, Facebook Messenger and even Google Drive can help with that.
- IT Disaster Recovery Plan. Once you’ve put all the other pieces of the puzzle in place, work with your team to create an IT disaster recovery plan covering all the essential elements of your business-critical systems: servers, desktops/laptops, software, data, and connectivity. Let’s dive into that a little more fully.
Developing Your IT Disaster Recovery Plan
Though it’s vital to plan for all aspects of business disruption risk, IT has typically been central in disaster recovery and business continuity planning. This is true because technology now plays an essential role in virtually all aspects of business operations.
The focus of your disaster recovery plan is to restore the operability of systems that support the mission-critical applications and processes of your business, as quickly as possible. As such, there are essential best practices that need to be followed when developing a DR plan to ensure you can achieve your recovery objectives. They include:
- Critical Systems Inventory. IT disaster recovery planning starts with having an up-to-date, documented inventory of all critical hardware, software applications (including any dependencies), and vital data. You have to know what you have and where to find it if you expect to successfully recover it. From here, you need to identify and prioritize the criticality of these systems and classes of data, which will require some form of business impact analysis.
- Business Impact Analysis, RTO and RPO. It’s imperative to understand the business processes and functions and the effect a disruption could have on them. To do this, a Business Impact Analysis (BIA) needs to be conducted to identify the most important functions along with the IT systems and applications that support these functions, and quantify the impact of a disruption. From this, you can then establish the necessary recovery time objective (RTO) and recovery point objective (RPO) of these supporting systems and applications required to get your business operations back to an acceptable running state.
- Risk Assessment. After the BIA, you need to perform a risk assessment to identify and evaluate potential threats against your business, the likelihood of occurrence, and the severity of the event if it occurred. Remember, threats come in all shapes and sizes. Even a seemingly “small” threat can lead to a huge disaster for your business.
- Test. Test. Test. Once you’ve completed the above steps, you can adequately determine the best DR strategy for your business, build the appropriate IT disaster recovery plan, and then, very importantly, start testing it. Testing is a crucial step that cannot be overlooked. Otherwise, you’ll never know if your DR plan actually works or meets your recovery objectives until it’s too late. The more you plan for disaster, and the more you test and practice how you’ll handle it, the more prepared you and your team will be, and the smoother your operations will run when you need them.
- Maintain, Audit, and Update. Change is inevitable. Businesses, processes, people, risks, and technology all change, so you can’t just rest on your laurels after creating and testing your disaster recovery plan. You have to revisit your DR plan regularly and update it as needed to ensure your business is always prepared for a disaster.
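The inventory, RTO/RPO and testing steps above can be tied together in a small check, shown here as an added example that is not from the original article. The system names and numbers are constructed, and the check assumes a system can only start restoring once everything it depends on is back up.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    rto_min: int         # recovery time objective set by the BIA (minutes)
    rpo_min: int         # recovery point objective set by the BIA (minutes)
    restore_min: int     # restore time measured in the last DR test
    backup_age_min: int  # age of the newest recoverable copy at test time
    depends_on: tuple = ()

# Constructed sample inventory, not real measurements.
INVENTORY = [
    System("storage", 60, 15, 30, 10),
    System("database", 120, 15, 45, 20, ("storage",)),
    System("order-app", 90, 60, 40, 30, ("database",)),
    System("intranet", 1440, 1440, 90, 600, ("storage",)),
]

def recovery_order(systems):
    """Order systems so each one comes after its dependencies, tightest RTO first."""
    by_name = {s.name: s for s in systems}
    order, state = [], {}
    def visit(name):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError(f"dependency cycle involving {name}")
        state[name] = "visiting"
        for dep in by_name[name].depends_on:
            visit(dep)
        state[name] = "done"
        order.append(name)
    for s in sorted(systems, key=lambda s: s.rto_min):
        visit(s.name)
    return order

def audit(systems):
    """Return (minutes until each system is usable, findings per failing system)."""
    by_name = {s.name: s for s in systems}
    ready_at, findings = {}, {}
    for name in recovery_order(systems):
        s = by_name[name]
        start = max((ready_at[d] for d in s.depends_on), default=0)
        ready_at[name] = start + s.restore_min
        problems = []
        if ready_at[name] > s.rto_min:
            problems.append(f"RTO missed: usable after {ready_at[name]} min, objective {s.rto_min}")
        if s.backup_age_min > s.rpo_min:
            problems.append(f"RPO missed: newest copy {s.backup_age_min} min old, objective {s.rpo_min}")
        if problems:
            findings[name] = problems
    return ready_at, findings
```

In the sample data, order-app restores in 40 minutes on its own but still misses its 90-minute RTO because it waits on storage and the database, which is the kind of gap that only appears when dependencies are part of the inventory.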
Options for Protecting Your Data and Operations
When it comes to protecting your data and operations as a whole, there are numerous options. Large enterprises with multiple data center locations can feasibly replicate entire systems in different cities, protecting themselves from almost any conceivable threat to IT operations. While that approach isn’t feasible for most SMBs, cloud technology offers several practical approaches that can provide an equal level of preparedness. These include:
- Public cloud. Online file backup services are a popular choice for consumers; they offer shared resources and the ability to pay only for services and resources needed, with no investment in server or networking hardware required. While this might sound attractive, the public cloud comes with inherent security risk. If you operate in any industry that must adhere to compliance standards, the public cloud is probably not the best choice.
- Colocation. With colocation, SMBs purchase their hardware but install it in a physically separate, secure, specialized location that offers protection from both natural and human-caused disasters, and which also provides redundant power and connectivity options.
- Hybrid cloud. A hybrid approach enables businesses to leverage multiple platforms and services to fit their unique business continuity and disaster recovery needs, such as a combination of colocated servers and equipment, public and private clouds, and managed hosting services.
- DRaaS. Disaster Recovery as a Service (DRaaS) is perhaps the simplest approach from the customer’s perspective. A managed hosting provider supplies continuous and fully automated replication of data and applications from a primary site to a target site, often in a different geographic region. Today’s DRaaS solutions enable businesses of all sizes to cost-effectively and efficiently protect critical systems and data in the event of a disaster. The need for complex and time-consuming manual DR processes has been replaced with fully orchestrated, automated failover and failback of systems and applications. Additionally, DRaaS solutions give companies the ability to non-disruptively test and verify their DR plan, which is crucial. And, very importantly, DRaaS allows businesses to achieve extremely low RPOs/RTOs, thereby speeding the recovery time of critical applications and ensuring valuable data stays protected. The end result: costly downtime and data loss are avoided, and the business and financial impact of a disaster is minimized.
The DRaaS approach is relatively new and has been adopted by less than one in ten businesses (compared to 15 percent for public cloud), but is projected to grow rapidly.
Business disasters aren’t pleasant to contemplate. But the high risk that your business will face some type of operational disruption, and the high cost of even modest downtime, make it essential to do so. Fortunately, with proper planning, business and IT leaders can position their organizations well to weather any storm (or another source of disruption). And new technology options make it more affordable and manageable for even small businesses to obtain enterprise-grade disaster protection.