The importance of having a functional disaster recovery plan (DRP) cannot be overstated. Your DRP outlines the processes your company will use to recover and resume business-critical functions should a disaster strike. Disasters can range from natural events like tornadoes or hurricanes to man-made events like cyberattacks or simple human error.
Surprisingly, some 20% of organizations with 100 to 5,000 employees do not maintain any disaster recovery (DR) solution, according to “Infrascale’s 2016 Disaster Recovery as a Service Attitudes and Adoption Report”, leaving those companies vulnerable to extended downtime and loss of business. Take, for instance, the recent WannaCry ransomware phenomenon—those who had data backups and a proper DR plan did not have to consider paying to regain access to their critical data.
Infrascale’s report also notes that 22% of enterprises with disaster recovery plans test their plan less than once a year, which leaves those organizations at risk, too. Without ongoing testing and improvement, the strategy cannot fulfill its duty to minimize risk and improve recovery time. An inactive DRP can only do so much to protect against the latest ransomware or DoS (denial of service) attack, especially because threats are evolving and becoming more sophisticated.
Vulnerability Due to a Weak Link
Take a long, honest look at your organization’s disaster recovery initiatives. Does your organization follow best practices and schedule regular drills to test your disaster preparedness? Or, can your business improve its DR testing? Without consistent testing and optimization, disaster recovery remains a technological hypothesis. It likely does not account for the contingencies of a real emergency. For companies that never test a DRP or only test it once every few years, unproven recommendations could undermine the entire disaster recovery process.
Assess Your Risk by Testing Your DR Plan
“37% of respondents can’t even speculate what an outage costs their business.”
(Source: Infrascale Report)
Finding out the value of your risks is imperative, and DRP testing means analyzing redundancies and recovery systems currently in place. While monitoring and maintaining systems play a significant role in disaster recovery, neither constitutes accurate testing. A real test involves running a simulation of a real-world scenario to ensure the business can continue in an emergency. It means identifying individual components of the DRP, determining optimal outcomes, and then creating an environment to run the test and measure results.
Testing frequency varies among organizations and depends on many factors. Consider data sensitivity, your company’s need for a fast recovery, and the number of technological changes the company makes per year to create the right testing schedule. More testing usually facilitates a better, faster disaster response.
Identify Common Shortcomings in DRPs
One of the most serious mistakes in DR planning is failing to implement a test plan. As organizations test their plans and optimize their systems, some of the most common shortcomings include:
- Underestimating true recovery time. Ideally, a failover will take over the moment a system glitches, and it will create seamless business continuity. However, disasters bring unexpected outcomes. Consider the true recovery period of weather events, cyberattacks, and system glitches, and test with the goal of reducing recovery times in any situation.
- Failing to involve all recovery team personnel in testing. If only the IT department conducts disaster recovery tests, it alone will understand the recovery process. In the event of a disaster, leaders, legal advisors, IT personnel, and other employees may play a role in recovery. Include them in testing procedures.
- Failing to go beyond regulatory compliance. Certain industries have mandates that require disaster recovery planning—for example, healthcare organizations must meet the HIPAA Contingency Plan standard in the Administrative Safeguards section of the Security Rule. While regulatory requirements are essential, prudent DR plans go beyond compliance to address all security threats.
With testing, organizations begin to see hidden vulnerabilities in applications, infrastructure, and internal policies.
Discover Best Practices for Disaster Recovery Testing in 2017
Testing a DRP may involve penetration testing, employee phishing scam simulations, and backup system access testing. For each test, consider the following tips and best practices:
- Always use a script and keep thorough DR documentation. A step-by-step plan of action creates accountability and allows you to act swiftly. It also enables the recovery team to respond according to pre-approved policies, regardless of stress or confusion. Use a detailed script for every test to create and account for true-to-life response activities. This document will evolve as you identify better solutions and correct ambiguities. Furthermore, good documentation prevents issues associated with “tribal knowledge”—meaning, solid documentation about systems and processes prevents confusion when there’s internal turnover.
- Go beyond basic data and application transference. An off-site storage facility (colocation, hosted, etc.) retains business applications and datasets but requires validation before user access. A backup system needs to receive pings from a different (not down) IP address to grant users access. This seemingly small, back-end oversight could stall the entire recovery.
- Simulate common disaster scenarios for true-to-life testing. Work with security professionals to test systems in a simulated environment. Conduct specific penetration tests from internal and external endpoints and consider all potential vulnerabilities from a holistic viewpoint.
- Partner with experts. Most businesses cannot afford to manage a department dedicated to disaster recovery activities. To improve the quality of testing environments and reduce the stress of internal disaster recovery planning, collaborate with a third-party organization focused on disaster recovery, backup, testing, and maintenance.
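An added example (not from the original article or from Infrascale's report) of scoring a drill against its recovery targets. It measures recovery up to the moment users are validated on the backup system rather than the moment data is restored, which is the gap described under "Underestimating true recovery time" and "Go beyond basic data and application transference". The log layout, event names, systems and targets are constructed for illustration.

```python
from datetime import datetime

# Constructed drill log: ISO timestamp, system, event. Event names are
# assumptions for this example, not a standard format.
DRILL_LOG = """\
2017-06-01T09:00:00 crm outage_declared
2017-06-01T09:40:00 crm data_restored
2017-06-01T11:10:00 crm user_access_validated
2017-06-01T09:00:00 email outage_declared
2017-06-01T09:25:00 email data_restored
2017-06-01T09:50:00 email user_access_validated
2017-06-01T09:00:00 billing outage_declared
2017-06-01T10:15:00 billing data_restored
"""

# Constructed recovery-time targets, in minutes, per system.
TARGET_MINUTES = {"crm": 60, "email": 60, "billing": 120}


def parse_log(text):
    """Return {system: {event: datetime}} from the drill log."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, system, event = line.split()
        events.setdefault(system, {})[event] = datetime.fromisoformat(stamp)
    return events


def score_drill(text, targets):
    """Compare measured recovery (to validated user access) with each target."""
    results = {}
    events = parse_log(text)
    for system, target in targets.items():
        seen = events.get(system, {})
        start = seen.get("outage_declared")
        restored = seen.get("data_restored")
        validated = seen.get("user_access_validated")
        if start is None or validated is None:
            # Data may be back, but nobody proved users could reach it.
            results[system] = {"status": "INCOMPLETE", "minutes": None, "access_gap": None}
            continue
        minutes = (validated - start).total_seconds() / 60
        gap = (validated - restored).total_seconds() / 60 if restored else None
        status = "PASS" if minutes <= target else "FAIL"
        results[system] = {"status": status, "minutes": minutes, "access_gap": gap}
    return results
```

In the constructed data, the CRM restore finishes inside its 60-minute target, yet users are not validated until 130 minutes after the outage is declared, so the drill fails on the figure that matters to the business.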
Disaster recovery plans are living documents. Without testing, modification, and maintenance, they cease to provide relevant information. Prioritize testing to develop a plan that provides value in the wake of a natural disaster or a cyberattack. If you’d like to get a second opinion on your disaster recovery efforts, contact us to discuss your strategy—we’re happy to help.