In our daily lives we try to protect ourselves from the worst. We buy insurance for our cars, homes and health, and we safeguard personal information. Shouldn't business owners and IT managers treat their networks and critical infrastructure the same way?
According to Gartner Inc., the majority of small and midsize businesses (SMB) under-invest in business continuity and disaster recovery planning. Gartner estimates only 35% of SMBs have a comprehensive disaster recovery plan, and fewer than 10% have crisis management, contingency, business recovery and business resumption plans.
For SMBs, it is critical to implement a disaster recovery plan. According to Gartner, two out of five businesses that experience a disaster go out of business within five years. Moreover, disasters happen more frequently than you think, because 80% of application downtime is caused by people or process failures, not disasters or technology failure.
Establish a downtime threshold
When building a disaster recovery plan, the first objective should be to decide the recovery point objective and recovery time objective. The RPO dictates the allowable data loss, while the RTO is the amount of time applications can afford to be down -- the maximum tolerable outage.
If a disaster occurs, how much time can your business afford to lose? An hour? A day? A week? An organization that requires immediate recovery will need to budget significantly more funds for disaster recovery than an organization that can afford to be down for a few days. In the same fashion, a tight RPO is expensive, but SMBs must weigh preventative expenditures against the potentially exorbitant cost of significant data loss. Identifying the RPO and RTO will help you allocate the appropriate resources.
If a business has difficulty establishing the RPO and RTO, a business impact analysis (BIA) can help. The basic assumption behind a BIA is that every element of the organization relies upon the continued operation of every other element, but some elements are more crucial than others. The BIA prioritizes mission-critical data and systems and helps organizations allocate the appropriate resources for each component in case of a cataclysmic event. The BIA can also show IT managers and SMB owners alike how much money they could lose by not implementing a disaster-recovery plan.
Build the disaster-recovery plan
When the RPO and RTO are established, you are ready to build a disaster recovery plan. As you build the plan, keep these best practices top of mind:
- Involve all organizational stakeholders, not just IT. For example, the human resources department plays a critical role in training employees on the disaster recovery plan and communicating the plan, so they should participate in development. Chief executives and other top managers are essential to securing disaster recovery funding and organizational buy-in. If you lease your building, the property manager should be apprised of your plan. Further, it may be a good idea to inform local law enforcement of the plan. It is critical to involve all stakeholders in the planning and implementation.
- Prevent data silos: It may be convenient to save documents to the desktop, but it is a bad habit for employees. Individual computer hard drives often are not backed up by IT, so implement a central server to prevent headaches and train all employees to use it exclusively.
- Prioritize backups: Determine what data needs to be stored and for how long, and develop a storage strategy that prioritizes critical data and applications, backing up the most critical first.
- Back up on-site and off-site: Many backup technologies are available, from online backup services to tape and disk-based solutions. Whatever method you choose, it is essential to back up both on-site and off-site so your data and applications survive if your primary business location is unusable. With disk mirroring, for example, at least two drives simultaneously duplicate and store data, so if one of the drives fails the system can switch to the other -- whether it is in the same data center or across the country -- without any loss of data or service.
- Ensure remote access: Data retention is just as important as network access. If the physical office cannot be used in the wake of a disaster, employees will still need to access the network infrastructure to keep operations afloat. All the key players should have remote access, if not the entire company.
Once the downtime threshold is established and the disaster recovery plan is in place, periodic testing should occur. Testing equals time and money, so the frequency with which an organization can test depends on the budget. As a benchmark, SMBs should test no less than twice annually. If it is impossible to test the entire system more than twice a year, organizations should periodically test the most critical applications and systems. Further, tests should be conducted during busy seasons and should be unannounced to all but a few personnel, in order to simulate the urgency of a real disaster. Lastly, IT managers should review the process after each test to establish what worked and what did not, so any errors can be rectified.
An effective disaster recovery plan is critical to business survivability. Every year, one out of 500 data centers will experience a disaster so severe that 43% will be unable to recover, according to the McGladrey and Pullen accounting firm. Another 29% will be forced to close within two years. Disaster recovery is business insurance you just can't afford to live without.