Thus far in 2020, cleaning up after the 11 biggest ransomware attacks has cost municipal governments, universities and private businesses more than $144 million, and that doesn’t factor in lost productivity and reputation damage.
Disasters hit organizations in many forms—from ransomware to lightning strikes—with little to no warning. So it’s crucial to have a disaster recovery (DR) plan designed, implemented, and tested long before you might need it.
Your DR plan should exist as part of a comprehensive business continuity plan, and, at a minimum, include these eight elements.
1. Complete Inventory of Hardware/Software/Other Equipment
When creating a DR plan, you have to know what resources may need to be recovered. You will need to do a full inventory of every piece of hardware, software, and peripheral that touches your networks or is used by your employees, contractors, and vendors.
This will be a pretty extensive project, because you will need to account for every on-premises, cloud-based, and mobile/BYOD tool and technology your organization uses.
2. Documented Business Objectives
DR is often more about business decisions than IT decisions. So it is imperative to involve all business units and stakeholders in the conversation about business objectives, so you know where to focus first during recovery.
Start by mapping out the entire infrastructure to ensure all systems are accounted for. Once you know what you are protecting, you can set priorities to ensure the most important systems and applications are up and running first.
Divide systems and applications into three tiers to facilitate recovery efforts:
- Mission-critical: These are the first priority. Get these systems back up immediately to avoid massive data loss or severe disruption to business operations.
- Essential: These systems are less critical and can be unavailable for up to 24 hours without significant impact to the business.
- Non-essential: These applications are the lowest priority because business can run without them for a few days.
Be sure to consider any system dependencies in your business objectives, because they may affect how you prioritize recovery efforts.
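The effect of dependencies on tiering can be worked through in code. The sketch below is an added example, not part of the original article: it takes a constructed inventory (system names, tiers and dependencies are all hypothetical), promotes every dependency to the tier of the most critical system that needs it, and returns a recovery order in which nothing is restored before the systems it relies on.

```python
import heapq

TIER_RANK = {"mission-critical": 0, "essential": 1, "non-essential": 2}
RANK_TIER = {rank: tier for tier, rank in TIER_RANK.items()}

# Constructed sample inventory: name -> (documented tier, systems it depends on)
SYSTEMS = {
    "payments-api": ("mission-critical", ["customer-db", "internal-dns"]),
    "customer-db": ("mission-critical", ["storage-array"]),
    "storage-array": ("essential", []),
    "internal-dns": ("non-essential", []),
    "email": ("essential", ["internal-dns"]),
    "wiki": ("non-essential", ["customer-db"]),
    "print-server": ("non-essential", []),
}

def effective_ranks(systems):
    """Promote each dependency to the tier of its most critical dependant."""
    for name, (_, deps) in systems.items():
        missing = [d for d in deps if d not in systems]
        if missing:  # a gap in the inventory, not a tiering question
            raise ValueError(f"{name} depends on uninventoried systems: {missing}")
    rank = {name: TIER_RANK[tier] for name, (tier, _) in systems.items()}
    changed = True
    while changed:  # repeat until promotions have reached transitive dependencies
        changed = False
        for name, (_, deps) in systems.items():
            for dep in deps:
                if rank[dep] > rank[name]:
                    rank[dep] = rank[name]
                    changed = True
    return rank

def recovery_order(systems):
    """Return [(system, effective tier)] with dependencies always restored first."""
    rank = effective_ranks(systems)
    waiting = {name: set(deps) for name, (_, deps) in systems.items()}
    ready = [(rank[n], n) for n, deps in waiting.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        r, name = heapq.heappop(ready)  # most critical restorable system next
        order.append((name, RANK_TIER[r]))
        for other, deps in waiting.items():
            if name in deps:
                deps.remove(name)
                if not deps:
                    heapq.heappush(ready, (rank[other], other))
    if len(order) != len(systems):
        stuck = sorted(set(systems) - {n for n, _ in order})
        raise ValueError(f"circular dependency among: {stuck}")
    return order
```

In this sample, internal-dns is documented as non-essential but is recovered first, because the mission-critical payments-api cannot start without it.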
3. Defined Tolerance for Downtime and Data Loss
With your documented business objectives in hand, you can define recovery time objectives (RTO) and recovery point objectives (RPO). These are the metrics you will use to determine your downtime and data loss tolerance. In other words, these metrics allow you to measure how much time an application can be down without causing significant damage to the business (RTO) and the amount of data that can be lost before significant harm to the business occurs (RPO).
4. A DR Team
A trained DR team is invaluable during a crisis. Every member of the team is assigned specific tasks, so there is no question about who is responsible for which part of the recovery effort.
This team will also be in charge of communications throughout the crisis and be a point of contact for stakeholders. The disaster response team is in charge of training staff so everyone is aware of emergency response policies and procedures during a disaster.
5. Alternative Workspaces
In the event of a fire or natural disaster, your office space may not be accessible. Having a plan to enable employees to work remotely will help keep the business operating as close to normally as possible.
Be sure all employees have or can quickly get access to laptops and an internet connection. And stay accessible by preparing fall-back email and phone system solutions that provide essential lines of communication for employees, customers, and vendors.
6. Remote Access
Whether you’re using VPN, RDP, SSH, or other access-control technology, accessing company data and applications remotely can be a security risk. This became very apparent when COVID-19 concerns suddenly forced millions of employees to work from home.
The middle of a crisis isn’t the best time to find out your infrastructure can’t handle remote access securely. Update your security technology now to ensure your data can be safely accessed from outside the firewall.
7. Secure Backups
The quality and frequency of your backups will make or break your DR efforts. Consider these best practices for keeping backups secure and available if you need them in a crisis:
- Keep your backups separate and inaccessible from the main company network. Some ransomware can pass through the network and encrypt backup data, rendering it useless.
- Implement a 3-2-1 backup strategy: create three copies of your data, store them on two different media, and store one of those copies off-site or in the cloud.
- Invest in a cloud backup and DR solution that simplifies backup and recovery by providing a central UI and the most current disaster recovery tools and technology.
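These practices, together with the RPO defined earlier, can be checked mechanically against a backup catalog. The audit below is an added example, not part of the original article; the catalog, its field names and the timestamps are constructed, and it assumes the production copy counts as one of the three copies.

```python
from datetime import datetime, timedelta

NOW = datetime(2020, 9, 1, 12, 0)  # constructed "current time" for the sample

def copy(role, media, offsite, lan_reachable, taken=None):
    return {"role": role, "media": media, "offsite": offsite,
            "lan_reachable": lan_reachable, "taken": taken}

# Constructed catalog: dataset -> (RPO, every copy of the data incl. production)
CATALOG = {
    "customer-db": (timedelta(hours=1), [
        copy("production", "disk", False, True),
        copy("backup", "disk", False, True, datetime(2020, 9, 1, 11, 30)),
        copy("backup", "object-storage", True, False, datetime(2020, 9, 1, 11, 15)),
    ]),
    "file-share": (timedelta(hours=24), [
        copy("production", "disk", False, True),
        copy("backup", "disk", False, True, datetime(2020, 8, 29, 2, 0)),
    ]),
}

def audit_dataset(rpo, copies, now):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    backups = [c for c in copies if c["role"] == "backup"]
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need 3")
    if len({c["media"] for c in copies}) < 2:
        findings.append("3-2-1: all copies are on one media type, need 2")
    if not any(c["offsite"] for c in backups):
        findings.append("3-2-1: no backup copy is off-site or in the cloud")
    if all(c["lan_reachable"] for c in backups):
        # Ransomware that spreads over the network can reach every backup
        findings.append("isolation: every backup is reachable from the main network")
    newest = max((c["taken"] for c in backups), default=None)
    if newest is None:
        findings.append("RPO: no backup exists")
    elif now - newest > rpo:
        findings.append(f"RPO: newest backup is {now - newest} old, objective is {rpo}")
    return findings

def audit_catalog(catalog, now=NOW):
    return {name: audit_dataset(rpo, copies, now)
            for name, (rpo, copies) in catalog.items()}

if __name__ == "__main__":
    for name, findings in audit_catalog(CATALOG).items():
        print(name, "OK" if not findings else findings)
```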
8. A Comprehensive Testing Strategy
Don’t wait for an actual disaster to find out whether your DR plan works. Implement a comprehensive testing strategy now (and actually use it). Your strategy should accomplish three objectives:
- Test your backups to make sure your data is protected and recoverable
- Test your DR processes to make sure they work
- Test your people to make sure they know what to do in a real emergency
No organization wants to find itself digging out of a disaster, but the reality is that ransomware attacks, hurricanes, forest fires, and good old-fashioned human error can happen at any time. Download How to Build a Disaster Recovery Plan to learn more about how to prepare your organization so a crisis doesn’t become a worst-case scenario.