The MSP Event of the Year! Oct 4 - 7

When Disaster Strikes: Disaster Recovery and Your Small Business

When Disaster Strikes: Disaster Recovery and Your Small Business

When it comes to preparing for the worst, strive to be the best. Small businesses that invest in a robust disaster recovery plan are much more likely to survive a major incident.

When disaster strikes, will your small business be ready?

Notice the word “when” in the above sentence. At some point, for some reason, your company is going to experience a disruptive event that puts some of your IT infrastructure out of commission. It could be a cyberattack, a natural disaster, or just good old-fashioned human error. But whatever it is, it’s going to happen.

And when it does, having a plan of action in place — a disaster recovery plan (DRP) — will, more than anything else, be the difference between weathering the storm and getting dashed on the rocks of misfortune. Whether your company has 5 employees or 5,000, you need to treat disaster recovery planning like the vital business function it is, which means actually investing in it. Failing to prepare means preparing to fail!

In this blog post, we talk about disaster recovery planning: why it matters, what it involves, and how to approach the task of creating a DRP at your growing business.

Small Businesses and Disaster Recovering Planning

While it’s true that there’s only so much you can do when disaster strikes — many things are outside of our control — it’s pretty clear that small business owners could be doing more. Let’s look at some numbers …

Back in 2015, a study by Nationwide found that 75% of small

businesses don’t have a disaster recovery plan. A more recent report from Shred-it found that 67% of small businesses lack an incident response plan, which suggests that smaller companies are starting to get their act together — although not nearly fast enough.

With so few small businesses giving disaster recovery planning adequate attention, it’s no surprise that 40% of small businesses close permanently in the wake of a disaster (source: FEMA). Without any kind of DRP, a small business is likely to experience lengthy downtime after a disaster, which is expensive — to say the very least!

So what can your small business do to avoid becoming a statistic? Well, the first step is to finish reading this blog post — sound advice is coming your way!

An Important Point to Keep in Mind

Before we get into the nitty-gritty of disaster recovery, a quick word on the nature of disasters. When you hear the word “disaster,” you likely think of dramatic, cataclysmic events — earthquakes, fires, maybe a sweeping cyberattack carried out by nefarious hackers.

But the truth is, the two most common “disasters” are simple hardware failure and power failure. These more mundane, day-to-day disasters might not make the news, but they will take down your IT systems and, consequently, bring your business to a grinding halt.

Keep this point in mind as you cultivate disaster recovery capacities at your own business; you’re not just preparing for highly unlikely and highly

destructive scenarios, but fairly likely (and potentially highly destructive) ones, too. In short, develop your DRP with an eye to the fact that you’re going to end up using it!

It Starts with Backup

The cornerstone of every DRP is a sound backup strategy. Backing up data just means making a copy of it. It’s easy to understand why backup is such a powerful tool in the context of disaster recovery. When disaster strikes and crashes your IT infrastructure, you can lose data. But if that data’s backed up, it’s not really gone, is it?

An analogy: Let’s say your car gets stolen, but you have the exact same car — down to the mileage. You can just start driving your backup-mobile and it’ll be like nothing happened. Problem solved.

Of course, things aren’t quite so simple. Just as having a ‘backup car’ doesn’t negate all of the negative consequences of your car getting stolen, having a backup of your data doesn’t negate all of the negative consequences of a data breach, natural disaster, or any other disruptive event that does significant harm to your business’s IT infrastructure.

That said, it does diminish overall damage considerably, especially in the case of ransomware attacks, which have become utterly rampant as of late.

Let’s review two topics pertinent to developing a sound backup strategy: the “3-2-1 rule” and RTO/RPO.

3-2-1 Rule

Whatever your business’s size or specific backup needs, following the 3-2-1 rule is a good idea when it comes to backing up organizational data. This rule states that businesses should maintain:

  • 3 copies of data
  • 2 (or more) of which are stored on different media formats
  • 1 (or more) of which is stored offsite

The 3-2-1 rule gives your organization resilience. If a disaster wipes out one storage medium, you’ve got the other to fall back on. If a disaster wipes out all of your on-site data, you’ve got the off-site copy to fall back on. The idea is that whatever happens, at least one copy of your data will survive, allowing you to resume operations as swiftly and seamlessly as possible.

RTO & RPO

RTO and RPO are difficult to calculate, but fairly straightforward on a conceptual level:

RTO stands for “recovery time objective,” and refers to how long your business’s IT infrastructure (or certain parts of it) can remain out of commission before it starts to do serious harm to your organization.

RPO stands for “recovery point objective,” and refers to how much data — measured in time: minutes, hours, days, etc. — your organization can afford to lose, counting back from the present. If your company can function normally without data from the last four minutes and fifty-nine seconds, but it needs 5-minute-old data, then your RPO is equal to 5 minutes.

Let’s connect these concepts to backup and disaster recovery.

One thing you want from your DRP is the ability to recover from a disaster quickly. But how quickly? That’s the question that RTO answers by identifying how long is too long. If your RTO is 2 days, it means

you can’t afford more than 2 days of downtime following a disruptive event.

Your DRP should also include a backup solution that makes sufficiently frequent copies of your organization’s data. But how frequent is “sufficiently frequent”? That’s the question that RPO answers by identifying the amount of data your organization can afford to lose. If you can’t afford to lose more than the last 10 minutes of data (RPO = 10 minutes), you want a backup solution that makes a copy of your data (and stores it offsite preferably), every 10 minutes — or even more frequently than that.

Backup vs Disaster Recovery

A lot of explanations concerning the relationship between data backup and disaster recovery overcomplicate things. So we want to put it in plain English: Data backup is an important part of your disaster recovery plan.

See? Simple. Two words tell you everything you need to know: “important part.”

Data backup is IMPORTANT because if you can’t, following data loss due to disaster, recover your data via accessing a sufficiently recent copy of it, resuming normal operations is going to be tough, if not downright impossible.

But it’s only PART of disaster recovery because the latter refers to everything involved in making sure your business can bounce back quickly after a disaster. This goes well beyond maintaining backups of data — as we will now discuss.

Creating a DRP for Your Business

Here are 4 tips to help you get the most out of your disaster recovery planning.

Tip #1: Don’t go it alone!

Creating a DRP for your small business can be daunting — especially when you’re already knee-deep in the day-to-day — so our first piece of advice is simply: Don’t go it alone! Involve your employees (it might even be a good idea to create a “disaster recovery team” whose job is to oversee and develop the procedures included in your DRP), your in-house IT staff/IT provider, your insurance broker, and disaster, backup and recovery (DBR) experts.

Tip #2: Figure out ‘the what’ and ‘the who’!

When drawing up your DRP, you want to include very specific instructions detailing not only what is to be done following a major disruptive event, but also, who is to do it. In other words, assign particular tasks and responsibilities to particular people within your company — and put it in documentation. Who’s in charge of contacting clients after an incident? What about vendors? When disaster strikes and every second counts, you’ll be glad you don’t have to waste precious moments trying to figure out who should do what.

Another component of figuring out ‘the what’ is taking inventory of all the IT assets at your company: hardware, software, devices, etc. Furthermore, assign relative levels of importance to the different parts of your digital landscape. The more important an IT asset is to your organization, the more quickly you want to restore it to full functioning in the wake of a disaster. So establish what’s critical, so that your DRP can prioritize getting those things back up and running the fastest.

Tip #3: Put it to the test!

This is perhaps the most effective — and overlooked — aspect of disaster recovery planning. Small business owners will create a DRP and

then file it away to collect dust. This is a big mistake, because in a disaster situation, the last thing you want to be doing is trying out your DRP for the first time. Practice makes perfect, so run drills that force you and your team to put your DRP into action. Nothing exposes flaws in a DRP like actually trying to run it through. Test, troubleshoot, rinse and repeat!

Tip #4: Work with an MSP!

Disaster recovery takes time and resources. There’s creating the plan. There’s testing it. There’s training employees. There’s revising the plan in light of technological and other sorts of changes. It adds up — and can get expensive if you’re not careful in how you invest.

For this reason, more small and mid-sized businesses are turning to managed service providers (MSPs) for help with disaster recovery planning, training, and execution. A good MSP can help with every facet of disaster recovery and business continuity, and stitch together a DRP that’s tailored to your organization’s exact needs. Moreover, MSPs know how to leverage modern IT solutions like cloud computing and the automation of backup monitoring and reporting to keep your disaster recovery investment from outpacing your IT budget.

If you’re really looking to improve your organization’s disaster recovery and resilience, it might be worth looking into DRaaS (Disaster Recovery as a Service), now offered by many MSPs. DRaaS is a cloud-based solution aimed at minimizing downtime caused by catastrophic events that disrupt IT functions. With DRaaS, a third party (your provider) copies your data and systems to a cloud infrastructure at a frequency in line with your RPO. If disaster strikes and causes your primary site to go down, your DRaaS will trigger a failover — the transition of your workloads from your primary

systems to your standby systems — thereby reducing, if not eliminating, unwanted downtime.

If you have DRaaS, you can rest easy knowing a whole team of experts is overseeing and managing every facet of disaster recovery at your business. Talk about peace of mind!

Final Thought

In the fast-paced world of business, waiting until you have a perfect grasp of something before giving it a try is a recipe for regret and missed opportunities. So don’t let the fact that you don’t perfectly understand all the ins and out of disaster recovery stop you from getting started on your own DRP. You can refine and learn as you go. What matters is that you take those first steps and get the ball rolling!