Disaster recovery and business continuity
With an ever-increasing dependency on IT, it is important to be aware that an existing IT disaster recovery (IT DR) plan may no longer be appropriate for the digital world in which we live. Malicious cyber-attacks are fast becoming one of the most common disaster events for businesses across multiple industries, with the Gov.uk 2020 Cyber Security Breaches Survey reporting that 46% of businesses experienced such breaches in the last 12 months.
In relation to business continuity (the business side of recovery planning), the most important takeaway from Covid-19 is that business continuity planning should be undertaken in anticipation of the worst, and not as a reaction to the worst happening.
Why should your business be proactive in including a DR plan in its strategy?
Business continuity planning can sometimes fall to the bottom of the to-do list when it is up against seemingly bigger and more pressing business priorities.
It is important to prioritise resources for business operations and functions, as these meet the more immediate demands of the business. However, an upfront and considered investment – both in executive time and cost – will make a significant difference to the pain felt should a disaster event occur.
One of the main difficulties in understanding the necessity of business continuity planning lies in the nature of these events. They are low-probability but potentially high-impact events that may never happen. Allocating resources and money to something that may never happen creates an understandable dilemma for many, but if such events do occur, a lack of preparation could prove detrimental to survival.
How can businesses approach DR planning?
Covid-19 is an example of a worst-case scenario that businesses can face. Whilst many traditional business continuity plans anticipate IT outages or an office becoming unavailable, in the case of Covid-19, we saw widespread office closure overnight. Moreover, disasters come in many forms with different faces. The real trick of business continuity is to predict the possible disaster scenarios so that if they occur there will be manageable processes to follow instead of a crisis. Natural disasters, financial crises and cyber-attacks are just some examples of types of catastrophe that a business may face.
Individual circumstances will vary between businesses. Good business continuity plans can follow a generalised format for each type of crisis event. The best plans will have practised procedures that can be quickly and efficiently flexed to suit the disaster.
Your business continuity plan might include the following key areas:
What is your most likely scenario for a BCP to go into effect, including the risks that are most likely to occur?
If your business sits in a high-risk flood plain, there is a critical need to have a BCP in case of flood. If your business has a high dependency on IT or online sales, then a cyber-attack would cause significant disruption.
What are your business-critical functions and the technologies and applications that underpin them?
It is important to decide what your most critical business services and technologies are, so you can prioritise these in the event of an incident.
What is the minimum level of staff you require to get back online, considering which teams are most critical in case of disaster?
In the event of a disaster occurring at the end of the financial year, the accounting team may be a higher priority than sales.
What timeline of events do your DR plans take into consideration, and does it mirror the needs of the business?
Covid-19 has changed the way this could be approached due to the remote-working requirements for many industries. How long could your business continue to function without anyone accessing a building, if that is possible at all? It is important to make sure your plans take into consideration every part of the business in the event of an incident.
How will communications to your business, clients, and the press be managed?
Internally, staff need to understand the current situation so that they can either prepare to take work home or, in the case of a ransomware attack, isolate machines. Externally, you may wish to inform clients that services may be unavailable and apprise them of the situation. Reputationally, you will need to manage how the incident is portrayed in the media.
Does your business warrant a specialist DR application to help manage documentation and automated messages to staff should an incident occur?
It is important to consider what IT applications could be called upon to aid in the recovery process, as well as whose responsibility within the company it would be to manage those applications.
Finally, experience shows that it is vital to have an executive level sponsor and gain executive buy-in before, during, and after implementing DR plans. This ensures alignment with business strategy and creates the necessary culture and support within the business to make it a success.
To conclude, there is no better time to act and improve your business's DR plans. Many businesses will be deliberating whether this is something the business can afford now, but perhaps the more appropriate question is: “Can your business afford not to?”