IT Disaster Recovery for Canadian Businesses
All Canadian businesses should adopt an IT disaster recovery plan that will sustain them through an unexpected crisis or interruption of any kind. Interruptions could include power failures, extreme weather, terrorist attacks, cyberattacks, natural disasters, incapacity of principal staff, supply chain problems, fire, theft, acts of God, revolution, political unrest, and more. To a certain extent, the nature of the disaster doesn't matter. A good disaster recovery plan should be sufficiently generalized to address most, if not all, disasters.
Business Continuity and Disaster Recovery Planning
Business continuity and disaster recovery (BCDR) planning is proactive and generally refers to the documented processes and procedures that an organization must implement to ensure that critical functions continue to operate during and after an unexpected interruption. It involves a comprehensive approach to restoring existing business systems of any kind. Business continuity and disaster recovery is about making sure that you can keep doing business and keep making money.
An IT disaster recovery plan is significant for IT companies or those companies that have IT-dependent components. It addresses preparedness for unforeseen interruptions to operations, such as data loss and getting your data and applications restored from backups should they crash or become damaged. Having a solid and comprehensive IT support system in place will ensure that your organization quickly recovers and sustains normal business practices in crucial times of disruption.
Estimated Time to Restoration (ETR)
A business continuity plan identifies and enumerates the systems that need to be recovered in order of priority. Priority can fall into two different camps:
- Technical requirements; and
- Operating requirements
Typically, you should make an effort to identify a logical ETR or Estimated Time to Restoration for all requirements. For example, you wouldn't restore your email server before you restore your login server. A login server will typically be restored in 2 hours, while an email server might be the last thing that is restored.
Procedures for Restoration
Business continuity should include fail-over plans, such as having Gmail in place. That way, if your email server goes down, the system can automatically switch to Google so your email isn't lost. Itemizing the systems that need to be restored and time to restoration should always incorporate temporary secondary systems.
It is equally important to always include procedures for conducting the restore. When you're in a crisis, it's not a good time to figure out your backup software. A really good business continuity and disaster recovery plan will contain all your systems and the procedures for restoration.
Recovery Time Objective (RTO)
Recovery Time Objective or RTO outlines how quickly you need to get back on your feet. It typically includes guaranteed access to replacement equipment in the case of a disaster that affects more than your office or building and impacts your city. There are many factors that can affect RTO, and secure access to equipment is one of them. If an earthquake in downtown Toronto causes a chasm, many servers will be required. When a disaster disrupts a considerable number of people, it puts constraints on replacing products. The market will supply them, but your RTO may change. If you can't get a computer, it will be impossible to restore your data, and therefore you can't operate.
Recovery Point Objective (RPO)
Recovery Point Objective or RPO is how far back in time you need to go to restore your systems. If you need to upload 7 years of data, restoration could take a lot more time. One strategy is a business continuance facility. This involves renting a shadow office with a shadow computer, and a shadow telephone. In this scenario, a team could decamp to that facility and every file they need will be there.
Steps for Development of an IT Disaster Recovery Plan
Disaster recovery planning is comprised of specific steps that an organization must take to resume operations and recover IT resources following an incident. It works to maintain the technical infrastructure upon which the business is dependent. Following this documented process will allow an organization to recover its IT infrastructure and data in the immediate aftermath of a disruption.
1. Essential Business Functions
Conduct a business impact analysis to identify your essential business functions and processes, and the resources that are necessary for those functions. Make sure to highlight anything that might be time sensitive.
2. Decision Chain and Escalation Chain
Organize a business continuity team to manage a potential business disruption. A decision chain should dictate which people should be called and include their phone numbers. Contact information should be included for principals, partners, suppliers, and service providers.
Roles and responsibilities should be outlined in an escalation chain. It should include an escalation contact list of people that need to be contacted. If you call a person on the list and they can't be reached, then you need to call the next person on the list.
3. Priorities
Once identified, document and prioritize all your critical business functions and processes.
4. Training and Drills
Create and conduct training for your business continuity team. Ensure that the entire organization is aware of who is on the team and who they can look to for guidance in the event of a disruption.
Conduct regular drills to ensure that staff are properly trained on recovery procedures. Training and mock drills often identify gaps in your disaster recovery plan. Gaps creep in organically, such as implementing a new HubSpot CRM, but not updating the plan. By doing regular business continuity drills, you can locate new systems that haven't been accommodated by the plan. At the very least, a business continuity plan should be reviewed and amended annually.
5. Testing
Testing periodically will allow you to evaluate and update all components of the business continuance plan. It is essential to test installation media and backups frequently so that you don't make the mistake of thinking that a backup will work when it doesn't.
Data Loss and IT System Disaster Recovery
A disaster recovery plan outlines the recovery strategies that need to be taken to restore hardware, applications and data in a timely manner. Recovery strategies should be developed for all IT systems, applications, and data. This includes networks, servers, desktops, laptops, wireless devices, and data. It also includes connectivity, such as Internet, local area network (LAN), and wide area network (WAN). Remember that without one component, your system may not run.
Even the smallest businesses can create a large volume of data. Some, if not all, of that data may be critical to the continued operation and the reputation of the business. The impact of data loss, whether it is from hardware failure, hacking, malware or simple human error, can be catastrophic, making data restoration plans essential.
How to Connect Disaster Recovery Within Business Continuance Planning
Priorities for disaster recovery planning should be consistent with the priorities determined for business continuance planning. They should include many of the same considerations such as prioritization, the identification of resources and the highlighting of time-sensitive components. In prioritizing disaster recovery steps, you should ensure the recovery of IT resources directly mirrors the recovery time objective for the business function that relies upon that IT resource.
While some companies use dual data centres to mitigate the risk of failures, they are an expensive option that has until recently only been available to larger companies. Microsoft Azure mirrors corporate-owned data centres and can be a cost-effective solution.
There are less expensive steps that all companies can take. To start, disaster recovery planning should address the potential vulnerabilities of one or more of the following system components:
- Computer room environment: secure computer room with climate control, fire control and backup power supply
- Hardware: create an inventory of networks, servers, computers, wireless devices and peripherals
- Connectivity: fiber, cable, wireless
- Software applications: create an inventory and ensure copies are available to be installed on replacement equipment
- Data and restoration: create a strategy to ensure that all data is regularly backed up
Why prioritize IT disaster recovery?
Every Canadian business should prioritize IT disaster recovery and business continuance planning. Having an "it won't happen to us" mentality has left a huge number of companies ill-prepared for any sort of disruption. In addition, senior management teams often down-prioritize disaster recovery as the risks seem remote, and they are busier with more pressing matters or have prioritized resources elsewhere. This is a mistake. Both are crucial to business success.
For most small organizations, the most important thing is their data and retaining their data. Most organizations that have solid backups come out of disasters relatively unscathed. However, 87% of companies that have their data compromised are out of business within 18 months. Businesses in Canada that ignore business continuity and disaster recovery do so at their peril.
Often, disaster recovery plans are based on disaster scenarios, such as fire, flood, theft, and epidemics. The whole emphasis is on action, action, action. If you are reading this post and are concerned about your IT disaster recovery, contact CITI.