Disaster Recovery Planning for Small Businesses
by Bridget.Giacinto on Oct 2, 2015 10:23:30 AM
Natural disasters, mishaps, viruses and user errors happen more often than you would think. However they happen, these disasters can shut down your business for good if you are not prepared. 74% of organizations have experienced data loss at the workplace, and while 32% recover in a matter of a few days (at a hefty cost), 16% never recover. There is zero room for excuses when it comes to protecting the data that keeps your business running, yet close to a third of companies openly admit to not having a disaster recovery plan (DRP) in place. To be adequately prepared, disaster recovery planning needs to be done in advance, with documented business processes and clear continuity steps outlined, so that when disaster strikes your company does not have to shut its doors, temporarily or permanently. While we all wish that disaster recovery planning was as easy as turning a dial, in reality it takes time and forethought to develop... but it could save your business.
A disaster recovery plan is simply a structured plan of action with detailed steps on recovering your business data and systems, so that your business can continue to function after a disaster. For small businesses that do not have the resources to dedicate personnel to handling business continuity, the challenges of establishing a disaster recovery plan can feel daunting at best.
According to Deni Connor, principal analyst, Storage Strategies NOW, "There are approximately 5.75 million SMB organizations in the United States alone, each with a unique set of challenges and requirements that must be met to protect the viability of companies."
Every Business should have a Disaster Recovery Plan
The reality is, every business, including small businesses, should have a plan. Small businesses alone account for 99% of all companies with employees in the U.S. and account for over 45% of the nation’s payroll, according to U.S. Census Bureau data. A firm commitment to planning will help small businesses, the backbone of our nation’s economy, continue to survive. Without proper disaster recovery planning, businesses cannot effectively respond to a disaster when it strikes.
Before creating a disaster recovery plan, you need to do a risk assessment to determine all possible threats, vulnerabilities, and hazards that could cause an outage, so that your small business can adequately prepare for them.
Possible Risks to Consider:
- Cyber / Virus Attack
- Physical Damage to Building (Fire, Flood, Explosion or Other Natural Disaster)
- Damage / Breakdown of Machinery, Systems, Equipment
- Utility Outage (Power Outage or Surge)
- Workplace Violence
- Restricted Unauthorized Access
- Mechanical / Hardware Failure
- Damage or Loss of Information Technology
- User Error / Accidents
- Hazardous Spill
- Terrorism
While there are a considerable number of risks to consider, it is important to look at your particular business and identify which risks you need to prepare for.
Creating a Business Impact Analysis
A Business Impact Analysis (BIA) is done in order to document the effects of the potential risks. This process will help you to predict the potential impact of a disruption of business functions or data loss so that you can gather the information needed to establish a recovery plan for the different disaster scenarios. You can get a free BIA template from TechTarget that you can customize to fit your needs.
The whole point of a BIA is to document all of the business functions and the technologies that support them, so that you can identify their qualitative impact (operational and financial impact) to your business should it face a disaster scenario. This report allows you to prioritize the order of events for restoration of the business based on the actual impact to the business, rather than just relying on your gut reaction. This analysis gives you the opportunity to look at what would happen to the business if that business function simply stopped.
It’s important to first look at the entire business as a whole so as to pinpoint business functions that have the most significant impact on the continuation of the business. Secondly, businesses should look at which processes, functions, applications, systems and data points are most critical to the continued functioning of the business. While the financial or quantitative impact deals with the actual financial cost, it should be quantified based on the operational impacts of loss to your business in terms of:
- Lost sales
- Delayed sales
- Regulatory fines and penalties
- Increased expenses
- Customer loss / dissatisfaction
- Contractual penalties
Understanding the Differences between RTO and RPO
Once you have documented your business functions and established which systems are critical to your business, you will need to look at how quickly your business would be impacted if those functions stopped. This is done by estimating the RTO and RPO parameters for those business functions.
Recovery Time Objective (RTO)
RTO is essentially the target time you set for the recovery of the applications or business activities that are critical to your business after a disaster strikes. These recovery time-frames should be based on the consequences of not performing that business activity or function. By calculating how long your business can survive with specific systems down, you will be better able to determine what kind of preparations need to be made should an incident occur.
Recovery Point Objective (RPO)
RPO is focused on the loss tolerance of your business in relation to your data. Understanding how long your business can afford to operate without specific data will help you to establish your RPO for your specific data sets. Put differently, RPO could be viewed as how old you are comfortable with your data being once the systems are recovered.
The more important the data set, the shorter the RPO should theoretically be. If, for example, your business can only handle the loss of 4 hours of work for a specific business function, then the RPO should be set to 4 hours. In order to meet that recovery point objective, you would need to back up the data created by this business function every 4 hours. If, however, your business can afford to lose a full day of work from another business function without any significant impact, you may only need to back up that data set once per day.
You may have different RPOs for different types of data, and thus different backup schedules for different data sets. In most cases, data protection is not a continuous activity (due to the resource usage required to do so), meaning there is a window of time between protection events or backup jobs. This is where you really have to ask yourself how long you can afford to lose specific types of data or data sets, so that you can properly time your backup frequencies according to your RPO calculations.
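To make the "window of time between backup jobs" concrete, the following added example (not part of the original post) checks a backup-job log against per-data-set RPO targets and reports every window in which a disaster would have lost more data than the RPO allows. The data set names, log entries and the rpo_report function are all constructed for illustration; failed jobs are ignored because they protect nothing.

```python
from datetime import datetime, timedelta

# Constructed RPO targets per data set (names are hypothetical).
RPO_TARGETS = {"orders_db": timedelta(hours=4),
               "shared_files": timedelta(hours=24),
               "payroll": timedelta(hours=24)}

# Constructed backup-job log: (data set, completion time, job succeeded).
BACKUP_LOG = [
    ("orders_db", "2015-10-01T00:00", True),
    ("orders_db", "2015-10-01T04:00", True),
    ("orders_db", "2015-10-01T08:00", False),  # failed job: no protection
    ("orders_db", "2015-10-01T12:00", True),
    ("shared_files", "2015-09-30T23:00", True),
    ("shared_files", "2015-10-01T23:00", True),
]

def rpo_report(log, targets, now):
    """Compare successful backups with each data set's RPO.

    Returns {data_set: {"worst_gap", "exposure", "violations"}} where
    worst_gap  = longest window without a successful backup (up to `now`),
    exposure   = age of the newest successful backup at `now`,
    violations = (start, end) windows longer than the RPO.
    """
    report = {}
    for name, rpo in targets.items():
        times = sorted(datetime.fromisoformat(ts)
                       for ds, ts, ok in log if ds == name and ok)
        if not times:
            # A data set with an RPO but no successful backup at all.
            report[name] = {"worst_gap": None, "exposure": None,
                            "violations": [(None, now)]}
            continue
        points = times + [now]          # include the still-open window
        windows = list(zip(points, points[1:]))
        report[name] = {
            "worst_gap": max(end - start for start, end in windows),
            "exposure": now - times[-1],
            "violations": [(s, e) for s, e in windows if e - s > rpo],
        }
    return report

if __name__ == "__main__":
    now = datetime.fromisoformat("2015-10-02T01:00")
    for name, r in rpo_report(BACKUP_LOG, RPO_TARGETS, now).items():
        print(name, "exposure:", r["exposure"],
              "violations:", len(r["violations"]))
```

In the constructed log, the single failed 08:00 job doubles the orders_db window to 8 hours, which is why backup job failures need alerting and not just scheduling.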
Backing up Critical Data
You will need to consider the time required to get your files or your applications back up and running when choosing what type of backup to use, which storage device you select and the location where the backups will be housed. The fastest way to get your applications back up and running after a disaster is to create an image backup, stored locally. Keep in mind, you should also have a secondary backup stored offsite, just in case the disaster destroys your local backup. Image backups, also known as disaster recovery (DR) backups, create an image of your entire system, including your operating system, your applications, your system settings and all of your files. This type of backup offers the shortest recovery window, although it requires a longer backup window.
Many businesses create an image backup of critical systems, then do so again whenever they make changes to the operating system or applications running on that system. It is always a good idea to do a DR image before making major system changes so that should something go wrong, you can easily recover your entire system to its prior state. If everything goes well with the update, you can always create another image backup to capture your new system state.
File backups can then be used to back up files between disaster recovery image backups. There are several different types of file backups (full, incremental, differential) that serve different functions and offer different recovery windows. For more information on the different types of backups, you can read our blog post on server backup methods.
When developing your backup strategy, you should refer to your documented RTO and RPO times for the different sets of data in your business, so you can meet your recovery objectives. If, for example, you have a lot of critical data that needs to be recovered quickly in the event of a disaster, the cloud may not actually be the best fit for your primary backup due to the actual time required for recovery. Instead, you may want to look at doing a local backup with a secondary backup at an offsite location or in the cloud.
Disaster Recovery Plan
While every business will need their own unique set of procedures and processes for recovery in the event of a disaster, these steps should help you to formulate a disaster recovery plan that is perfect for your specific business.
Let’s outline the steps needed for your disaster recovery plan:
- Assess your risks
- Establish your critical systems/functions/processes
- Document the qualitative impact of those systems (based on financial and operational costs)
- Establish your RTO and RPO for each system
- Rank those systems in terms of priority
- Determine your prevention strategy
- Document your response strategy
- Outline your recovery strategy
- Test your recovery plan
While you may not formulate a plan for every threat your business could potentially face from day one, you could start by addressing those with the highest level of risk/impact to your business as a starting point. Be sure to add actionable steps to your prevention, response and recovery strategies so that it would be easy for someone else to step in and take action on your documented disaster recovery plan should you not be able to do so yourself.
Keep in mind that when it comes to your data it is imperative that you TEST, TEST, TEST your backups as part of your overall disaster recovery plan, so don't forget to build this into your plan. Backups are only as good as your ability to restore from them, so make sure testing your backups is part of your prevention strategy.
TechTarget offers a small business continuity plan template geared for SMBs, if you need a template to help you get started on establishing an overall plan for your business.