One crucial New Year’s resolution all small business owners should make
Disaster recovery. It’s not exciting, and it’s probably not the first thing you thought about when coming back after the Christmas break. But it could be the one thing that keeps your business going should the worst happen.
And the worst does happen more than you might think. It’s fair to say that most businesses – regardless of size – depend on technology. Business disasters come in all shapes and sizes, from leaving a laptop on a train or dropping a cup of coffee, to server failures, cyber-attacks and cloud application downtime. In 2017, more than two in five UK SMEs identified at least one breach or attack. In the US, small businesses lose an average of $80k a year to cybercrime. That could be a crippling amount for many SMEs.
Let’s look at what should be in your disaster recovery plan – and how to give yours the once over for 2019.
What is a disaster recovery plan, and do we need one?
At least one in three small businesses is thought not to have a disaster recovery plan – and a staggering 90% of those without one would not survive a major breach or attack. While it’s not a legal requirement, we’d strongly encourage every business to write one – and review it regularly.
A disaster recovery plan commits to paper the policies and procedures your business will follow in the event of IT disruption. That covers every eventuality, from tech failures to criminal interference or human error. The aim of the plan is to restore your business as quickly as possible, by bringing services back online, or switching to a contingency system, for example.
What should it include?
All disaster recovery plans should cover:
- IT services – which systems support which business processes, and where are the risks?
- People – who are your disaster recovery stakeholders?
- Suppliers – who would you need to contact externally in the event of IT downtime (e.g. a data recovery provider)?
- Locations – if you can’t access your premises, where will you work?
- Process – what steps need to be taken once a breach or attack has been identified?
- Testing – how will you test the resilience of your disaster recovery plan?
- Training – how will you educate your end users and staff?
- KPIs – what are your recovery point objectives (RPO – the maximum age of a backup before it stops being useful) and recovery time objectives (RTO – the maximum amount of time that can elapse before a backup is implemented and normal service resumes)?
Like any plan, there’s no value to it unless staff are fully trained on what their roles and responsibilities are.
We have a plan – so how do we review it?
Your business evolves over time, accommodating new systems and IT services, so you’ll need to pencil in a regular review to check your disaster recovery plan still makes sense. If anything changes, you’ll need to notify any stakeholders: retrain your staff and talk to your suppliers, for instance.
Fundamentally, when you’re going through your disaster recovery plan, you need to know whether those two KPIs – your RPO and RTO – are still fit for purpose. And then there’s testing. At a minimum, you should test parts of your disaster recovery processes on a regular basis. It’s also worth running through the whole plan in one go every once in a while to flag up any conflicts that arise when several processes run together – or any situations you’ve failed to plan for.
Who can we help?
You can find disaster recovery plan templates online, but it might be worth trusting the experts. We’ll work with you to define, refine and implement your disaster recovery plan. Alongside a number of leading business continuity specialists, we’ll bring you the right solution for your business, including bespoke backup systems and rigorous testing.
Get in touch to find out how we can improve your resilience.