NovaBACKUP Security Blog

Disaster Recovery Planning for Small Businesses

Natural disasters, mishaps, viruses and user errors happen more often than you would think. Regardless of how it happens, these types of disasters have the ability to shut down your business for good, if you are not prepared. 74% of organizations have experienced data loss at the workplace, and while 32% recover in a matter of a few days (at a hefty cost), 16% never recover. There is zero room for excuses when it comes to protecting the data that keeps your business running, yet even still close to a third of companies openly admit to not having a disaster recovery plan (DRP) in place. To be adequately prepared, disaster recovery planning needs to be done in advance with documented business processes and clear continuity steps outlined so that when disaster strikes, your company does not have to shut its doors, temporarily or permanently. While we all wish that disaster recovery planning was as easy as turning a dial, in reality it takes time and forethought to develop...but it could save your business.

Disaster recovery planning.Disaster recovery planning is a must.

A disaster recovery plan is simply a structured plan of action with detailed steps on recovering your business data and systems, so that your business can continue to function after a disaster. For small businesses that do not have the resources to dedicate personnel to handling business continuity, the challenges of establishing a disaster recovery plan can feel daunting at best.

According to Deni Connor, principal analyst, Storage Strategies NOW, "There are approximately 5.75 million SMB organizations in the United States alone, each with a unique set of challenges and requirements that must be met to protect the viability of companies."

Every Business should have a Disaster Recovery Plan

The reality is, every business, including small businesses, should have a plan. Small businesses alone account for 99% of all companies with employees in the U.S. and account for over 45% of the nation’s payroll, according to U.S. Census Bureau data. A firm commitment to planning will help small businesses, the backbone of our nation’s economy, continue to survive. Without proper disaster recovery planning, businesses cannot effectively respond to a disaster when it strikes.

Before creating a disaster recovery plan, you need to do a risk assessment to determine all possible threats, vulnerabilities, and hazards that could cause an outage, so that your small business can adequately prepare for them.

Possible Risks to Consider:

  1. Cyber / Virus Attack
  2. Physical Damage to Building (Fire, Flood, Explosion or Other Natural Disaster)
  3. Damage / Breakdown of Machinery, Systems, Equipment
  4. Utility Outage (Power Outage or Serge)
  5. Workplace Violence
  6. Restricted Unauthorized Access
  7. Mechanical / Hardware Failure
  8. Damage or Loss of Information Technology
  9. User Error / Accidents
  10. Hazardous Spill
  11. Terrorism

While there are a considerable number of risks to consider, it is important to look at your particular business and identify which risks you need to prepare for.

Creating a Business Impact Analysis

A Business Impact Analysis (BIA) is done in order to document the effects of the potential risks. This process will help you to predict the potential impact of a disruption of business functions or data loss so that you can gather the information needed to establish a recovery plan for the different disaster scenarios. You can get a free BIA template from Tech Target that you can customize to fit your needs.

The whole point of a BIA, is document all of the business functions and the technologies that support them, so that you can identify their qualitative impact (operational and financial impact) to your business should it face a disaster scenario. This report allows you to prioritize the order of events for restoration of the business based on the actual impact to the business, rather than just relying on your gut reaction. This analysis gives you the opportunity to look at what would happen to the business, if that business function simply stopped.

It’s important to first look at the entire business as a whole so as to pinpoint business functions that have the most significant impact on the continuation of the business. Secondly, businesses should look at which processes, functions, applications, systems and data points are most critical to the continued functioning of the business. While the financial or quantitative impact deals with the actual financial cost, it should be quantified based on the operational impacts of loss to your business in terms of:

  • Lost sales
  • Delayed sales
  • Regulatory fines and penalties
  • Increased expenses
  • Customer loss / dissatisfaction
  • Contractual penalties

Understanding the Differences between RTO and RPO

Once you have documented your business functions and established which systems are critical to your business, you will need to look at how quickly your business would be impacted if those functions stopped. This is done by estimating the RTO and RPO parameters for those business functions.

Recovery Time Objective (RTO)

RTO is essentially the target time you set for the recovery of the applications or business activities that are critical to your business after a disaster strikes. These recovery time-frames should be based on the consequences of not performing that business activity or function. By calculating how long your business can survive with specific systems down, you will be better able to determine what kind of preparations need to be made should an incident occur.

Recovery Point Objective (RPO)

RPO is focused on the loss tolerance of your business in relation to your data. Understanding how long your business can afford to operate without specific data, will help you to establish your RPO for your specific data sets. Put differently, RPO could be viewed as how old you are comfortable with your data being once the systems are recovered.

The more important the data set, the shorter the RPO should theoretically be. If for example, your business can only handle the loss of 4 hours of work for a specific business function, then the RPO should be set to 4 hours. In order to meet that recovery point objective, you would need to back up the data created by this business function every 4 hours. If however, your business can afford to lose a full day of work from another business function without any significant impact, you may only need to backup that data set once per day.

You may have different RPO’s for different types of data, and thus different backup schedules for different data sets. In most cases, data protection is not a continuous activity (due do the resource usage required to do so), meaning there is a window of time between protection events or backup jobs. This is where you really have to ask yourself, how long you can afford to lose specific types of data or data sets, so that you can properly time your backup frequencies according to your RPO calculations.

Backing up Critical Data

You will need to consider the time required to get your files or your applications back up and running when choosing what type of backup to use, which storage device you select and the location where the backups will be housed. The fastest way to get your applications back up and running after a disaster is to create an image backup, stored locally. Keep in mind, you should also have a secondary backup stored offsite, just in case the disaster destroys your local backup. Image backups, also known as disaster recovery (DR) backups, create an image of your entire system, including your operating system, your applications, your system settings and all of your files. This type of backup offers the shortest recovery window, although it requires a longer backup window.

Many businesses create an image backup of critical systems, then do so again whenever they make changes to the operating system or applications running on that system. It is always a good idea to do a DR image before making major system changes so that should something go wrong, you can easily recover your entire system to its prior state. If everything goes well with the update, you can always create another image backup to capture your new system state.

File backups can then be used to backup files between disaster recovery image backups. There are several different types of file backups (full, incremental, differential) that serve different functions and offer different recovery windows. For more information on the different types of backups, you can read our blog post on server backup methods.

When developing your backup strategy, you should be referring to your documented RTO and RPO times for different sets of data for your business, so you can meet your recovery objectives. If for example, you have a lot of critical data that needs to be recovered quickly in the event of a disaster, the cloud may not actually be the best fit for your primary backup due to the actual time required for recovery. Instead, you may want to look at doing a local backup with a secondary backup at an offsite location or in the cloud.

Disaster Recovery Plan

While every business will need their own unique set of procedures and processes for recovery in the event of a disaster, these steps should help you to formulate a disaster recovery plan that is perfect for your specific business.

Let’s outline the steps needed for your disaster recovery plan:

  1. Assess your risks
  2. Establish your critical systems/functions/processes
  3. Document the qualitative impact of those systems (based on financial and operational costs)
  4. Establish your RTO and RPO for each system
  5. Rank those systems in terms of priority
  6. Determine your prevention strategy
  7. Document your response strategy
  8. Outline your recovery strategy
  9. Test your recovery plan

While you may not formulate a plan for every threat your business could potentially face from day one, you could start by addressing those with the highest level of risk/impact to your business as a starting point. Be sure to add actionable steps to your prevention, response and recovery strategies so that it would be easy for someone else to step in and take action on your documented disaster recovery plan should you not be able to do so yourself.

Keep in mind that when it comes to your data it is imperative that you TEST, TEST, TEST your backups as part of your overall disaster recovery plan, so don't forget to build this into your plan. Backups are only as good as your ability to restore from them, so make sure testing your backups is part of your prevention strategy.

TechTarget offers a small business continuity plan template geared for SMBs, if you need a template to help you get started on establishing an overall plan for your business.