If a company relies on computers, it is highly likely that an IT failure would have a negative impact on the business – and make you wish you had a disaster recovery policy.
It is important for businesses to understand that no matter how small they are, a disaster is inevitable at some point. Cyberattacks and ransomware target businesses of all sizes. Even if you have measures to protect your assets, you should consider the worst-case scenarios. You want to be prepared to minimize fallout when bad things happen and quickly return things to normal.
Benefits of having an IT Disaster Recovery Policy
A strong Disaster Recovery Policy considerably reduces the negative impact of an incident on your business, which means less brand damage and financial loss.
A quality policy ensures that there is a process to identify, remediate, and communicate during the incident, and to learn from each incident, all while ensuring business operations continue to function.
This policy will also increase confidence in the eyes of customers. Most professionals understand that at some point bad things will happen. How companies deal with these things is paramount in the eyes of the press and customers.
Consequences of Not Having the Policy
When an IT disaster hits and you don’t have a playbook, a process, or training on dealing with incidents, people panic. That’s when bad decisions happen. This can mean increased financial loss, brand damage, and potentially even a lawsuit. A poorly handled major IT incident can essentially end a small or medium-sized business.
A lesser consequence arises when an enterprise customer asks to see your disaster recovery policy in a vendor security questionnaire. Not having up-to-date policies can lead to a loss of business, as B2B companies increasingly use up-to-date security programs as a competitive edge in enterprise sales.
Where to Start in Developing a Policy / Key Components
Generally, when I work with a team to develop this type of policy, I ask them to write out all of the systems they rely on. I then ask them to list all of the negative impacts that would come from a loss of confidentiality, integrity, or availability for every one of those systems. This usually sets the stage by illustrating the importance of Disaster Recovery.
Based on this list, I then coach them on building the right disaster recovery team for their business. This usually consists of someone from communications, human resources, senior management, IT, and legal. Here are the key components that you should address in an IT Disaster Recovery Policy:
- Define an asset inventory
- Define members of the Disaster Recovery team
- Identify and prioritize risks
- Backup process review and testing
- Develop a step-by-step recovery plan for every identified high-risk item
- Conduct tabletop exercises to test out recovery from high-impact items
While you’re developing your disaster recovery measures, you may also want to consider your incident response plan. That may include updating your policy to cover suspicious issues that aren’t considered disasters or actual incidents, such as an influx of phishing emails.
Required Tools/Services for Disaster Recovery
The most important tools are incident detection and communication tools. You may already have all the tools you need, or you may find other free security tools. Detection tools depend on the type of business and the tech assets you have, but they can include IDS/IPS, log management software, and dark web monitoring tools. It is critical that a detection can quickly be communicated to key individuals: you want to vet an incident as soon as possible so that the Disaster Recovery team can deploy with minimal delay.
In terms of services, I recommend that there is someone with in-depth experience in disaster recovery that works on or with the Disaster Recovery team in the planning and testing stage of the plan. It also makes sense to have some third-party talent available to help the recovery team out if the skill set is not complete within the team itself.
How Much Budget to Put into the Policy
This varies hugely from one company to another, depending on its size, the nature of its IT systems, and the overall corporate budget. Generally, for small businesses, developing and testing a Disaster Recovery plan may cost only a little more than the time of the individuals working on the plan.
The starting point is determining your critical systems, then building your disaster recovery policy. Finally, you need to plan the recovery steps for your team to follow.
Do you have a disaster recovery policy?