If a company relies on computers, the internet or other technologies, then it is highly likely that an IT failure would have a negative impact on the business. It is important for businesses to understand that no matter how small they are and how much they do to protect their assets, a disaster is inevitable at some point. When that time comes, you want to be well equipped to minimize fallout and return things to normal as quickly as possible.
Benefits of having an IT Disaster Recovery Policy:
If you have a strong Disaster Recovery Policy in your business it will considerably reduce the negative impact of an incident. This means reducing brand damage and financial loss. A quality policy will ensure that there is a process to identify, remediate, communicate and learn from each incident all while ensuring business operations continue to function. It will also increase confidence in the eyes of customers. Most professionals understand that at some point bad things will happen. How companies deal with these things is paramount in the eyes of the press and customers.
Consequences of Not Having the Policy
When an IT disaster hits and there is no playbook, process or education on dealing with incidents, people panic and bad decisions are often made. This can mean increased financial loss, brand damage and even potentially a lawsuit. A poorly handled major IT incident can essentially end a small or medium-sized business.
Where to Start in Developing a Policy / Key Components:
Generally, when I work with a team to develop this type of policy, I ask them to write out all of the systems they rely on and then get them to list all of the negative impacts that would come from a loss of Confidentiality, Integrity or Availability to every one of their systems. This usually sets the stage, illustrating the importance of Disaster Recovery. Based on this list, I then coach them to build the right disaster recovery team for their business. This usually consists of someone from communications, human resources, senior management, IT and legal. Here are the key components that should be addressed in an IT Disaster Recovery Policy:
- Define an asset inventory
- Define members of the Disaster Recovery team
- Identify and Prioritize risks
- Backup process review and testing
- Develop a step-by-step recovery plan for every identified high-risk item
- Conduct tabletop exercises to test out recovery from high impact items
What Tools/Services are Required:
The most important tools are incident detection and communication tools. Detection tools depend on the type of business and tech assets you have, but they can include IDS/IPS, log management software and dark web monitoring tools. It is critical that a detection can quickly be communicated to key individuals so that an incident can be vetted ASAP and the Disaster Recovery team can be deployed with minimal delay.
In terms of services, I recommend that there is someone with in-depth experience in disaster recovery that works on or with the Disaster Recovery team in the planning and testing stage of the plan. It also makes sense to have third-party talent available to help the recovery team out if the skill set is not complete within the team itself.
How Much Budget to Put into the Policy:
This varies hugely from one company to the other depending on their size, the nature of their IT systems and their overall corporate budget. Generally, for small businesses, developing and testing a Disaster Recovery plan costs very little, with the exception of the time cost for the individuals working on the plan.