The Dangers of not having a Disaster Recovery Plan for your Company
Do you have a well-thought-out, current and tested disaster recovery plan (DRP)? Are you sure?
It is with some confidence that I say that, for most of you reading this article, the answer is a resounding… No.
Why? Because it is one of the more complex, hard to understand, costly, invisible and time-consuming management and operational issues a company must contend with. In many companies, it is not a priority until an incident arises, and by then it is too late.
Studies undertaken by research groups like Gartner and Forrester, IT industry groups and insurance companies present some very sobering statistics. They suggest 20% of businesses will suffer some form of disaster, ranging from fire and weather (flood, hurricanes, ice storms) to hardware failures, software failures, malicious software, ransomware, human error, disgruntled employees, and even terrorism.
Of those companies without a DRP:
• 43% will not reopen
• 80% fail within a year
• 93% that experience a significant data loss are out of business within 5 years
There are typically four strategies to deal with risk mitigation: Acceptance, Transference, Reduction and Avoidance.
Each risk reduction strategy adds more cost: redundant hardware, software, backups, tools and technology, plus management time, IT time and line staff time.
What is a company to do? Follow a structured approach:
1. Not all systems are created equal so prioritize your recovery targets
o What are your critical systems?
o Which systems are customer or client facing?
o What does your business need to operate?
o What do your employees need to do their job?
2. Establish your recovery time (how long to recover) and recovery point objectives (how much data can you afford to lose)
o What are the risks for your organization, and what probability do you assign to each?
o What are the impacts to your organization?
o What can your clients tolerate?
o What are you willing to tolerate?
3. Employ scenario-based planning to give yourself focus
o Did a finance user put the wrong date in closing the month or year?
o Did the hard drive fail? Storage device? Power? UPS? Fire suppression? Network?
o Is it a problem in your data center? Your building? Your city? Your state or province?
o Are you competing for recovery assets at your third-party recovery site?
o Is it malicious software or a people issue?
o How long would it take to recover your critical systems using your current plan?
o What are the dependencies between systems and services?
Having a plan is not enough. You need to test the plan and adjust accordingly. For example, one company had set its recovery time objective (RTO) to 24 hours and its recovery point objective (RPO) to 24 hours. Their recovery plan depended on tapes. When the time to recover from tape was tested, it exceeded those objectives by more than a week. Not a viable solution.
The good news is, you don’t need to eat the elephant all at once. I often suggest that the first recovery priority should be your communication systems. Perhaps the easiest and most economical way to reduce your operational risk here is to transfer it to an organization like Microsoft and its Office 365 offering.
With Office 365 you are getting portability and mobility, up to 15 licenses per user to install the Office suite on their work and home PCs, tablets and phones, automatic updates, storage, redundancy, best-in-class security and sharing. You never worry about any of the infrastructure, security or redundancy, or about planning, executing and adjusting a disaster recovery plan for this service. It is all taken care of by Microsoft. Microsoft is leveraging its core capabilities to provide you with a highly scalable, secure and available offering backed up by a service level guarantee.
There are absolutely strategic ways to reduce your overall exposure.
About the Author:
Peter O’Grady is the Chief Technology Officer of INVORG.
If you want more information about this topic, connect with Peter at email@example.com.