How to Create an Effective Disaster Recovery Plan
When most people think of disaster recovery, they tend to think of big natural disasters, such as fires, floods, or earthquakes. However, in the cybersecurity space, not all disasters are natural. Many businesses are struck by man-made disasters in the form of cyberattacks that corrupt data or render vital assets nonfunctional.
Whether your business faces a natural disaster or a cybersecurity threat, having a disaster recovery plan (also known as a “DR plan” or DRP) in place is a vital risk mitigation measure. What is a disaster recovery plan? How can you create an effective disaster recovery plan for your business?
What is a Disaster Recovery Plan?
A disaster recovery plan is a set of tools and procedures that an organization uses to recover from a major disruption to its IT assets. Disaster recovery planning can use a variety of tools depending on the organization’s existing assets and recovery goals.
In disaster recovery planning, the “disaster” can be any event that interrupts access to data, apps, or systems. This can include power outages, data storage corruption, DDoS attacks, natural disasters that sever server connections—anything and everything that disrupts IT workflows. The goal is to overcome the data disaster and restore normal operations.
Disaster recovery plans can even be effective at mitigating certain cybersecurity threats. For example, having a DR plan in place can be highly effective for countering a ransomware attack. With a remote backup, you can simply restore the corrupted data from it instead of having to pay a cybercriminal for the encryption key.
What’s in a Disaster Recovery Plan?
DR plans often incorporate (but may not be limited to) the following:
- Recovery Point Objectives (RPO). This is a measure of how much data may be lost during recovery efforts. This is controlled by adjusting the frequency of data backups.
- Recovery Time Objectives (RTO). This is an estimate of how long it will take for normal operations to resume following a disastrous event. Faster RTOs generally require more resources than slower ones.
- Remote Data Backups. Creating a secondary offsite backup of your most important data is a core part of any disaster recovery solution.
- Accountability Chart. Who is responsible for enacting a disaster recovery plan? Having assigned roles and responsibilities in an accountability chart makes it easier to follow and enforce a plan quickly and consistently.
- DR Plan Testing. DR plans often require frequent testing to ensure that RTOs and RPOs can be met in case of an actual emergency.
Disaster Recovery Vs Business Continuity
When researching disaster recovery solutions, it’s not uncommon to come across the term “business continuity,” or BC planning. In fact, the two terms often get conflated with one another. However, while disaster recovery is an important part of business continuity planning, the two terms are not the same thing.
Business continuity planning is primarily focused on keeping operations running despite interruptions—disaster recovery is about recovering from such interruptions. So, as a general rule, business continuity plans tend to be more resource-intensive than DR plans.
For example, where a DR plan might call for a remote data backup server to store copies of critical data, a BC plan might have a complete backup production environment that mirrors your active production server. This backup environment can be spun up as soon as a disaster strikes and take over near-seamlessly, so that others don’t even notice a disruption in service.
Additionally, business continuity plans may call for specific threat management measures to prevent potential disasters from occurring in the first place. For organizations with the resources, having a complete BC/DR plan in place can be well worth the extra cost over a more basic disaster recovery solution.
Disaster Recovery Plan Steps Everyone Should Know
Here are a few simple steps you can follow to create an effective disaster recovery plan for your organization:
Step 1: Audit All of Your IT Resources
Before you can plan for returning everything to “normal,” you need to know what normal looks like for your business. Part of this is knowing every one of the disparate assets that exist on your business’s network infrastructure.
By creating an inventory of all of the IT resources on your network—and what data each resource holds—you can begin to consolidate and streamline things to make it easier to back up and recover information in the future.
Step 2: Determine What’s “Mission-Critical”
Odds are that your business processes and stores a lot more data than you might think, and that much of that data is redundant or not really crucial for you to keep things running. During the course of your IT asset audit, you’ll likely come across a lot of data sets that just aren’t that important.
If you try to copy every bit of data from every IT asset in your network to a backup server, that’s going to take a lot of processing power to handle. By sorting out the unnecessary or redundant data, you can reduce the size of the backup file that you have to make, saving storage space and expense later.
This is also an opportunity to exercise some good data hygiene by removing extraneous files from endpoints they don’t need to be stored on.
Step 3: Establish Roles and Responsibilities for Everyone in the DR Plan
Every employee in the organization should have a role to play in your disaster recovery plan. Even something as simple as reporting cybersecurity threats up the chain of command to someone with more seniority or know-how to enact the DR plan can prove to be critical.
When everyone knows what to do in response to an emergency, your DR plan will be more effective than it would be if nobody knew what to do when a disaster occurs.
Step 4: Set Your Recovery Goals
How quickly should your organization be able to recover from a disaster? How much (and what) data can you afford to lose in case of a disaster? Setting your goals for recovery point and recovery time objectives can prove to be crucial in an effective disaster recovery plan.
You may even want to prioritize some data over others when it comes to your RPOs and RTOs. For example, less important data that doesn’t need to be accessed right away could be given lower priority, with a longer recovery time and less frequent backups.
On the other hand, mission-critical data—such as financial data needed for accounts payable and receivable, or data required for regulatory compliance—should be assigned much tighter RPOs and RTOs so as to minimize disruption. This could mean having frequent backups of this information, or even going as far as to set up a BC plan with a backup production server to take over for the main server in case of a disaster.
Step 5: Find a Remote Data Storage Solution
When your business is hit with a disaster that wipes out your primary data storage solution, that data may be lost forever if you don’t have some kind of remote backup.
For example, say a ransomware attack strikes your business and all of the data on your primary database gets encrypted. If you have a remote backup of all the data on that database, you can simply reformat and sanitize the corrupted drives and restore the data from the backup. While time-consuming, it’s better than losing all of the information you had. Plus, paying a ransom doesn’t necessarily mean the criminals will actually give you the encryption key to restore your data.
In addition, if the assets storing your data are physically damaged, such as by fire, flood, or physical tampering, you can use the data stored on the backup to cover for the loss. This helps to minimize business disruptions.
Right now, the gold standard for remote data backup would be cloud-based solutions that can automatically download and copy data every few days (or even every few hours). Unlike older, manual backup methods requiring users to copy data to a disk or USB drive, backups via a cloud-based solution can be carried out at any time, and without having to dig out a piece of physical media.
However, physical media backups, while slower and more cumbersome to deploy, are also easier to isolate from infected systems by keeping them offline until they’re needed. This makes them less likely to be corrupted by ransomware and other malware than auto-updating cloud storage.
Of course, there are more robust solutions than simple data storage. Some companies that offer disaster recovery solutions have complete cloud computing environments that can handle traffic while your primary network is down to minimize disruptions.
Step 6: Create a Test for the Recovery Plan
Creating a DR plan for your business is one thing—it’s another thing to know that plan will work when you need it. For this reason, it’s vital to have a method for periodically testing your disaster recovery plan.
When creating this test, consider the following:
- Single Points of Failure. Are there any systems that lack redundancy in your recovery plan? If these single points of failure encounter a problem, can you still carry on with your recovery plan?
- Recovery Time. How long from the start of the test does it take to restore bare minimum functionality? How much longer for things to return to normal? Consider these recovery times and investigate how you could make them faster.
- Recovery Point. How much data was lost when switching over to the remote backup? Was the data lost critical to your operations in any way? Verifying recovery points is important for avoiding data loss during an actual disaster.
- The Type of “Disaster” Being Simulated. Are you running a test that assumes that data on your network is corrupted, or is the data inaccessible because of damage to the assets at your office/datacenter? Consider how different types of disasters may affect your recovery options and needs. This will help you create a more robust and effective DR plan.
Keeping the above in mind when creating a test can help you find ways to improve your disaster recovery plan in the long run—which can help make your business more resilient against disasters of all kinds.
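The recovery goals from Step 4 and the test questions above can be scored mechanically after each drill. The following Python sketch is an added example, not part of the original article: the function name `evaluate_drill`, the tier names, the thresholds, and all timestamps are constructed assumptions. It shows how the same set of backups can meet the RPO for a site-loss test but miss it for a corruption test, where copies taken after the compromise cannot be trusted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Tier:
    name: str
    rpo: timedelta  # most data loss the business tolerates
    rto: timedelta  # longest outage the business tolerates

def evaluate_drill(tier, backups, disaster_at, restored_at, compromised_at=None):
    """Score one dataset's DR test against its tier (hypothetical helper).

    backups: completion times of restorable backup copies.
    compromised_at: set when the simulated disaster is data corruption
    (e.g. ransomware); copies taken after it may hold corrupted data,
    so they are not counted as recovery points.
    """
    cutoff = min(compromised_at, disaster_at) if compromised_at else disaster_at
    usable = [b for b in backups if b <= cutoff]
    downtime = restored_at - disaster_at
    result = {"tier": tier.name, "recovery_point": None, "data_loss": None,
              "downtime": downtime, "rpo_met": False,
              "rto_met": downtime <= tier.rto}
    if usable:  # with no trustworthy copy, the RPO is missed by definition
        result["recovery_point"] = max(usable)
        result["data_loss"] = disaster_at - result["recovery_point"]
        result["rpo_met"] = result["data_loss"] <= tier.rpo
    return result

# Constructed sample values for illustration only (not from the article).
FINANCE = Tier("finance", rpo=timedelta(hours=1), rto=timedelta(hours=4))
ARCHIVE = Tier("archive", rpo=timedelta(hours=72), rto=timedelta(hours=48))
DISASTER = datetime(2024, 3, 10, 12, 0)
FINANCE_BACKUPS = [datetime(2024, 3, 10, h, 0) for h in (9, 10, 11)]
ARCHIVE_BACKUPS = [datetime(2024, 3, 8, 0, 0)]

def run_sample_drills():
    return {
        "finance_site_loss": evaluate_drill(
            FINANCE, FINANCE_BACKUPS, DISASTER, datetime(2024, 3, 10, 15, 0)),
        "finance_corruption": evaluate_drill(
            FINANCE, FINANCE_BACKUPS, DISASTER, datetime(2024, 3, 10, 15, 0),
            compromised_at=datetime(2024, 3, 10, 9, 30)),
        "archive_site_loss": evaluate_drill(
            ARCHIVE, ARCHIVE_BACKUPS, DISASTER, datetime(2024, 3, 11, 6, 0)),
    }

if __name__ == "__main__":
    for name, r in run_sample_drills().items():
        print(name, "loss:", r["data_loss"], "downtime:", r["downtime"],
              "RPO met:", r["rpo_met"], "RTO met:", r["rto_met"])
```

In the corruption case the newest trustworthy copy is three hours old, so a one-hour RPO is missed even though hourly backups ran on schedule.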
Some businesses offer disaster recovery-as-a-service (DRaaS) to help organizations create and manage their DR plans. The quality and reliability of DRaaS services can vary from one vendor to the next, so it’s important to vet these services before signing on with one.
Need help setting up a disaster recovery solution to make your business more resilient? Contact the experts at Compuquip Cybersecurity for more advice!