It is hard to explain why every business and organisation should have a disaster recovery plan for its IT systems without sounding alarmist. Reach for official data and you discover there were already hundreds of millions of breached records in 2023 by the end of April.
So we caught up with managed IT experts ReformIT, to find out in simple terms why such a plan can help you regain control of your business as fast as possible after a cyber attack.
What is a disaster recovery plan in IT terms?
This is something every company should have in place in the hope they never have to initiate it. A disaster recovery plan (DRP) in IT terms is a documented, structured approach that will help your business remain online and working after unplanned events that impact the IT infrastructure, such as a cyber attacks, fire, theft and flood.
It is an essential part of the business continuity plan which aims to ensure that all areas of your business can maintain or restore key operations in the event of a crisis or emergency.
Can you give us an example of an organisation that has benefited from a DRP?
If we go back several years, the WannaCry attack was devastating for small and medium-sized enterprises (SMEs) UK and worldwide and certainly impacted the NHS. It was operating Windows 7 systems, which had been de-supported by Microsoft, and fortunately the NHS had some sort of DRP in place to help recover — although it took many months.
What wasn’t in the media was the SMEs that didn’t have a DRP and lost their business data overnight.
Most recently, Gloucester City Council has spent approximately £800,000 rebuilding their infrastructure due to a cyber attack. It’s important to note these organisations spend thousands, if not millions, on ensuring their IT infrastructure is secure, compliant and, most importantly, recoverable should the worst-case scenario happen.
So, you draw up a plan, put it in a draw and reach for it when you see a disaster coming?
The key is to understand disaster recovery and why it is essential for your business. And documenting it so you know what to do in the event of an unplanned attack is vital. However, businesses should stress-test this to make sure it works when it happens and that it meets your return-to-operations objective.
How does a busy company start to write a realistic DRP?
Managed service providers (MSPs) like ReformIT hold the keys to the safe, so it’s incumbent on us to ensure we are having these conversations with our clients documenting this and offering solutions for the client to consider. Ultimately, its down to the client to weigh up the risk and whether they wish to invest in the solution.
What steps should a business undertake to create a DRP that actually works?
Analyse the business impact to identify critical IT systems and processes. From there, work out your return-to-operations objectives, along with your recovery-point objectives and develop recovery strategies and processes for restoring IT systems and data from backups. Then, invest and deploy appropriate technologies and tools to support the recovery process, such as backup software, cloud services 'failover' and 'failback' mechanisms.
And, lastly, carry out regular testing and make sure the plan is updated, ensuring its effectiveness and that it continues to align itself with changing business needs and IT environments.
Even with a good DRP in place, should a business do anything else to prepare?
Your DRP should be in place for when it happens. However, SMEs can also put things in place to mitigate against the risk, such as aligning themselves and their security posture with the government-backed and industry-supported scheme, Cyber Essentials, that advises businesses on how to protect themselves against common online security threats.
Cyber Essentials provide five key controls that will help mitigate against a cyber-attack.
Aside from having a plan of action in place should the worst happen, are there any other benefits?
I talk to business owners and directors all the time and ask them the question, 'do you have fully comprehensive insurance on your car?' In the majority of cases, the answer is ‘yes’.
Then I ask, 'have you had an accident in the last five years?' In most cases, the answer in ‘no’, yet we renew every year knowing that fully-comprehensive insurance will cover us just in case. The same applies to business insurance, yet the biggest risk to a business in this day and age is a cyber-attack.
Investing the time to develop a DRP and solutions that will keep your business running when an unplanned event happens will help business owners sleep at night, knowing they have a DRP in place that is tried and tested.
How long does it take to put a DRP together and where do I start?
The time it takes to put together an IT DRP will vary depending on the size of the organisation and the complexity of the IT infrastructure. It is important to cover the business needs of the service regarding availability, recovery times, backup, data integrity and data confidentiality.
For example, it may be unacceptable for factory production to cease for more than four hours, but HR systems being down for a similar time won’t impact the business nearly as much.
You should start by identifying your critical assets and systems and then determine how long your organisation can tolerate for recovering normal operations in case of a disaster (for example, recovery within 30 minutes, two hours, 12 hours).
Then work out the cost of downtime, taking into account things like staff not being able to work, customers being impacted, credibility being lost, compliance and data integrity being compromised. Once you understand these costs, you can identify your return-to-operations objectives — which is how long before the business needs to be back up and running — and from here, you can look at solutions that will get the business back online and will meet those objectives.
This means, like the car insurance analogy, your DRP becomes an investment in case of an unplanned event.
At ReformIT, when onboarding new clients, these are the conversations that take place as part of the onboarding process, where we carry out an IT review and can then make recommendations that help us develop IT strategies that support the business objectives through the appropriate use of technology.