I don’t know anything about your company – and yet I can say, without a doubt, that the answer is – YES! No matter how big or how small, every organization should have a well thought out Disaster Recovery Plan.
If you have a very small company, you’re probably feeling skeptical right now, but let me use a simple example to demonstrate why my answer is ALWAYS “yes”:
For example, even if you live alone – everyone needs a Fire Evacuation Plan. Answer these questions for yourself:
- Do you sleep on the 2nd floor (or greater)? If so, do you have at least two ways to exit your home?
- Do you have pets? If so, where are they likely to be in the event of a fire, and what is your plan to get them out of the home safely?
- Do you keep legal or insurance documents in your home? Do you know where these are? Can you get them out quickly, or are they stored in a fireproof safe?
- Do you have any other possessions that you MUST get out? Whether these are photo albums, Nana’s handmade quilt, or a favorite stuffed dog from your childhood – what is your plan to get them out of the house?
If a fire happens in your home in the middle of the night you will not be able to decide these things on the spot. You’ll wake up feeling disoriented and on high-alert – this is not a time for critical thinking but for fast action! All you’ll be able to think is “I need to get out of here because I can’t breathe.” Fire experts say that you have about 2 minutes to get out of your home in the event of a fire. So, not only is it important for yourself and everyone living in your home to know the plan, it is important that you rehearse it.
So, if having a Fire Escape Plan is important for everyone, then shouldn’t you have a Disaster Recovery Plan (“DRP” for short) for your organization as well? Regardless of how large or small your organization is, there are important questions you need to ask and steps that need to be established.
How do I begin to build my Disaster Recovery Plan?
Depending on the size of your organization, there are different ways to go about creating your first DRP; for larger organizations, you should start with a Business Continuity Plan (BCP) to establish company Recovery Time Objectives and Recovery Point Objectives; I’ll cover these in a future article. To stick with the basics let’s look back at the Fire Evacuation Plan example. In the table below I’ve listed the recommended actions from the American Red Cross side-by-side with essential elements of a DRP, so take a look:
|American Red Cross: Fire Evacuation Plan||Basics of a Good Disaster Recovery Plan|
|All members of the household should know two ways to get out of every room |
|Create a list of employees and your most critical systems and assets. Establish guidelines for what personnel will do in the event of a disaster and what steps will be taken to protect your systems and assets from destruction or data loss. Train personnel on the DRP steps relevant to them. |
|Consider escape ladders for sleeping areas or homes on the second floor or above. Learn how to use them and store them near the window. |
|Your plan needs to fit your environment and your particular organization. Evaluate your environment and ensure that emergency resources will be accessible in the event of a disaster. |
|Pick a place outside for everyone to meet and make sure everyone knows where it is. |
|Establish how systems and company information will be accessed during a disaster. (Will you be able to access these in the event of a power outage, internet outage, or if your building is inaccessible?) Establish who has access to these systems and who oversees ensuring they are available to everyone that needs access to them. |
Create a call tree or other method of getting in touch with each employee to ensure they are accounted for and receiving updates about the current situation.
|Practice your home fire drill until everyone in the household can do it in less than two minutes. |
|Plan a test run through of your plan, companywide if possible. This is the best way to discover what is missing in your plan and where problems may occur. Identify if you can meet your Recovery Time Objective (RTO). |
|Practice waking up to smoke alarms, low crawling and meeting outside. Make sure everyone knows how to call 9-1-1. |
|Create step-by-step procedures so that key personnel knows exactly what to do in the event of a disaster, even if it is not their primary role. |
Additionally, keep an emergency contact list including local emergency services, vendors, suppliers, and other key services or personnel.
|Teach household members to STOP, DROP and ROLL if their clothes should catch on fire. |
|Prepare for every possible scenario; consider the potential impact, systems, and information impacted, actions to reduce damages, and how you will recover once the damage is done. |
*Reference: “A Home Fire Escape Plan Can Save Your Life”, January 26, 2015, http://www.redcross.org/news/article/A-Home-Fire-Escape-Plan-Can-Save-Your-Life
The one thing missing from the steps outlined above is how you determine when to initiate your Disaster Recovery Plan. In the event of a fire in your home, you’ll either observe a fire or wake up to your fire alarm. You’ll want to outline a sort of “alarm system” for your business as well.
If you don’t have a Fire Evacuation Plan for your home, start there. I recommend reading “A Home Fire Escape Plan Can Save Your Life” on the American Red Cross website. If other people are living with you, develop the plan together and rehearse the plan together. Fires happen every day and if you’re not prepared then you are accepting the risk of losing either life or possessions that you’re not prepared to lose.
It’s All About Evaluating Risk
Risk always exists, whether you plan for it or not. If you don’t, then you are accepting that risk, whether you like it or not. Begin thinking about what you need to know to create a Disaster Recovery Plan for your organization:
- Who will be part of your disaster recovery team?
- How will you make sure that all personnel are accounted for, and how will you reach personnel to communicate critical information?
- What systems and information are most valuable to your organization and need to be both protected in the event of a disaster, and made accessible the most quickly?
- What are the primary risks to your organization? (break-in, internal espionage, cyber theft, flood, earthquake, power outages, snow storm)
- Do you need an alternate work site in case your building is destroyed, or can personnel perform their work remotely?
- How much money will you lose if your systems or office is out of service for 4 hours, 1 day, 1 week, 1 month?
- How much critical information will you lose if your systems fail or are compromised? How much loss is recoverable or tolerable?
- Do you store any confidential or personal data that requires specific protections that could be compromised in the event of a disaster?
- Who will decide when to activate a particular Disaster Recovery Plan? On what basis will the decision be made? If conditions change, when will the situation be escalated?
Tackle these items first, depending on the size of your organization, it may surprise you just how much is involved with answering these essential questions.
If you get stuck or need some assistance getting your organization’s executives on board, reach out to our security professionals here at FRSecure. We don’t sell technology, so unlike many other companies offering DRP services, we won’t tell you what to use to reach your objectives. Our mission is to help organizations of every size protect their data and reputation. We develop, implement and manage information security programs tailored to each client’s specific security and disaster recovery needs.