Executive Summary
It doesn’t matter how good your cyber security strategy and tools are, if you don’t have a backup and recovery plan implemented, your business is at risk of a fatal event. While attacks continue to rise by the day, and cyber security is now a number one priority for businesses, the fact that 60% of companies go out of business within six months of a breach, indicates the importance of backup and recovery. This guide explores the methodology and approach to cementing your backup and recovery programme.
Introduction
The IT department has traditionally been accountable for business continuity and disaster recovery (BCDR) planning. This has resulted in recovery strategies that don’t necessarily tie up with the needs of the business. Disaster recovery planning is not solely an IT issue.
IT downtime can have disastrous consequences on a business, thus plans should involve input from stakeholders across the business in human resources, finance, legal, communications, operations, and facilities to be effective.
The purpose of this disaster recovery plan template is to provide practical steps to help you create your own strategy. Be sure to conduct thorough research on disaster recovery before beginning a plan, as it can be a time-consuming process. Your ultimate aim is to create a disaster recovery plan that is integrated, uncomplicated, dependable and fast.
Backup & Disaster Recovery: The key to cyber survival. Watch Webinar on-demand.
Plan Scope
Before starting, it's crucial to understand that developing a DR program is a significant undertaking.
The goal of your disaster recovery plan should be to ensure a quick and seamless response to a disaster, while minimising risk and costs to your information systems and business operations. The following five steps will help you achieve that:
- Evaluate business-critical data, systems, and applications
- Create a schedule of deliverables
- Test the effectiveness of your plan
- Manage and maintain to stay up to date
- Activate when necessary
Evaluate
Rather than focusing on reducing the impact of a disaster after it has occurred, it is preferable to concentrate on activities that prevent it from happening. Regardless, the DR planning process should begin with an assessment of your mission-critical data and where your company is vulnerable.
Collaborative Strategic Planning Sessions: Host planning sessions that involve the appropriate teams, including team members from all departments, with a range of job titles and responsibilities. These individuals will be responsible for ensuring adequate training and communication going forward.
Establish Goals: No two businesses will have the same goals. You need to prepare your own unique set of goals which relate to your business needs, but some examples may include:
- Minimise interruptions to the normal operations
- Limit the extent of disruption and damage
- Minimise the economic impact of the interruption
- Establish alternative means of operation in advance
- Train personnel with emergency procedures
- Provide for smooth and rapid restoration of service
Know your critical resources and functions: It’s important to put together a comprehensive list of mission-critical data locations and resources required to recover in the event of an outage.
- Define software application and hardware inventory profiles – data and voice communications, remote and personal devices, public networks
- Know volume restrictions
- Identify critical records – i.e. HR, Legal, Finance, IT
- Outline server and system interdependencies with business requirements
Once you’ve established a comprehensive list, you can tier your applications based on criticality. To help with this, you should also talk to your lines of business owners about their tolerance for downtime. Here are some considerations to make at this stage:
- SaaS applications
- Private or public cloud
- Third party providers
- Servers
- Workstations
- Mobile devices
- Departmental requirements may vary
- Number of tools
- Levels of granularity
Define RTO/RPO
From both technical and business perspectives, determine the duration your business can operate without its data and resources based on their level of criticality. This will help establish:
- Recovery Time Objective (RTO) - the length of time the business or department can function without its services.
- Recovery Point Objective (RPO) - the extent to which they need to be restored. What amount of data can the business or department tolerate losing?
| Service Tier |
IT Service or Application |
RPO |
RTO |
| 0 |
Data Center Facility |
N/A |
4 |
| 0 |
Core Routing |
15 |
10 |
| 0 |
Storage Services |
15 |
10 |
| 0 |
Servers |
15 |
10 |
| 0 |
Firewall Services |
15 |
10 |
| 0 |
Active Directory |
15 |
10 |
| 1 |
Financial Services |
30 |
20 |
| 1 |
Human Resources |
40 |
20 |
| 1 |
Email |
30 |
15 |
It is important to identify the vulnerabilities and potential scenarios that could affect your critical data. You should then plan accordingly to address these scenarios. For instance, restoring a single employee's lost email is different from restoring all data following a cyber attack.
To accomplish this, you should:
- Document current backup procedures
- Assess vulnerability
- Plan for various disaster types, including natural disasters, accidental file deletion, hardware or software failure, cyberattacks, and loss or compromise of remote devices.
Determining the total cost of disaster recovery solutions can be challenging when many factors are involved. To ensure effective disaster recovery, costs need to be evaluated against the risk of not recovering. These costs may include:
- Replacement costs for cold storage, applications, and servers
- Penalties for non-compliance with regulations
- Loss of stock value or ecommerce transactions
- Supply chain disruptions
- Indirect costs such as damage to brand reputation and employee satisfaction
Design
The design approach to your DR plan is founded on what you’ve learned and documented in your assessment phase. To design an effective DR plan, you should:
- Document the necessary resources and deliverables
- Keep the plan simple and easy to understand
- Automate processes as much as possible
Sample scenarios:
| Service |
Risk Scenario |
Recommended Technical Approach |
| Business Unit |
Loss of Facility Through Destructive Event |
Have similar network, servers, and software set up at an alternate data center. Recover data from backup. Recovery facility will function as primary facility. |
| Loss of Facility Through Non-Destructive Event |
Have similar network, servers, and software set up at an alternate data center. Recover data from backup until access to the main facility has been restored. |
| Loss of network due to Cyberattack |
Take a preventative approach by setting up protected clean backups. |
| Loss of Applications |
Have applications set up on a standby server in the data center. Restore application data from backups. |
| Loss of Employees |
Create more detailed documentation due to criticality of service. If needed, leverage a DRaaS service provider during a disaster. |
In order to enable the systematic activation of your DR plan when necessary, your design must include the following strategies and procedures:
Definitions: To define specific disaster conditions, including their type, severity, impact, and duration that will trigger the activation of your plan.
Evaluation: To assess whether the activation criteria have been met in the event of potential disaster events.
Approvals: To ensure that appropriate approvals are obtained for plan activation, involving IT, business leaders, and company executives.
Operations: To provide facility and system support for all plan activation activities, including the establishment of a "Command Centre" location where most, if not all, recovery activities can be carried out.
Communications: To inform all employees, customers, vendors, and the public (when necessary) about all activation-related decisions and activities.
By incorporating these related strategies and procedures into your DR plan, you can ensure that it will be effectively activated when needed.
Technology considerations
1. Cloud-Based Solutions
Embracing cloud-based backup solutions offers unparalleled flexibility and scalability. Cloud platforms provide secure, off-site storage, reducing the risk of data loss in the event of on-premises disasters. This approach ensures accessibility and quick recovery, enhancing overall business continuity.
2. Automated Backup Systems
Manual backup processes are prone to oversights and delays. Automated backup systems streamline the process, ensuring regular, scheduled backups without human intervention. This reduces the window of vulnerability and minimises the potential for data loss, aligning with the need for swift recovery in today's fast-paced digital environment.
3. Hybrid Backup Models
Hybrid backup solutions combine on-premises and cloud-based strategies, offering the best of both worlds. Critical data can be mirrored across local servers and cloud platforms, providing redundancy. This approach optimises speed and efficiency in data recovery, acknowledging that a multi-faceted strategy often provides the most robust defence against potential threats.
4. Encryption for Security
Data security is paramount, especially when dealing with sensitive information. Encryption ensures that even if data falls into the wrong hands, it remains inaccessible without the appropriate decryption key. When evaluating backup solutions, prioritising those with robust encryption capabilities safeguards your data during both storage and transmission.
5. Regular Testing and Monitoring
A robust backup strategy extends beyond implementation; it requires regular testing and monitoring. Simulated recovery scenarios help validate the effectiveness of your backup systems. Continuous monitoring ensures that any anomalies are detected promptly, allowing for corrective action before an actual data loss event.
6. Scalability for Future Growth
Technology solutions for backup and recovery should align with your growth trajectory. Opt for scalable solutions that can seamlessly accommodate expanding datasets without compromising performance. This future-focused approach ensures that your backup infrastructure evolves alongside your business.
Selecting the right technology solutions for backup and recovery involves a holistic consideration of factors such as data security, automation, and scalability. By embracing a comprehensive approach, organisations can fortify their data resilience, ensuring swift recovery and uninterrupted business operations in the face of unforeseen challenges.
Test
It is crucial to thoroughly test your DR plan before implementing it. Test the plan in a non-production environment and simulate scenarios for all types of disasters and lines of business. If any issues arise during testing, modify the plan accordingly.
The testing phase includes the following activities:
- Defining the purpose and approach of the test
- Identifying the test teams
- Structuring the test with different outage scenarios
- Conducting the test virtually, table-top, or at full-scale
- Analysing the test results
- Modifying the plans as necessary
The testing method should align with the defined recovery strategies for meeting the business's recovery requirements. Specific testing procedures must be developed to ensure the written plans are comprehensive and accurate.
It is crucial to emphasise the importance of testing and exercising your DR plan frequently to ensure its effectiveness.
Manage and Maintain
Your disaster recovery plan must be kept up to date. While annual testing is considered best practice, regular plan maintenance is even better. Anytime new hardware, software, systems are added, or there are changes in network access or stakeholders, it is necessary to update the plan. Otherwise, it may not work when needed.
Regular plan maintenance should include:
- Alerts and monitoring
- Emergency response procedures
- Backup operations procedures
- Recovery operations procedures
Key personnel
- New hires
- Executive briefings
Data management and DR review sessions
- Updated policies and exercise cadence
- Regulatory compliance changes
- SLA review
- Maintenance procedures
- Updated access and permissions
- Change management
- New scenarios
By keeping your DR plan current, you can ensure that it remains effective and can provide the necessary protection in the event of a disaster.
Activate
Knowing how to activate your DR plan in the event of a disaster is also important. In the midst of a disaster, there may not be enough time to react or decide what to do first. Instead, focus on the actions outlined in your plan. Your DR plan should be activated in four organised steps:
React: Specific disaster conditions have been met
Respond: DR plan goes into action
Recover: Restore operations to the extent possible mid-event and fully once the disaster is resolved
Review: Improve response capabilities based on recovery experience
Conclusion
The success of your disaster recovery plan is contingent on dedicating the necessary resources and effort. While some businesses invest significant time and money into developing recovery plans, they may fail to maintain their recovery capability. This requires a commitment to regularly testing recovery capabilities and keeping plans up-to-date.
To ensure the success of your DR program, your management team must be dedicated to overseeing and maintaining it, and ensuring that the necessary resources are available throughout its development, implementation, maintenance cycles, and ongoing support.