Disaster recovery planning and business continuity planning often get lumped together, but they are very different. Navigating the ins and outs of both can be challenging, but this guide will give you the key points of what you need to know about managing your business continuity (BC) and disaster recovery (DR) plans.
Have a Disaster Recovery and Business Continuity Plan
Oftentimes, your DR planning will be part of the BC planning, but sometimes much smaller events have a major impact on your business. While those events aren’t “disasters,” they absolutely should be part of your business continuity plan.
For example, what happens if a key staff member goes on maternity leave, or an executive gets hit by a bus? You need a BCP that is prepared to address these and any other unforeseen emergencies within your business.
A BCP tends to be an ongoing work in progress, so start with a simple plan. Especially if your company is on the larger end, it’s just not possible to think of everything before it happens. But over time, as you add more to it and annually update what’s already there, it can start to become a very comprehensive plan.
DR, on the other hand, is usually more straightforward. Disaster recovery is usually about very specific things — mostly either physical or virtual infrastructure — and the ability to restore data or other assets if they’re lost, damaged, or attacked.
Recovery Time and Point Objectives
A business continuity plan is all about keeping your business in existence and operating as effectively as possible. That effort revolves around two things: your recovery time objective (RTO) and your recovery point objective (RPO).
RTO considers how long it takes you to get back to some semblance of normal operation. RPO determines the amount of data you need to restore if it’s compromised, and how much data loss you’re willing to accept.
RPO is also based on technical limitations. For example, if you’ve got a particular file that’s open all day long and an automated backup is run, you might not have a copy of that file from today’s backup — you might have yesterday’s copy.
You might have different RPOs for the various tools, systems, and parts of your business. But knowing your RPO is really important, because otherwise your organization may have different expectations for recovery.
Perhaps your accounting department expects that you have a zero data loss RPO. If that’s the case, your financial backups need to be more comprehensive to meet that demand. But it’s also possible that your BCP isn’t capable of managing zero data loss. So having a recovery point objective that is too aggressive can add significant cost — if finance only updates things monthly, but they have a zero data loss RPO, they’re going to be spending unnecessary money on daily backups.
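The open-file case above is why RPO has to be measured per asset, from the last backup that actually contains it, rather than from the time the backup job last ran. The following check is an added example, not part of the original article; the asset names, RPO values and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: per-asset RPO and the backup runs that actually
# captured each asset. All names and timestamps are hypothetical.
RPO = {
    "finance-db": timedelta(hours=24),
    "crm": timedelta(hours=4),
    "shared-ledger.xlsx": timedelta(hours=24),
}
# (job start time, assets captured). The 2024-03-05 job ran, but the
# ledger was open and locked, so that run does not contain it.
BACKUP_RUNS = [
    (datetime(2024, 3, 4, 1, 0), {"finance-db", "crm", "shared-ledger.xlsx"}),
    (datetime(2024, 3, 5, 1, 0), {"finance-db", "crm"}),
]

def last_captured(asset, runs):
    """Time of the newest run that really contains the asset, or None."""
    times = [when for when, captured in runs if asset in captured]
    return max(times) if times else None

def rpo_report(rpo, runs, now):
    """Return {asset: (exposure, status)}; exposure is the data at risk now."""
    report = {}
    for asset, objective in rpo.items():
        captured = last_captured(asset, runs)
        if captured is None:
            report[asset] = (None, "NO BACKUP")
            continue
        exposure = now - captured
        status = "ok" if exposure <= objective else "RPO MISSED"
        report[asset] = (exposure, status)
    return report

if __name__ == "__main__":
    now = datetime(2024, 3, 5, 15, 0)
    for asset, (exposure, status) in rpo_report(RPO, BACKUP_RUNS, now).items():
        print(f"{asset:20} exposure={exposure} -> {status}")
```

The ledger misses its 24-hour RPO even though a backup job completed that morning, which is the gap between expectation and reality that an agreed, per-system RPO is meant to surface.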
Why Is BC/DR Important in the Realm of Cybersecurity?
When there is a security event, you should have two objectives: first, figure out what happened, and second, figure out how to undo it.
Having solid backups will help you understand which files were changed and which programs were compromised. They’ll also help you in undoing the damage.
So it helps from a forensic analysis perspective, because you can compare your backups to your current situation. And obviously being able to pinpoint the effects and time of the event makes recovery faster. Instead of going through file by file undoing changes, it might make sense to just restore from backup once the security team has finished their analysis.
5 Things to Consider for BCP and DRP
As you develop plans for business continuity and disaster recovery, keep these 5 things in mind:
- Keep your backups for a longer amount of time
- Test your backups
- Test your plans
- Diversify your backup storage
- Get your stakeholders on board
1) Keep your backups for a longer amount of time
Storage is fairly cheap nowadays, but if your company is large and you have a lot of data, storage costs can add up. So people look to cut costs — but cutting down the size of their backups is a problem.
Your backups should be aligned with your recovery point objective. I highly recommend keeping at least six months’ worth of backups.
The more backups you can keep, the better. It’s better to have more backups and not need them, than to have a disaster and find out you’ve deleted that data.
2) Test your backups
All too often, people are convinced they have a bulletproof backup system: they have a six-month window saved, a weekly, and a daily incremental backup. But unless they’ve tested those backups, there’s no way to know if that preparation will pay off.
I’ve seen what happens when people don’t test their backups. They thought they were covered, and when disaster struck, they found out their backups weren’t running.
Your backup media must align with both your RPO and RTO. If this is overlooked, it might take you the same amount of time to restore a single file as it would your entire business. Consider this as you create and test your backups — will it hinder recovery if your backups are all grouped together? It’s a good idea to pay extra attention to those critical files.
At a minimum, for insurance purposes and other requirements, you should be testing your backups annually. However, a year is an awfully long time between tests, so I recommend doing this quarterly.
Testing your backups is a really straightforward process. Say on Monday, you create a file — delete it on Wednesday. On Friday, see if you can recover it.
Servers — especially virtual ones — are pretty simple too. You just spin up a new instance of that virtual server and see if everything’s there. Make sure it boots up and runs, and check if you can still insert that virtual server in place of an existing server.
3) Test your plans
It’s unfortunately common for people not to test their business continuity plans. They find out in the heat of the moment that the processes or the recovery weren’t thorough enough. Perhaps the person who is supposed to step up is out of the country when a key employee is unexpectedly out for an extended time. Clearly, they aren’t able to fill in, so you need to figure out what happens next.
Tabletop exercises are walk-through scenarios that help you prepare for an event before it happens. In a tabletop exercise, you role play as if the scenario is actually occurring and carry out your plan through a discussion. These exercises help you stay calmer in the heat of the moment, because you practiced it. You’ve been through it.
The more frequently you can afford to run tabletop exercises, the better. Keep mixing it up and run different scenarios to give people experience with as many different situations as possible.
4) Diversify your backup storage
Never put all your eggs in one backup location. A good rule of thumb for data backups is the 3-2-1 rule:
- 3: You should have a minimum of three copies of your data, including the production copy.
- 2: The two backups should be split across two different types of media. For example, you could use tape for one and an online disk for the other, or put one in a cloud provider and one on-site in local storage.
- 1: At least one of your backups needs to be off-site and disconnected. If you have a fire and all of your backups are on-site, then you’re going to lose your backups for good. Plus, keeping one of your backups disconnected from your network keeps it out of the hands of ransomware attackers.
It’s incredibly important that you back up your cloud data. People assume that because the cloud is managed by a third-party service provider with good backups, they’re covered and don’t need to back it up themselves. Not true. Anything in the cloud you should be backing up yourself and you should back it up somewhere other than that particular cloud.
You can back it up to another cloud by another service provider, but don’t back it up to the same cloud and the same service provider. You won’t be covered if something happens to that provider.
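The 3-2-1 rule and the different-provider rule for cloud data can both be checked mechanically against a backup inventory. The checker below is an added example, not part of the original article; the inventory fields, copy names and provider names are hypothetical, and the provider check is one interpretation of "somewhere other than that particular cloud".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    provider: str     # who operates the storage
    offsite: bool
    online: bool      # reachable from the production network
    production: bool = False

def check_321(copies):
    """Return a list of rule violations; an empty list means the set passes."""
    problems = []
    prod = [c for c in copies if c.production]
    backups = [c for c in copies if not c.production]
    if len(copies) < 3:
        problems.append("3: fewer than three copies including production")
    if len({c.media for c in backups}) < 2:
        problems.append("2: backups are not on two different media types")
    if not any(c.offsite and not c.online for c in backups):
        problems.append("1: no backup is both off-site and disconnected")
    # Cloud data: at least one backup must sit with a different provider.
    for p in prod:
        if backups and all(b.provider == p.provider for b in backups):
            problems.append(f"cloud: every backup of {p.name} is with {p.provider}")
    return problems

# Constructed inventories; provider and copy names are hypothetical.
SAME_CLOUD = [
    Copy("mail", "object-storage", "cloud-a", True, True, production=True),
    Copy("mail-snap", "object-storage", "cloud-a", True, True),
    Copy("mail-export", "object-storage", "cloud-a", True, True),
]
DIVERSIFIED = [
    Copy("mail", "object-storage", "cloud-a", True, True, production=True),
    Copy("mail-copy", "object-storage", "cloud-b", True, True),
    Copy("mail-tape", "tape", "vault-co", True, False),
]

if __name__ == "__main__":
    for label, inv in (("same cloud", SAME_CLOUD), ("diversified", DIVERSIFIED)):
        print(label, check_321(inv) or "passes 3-2-1")
```

The first inventory has three copies yet still fails on media, on the off-site disconnected copy and on provider, which is the situation of relying solely on one provider's own backup tools.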
There was recently a fire in a French data center that resulted in total loss. Hundreds of businesses had to shutter because they were relying solely on the data center’s backups and had no other plan.
Some Microsoft customers had extended outages earlier this year with various Azure and Office 365 products. The outages lasted at least a week. So if their only backup was in Azure or was through Office 365’s backup tools, then those businesses would have been dead in the water.
5) Get your stakeholders on board
Lastly, getting buy-in from your various stakeholders is key. That’s difficult to do for your BCP because it’s so comprehensive, so I suggest tackling it in baby steps. Work on the things that are the most important first — you can’t eat the elephant all at once.
Start with your C-level people and most critical personnel and get them to invest in your plan. Don’t just throw a dart and say, this is going to be my RPO, this is going to be my RTO, and this is the way the process is going to work — otherwise, you’ll be surprised when you have to execute and you don’t have the buy-in you need from leadership.
Getting buy-in is especially important with executives. An untrained executive can sometimes panic and make things worse during a disaster. This is the last thing you want, because ultimately panic has an interesting way of finding its way to the press.
Continuity, Recovery, and Climate Change
Climate change is strongly impacting the world of IT and it needs to be a part of BC and DR planning. For example, just last week Texas suffered massive rolling blackouts. Ironically, when China banned cryptocurrency mining, Texas jumped at the opportunity. Yet because of record heat caused by climate change, Texas doesn’t even have enough power to run their air conditioners—how would they be able to free up gigawatts and gigawatts of power to mine cryptocurrency? These blackouts impact businesses and can even threaten data centers in extreme temperature situations.
Climate change has also caused more annual hurricanes, so if your business is located near the coast, this is something to consider as a risk. But hurricane-causing weather also has effects that radiate hundreds of miles inland, and violent weather has become more common even in places like Michigan. Climate change does have an impact on your BC/DR, and it’s absolutely something that needs to be kept in mind.
Start Your BC/DR Planning Today
Planning for business continuity and disaster recovery is an inescapable part of running a business of any size, and it’s important that you do it right. So the next time BC or DR comes up in a security meeting, be sure not to overlook these best practices.