SECURITY ASSESSMENT:

Disaster Recovery for Businesses


As just about anyone in the business world can tell you, having a plan is an absolute necessity to succeed. But what some people might not realize is that a business continuity/disaster recovery (BCDR) plan is important too. That’s why we’re taking a look at some of the basics of disaster recovery strategies and what we at Moser Consulting offer in the way of assistance as part of our Business Services Division!

Let’s get started.

Which Comes First, BCP or DRP?

Generally speaking, business continuity planning (BCP) occurs prior to disaster recovery planning (DRP). That is because a disaster recovery plan is only one component of a business continuity plan; the business continuity plan sets the foundation for disaster recovery planning. In addition to a disaster recovery plan, a BCP includes:

  • Business resumption plan

  • Occupant emergency plan

  • Continuity of operations plan

  • Incident management plan 

What Is Disaster Recovery?

Disaster recovery refers to the aftermath of major human or natural events, catastrophes, emergencies, and disasters. In a business specific context, disaster recovery involves an organization’s efforts to maintain or reestablish mission-critical IT infrastructure such as tools, communications, and more. 

One of the most salient disaster recovery examples in the last several years might be the COVID-19 pandemic. As companies closed their offices, employees experienced lockdown, and the world economy experienced a shock, many institutions were left trying to determine how they would move forward. 

  • Would they shut down for good? 

  • Would they have to make layoffs? 

  • Could they alter their business model? 

  • What was their return to office plan? 

  • How would they optimize working from home? 

In the wake of all of these questions, the need for disaster recovery procedures and business continuity planning became quite clear. 

How Many Types of Disaster Recovery Are There?

Generally speaking, there are three main types of disaster recovery: natural, physical, and technology-based. While all three can impact your business, the most likely to occur is a technology-based incident. That is part of the reason why a business continuity and disaster recovery plan for information security is so important—but more on that later. First, let’s look at each disaster type.


Natural Disasters

These are your tornadoes, fires, floods, hurricanes, etc. However, it is important to note that they don’t always have to be area-wide weather events. For example, a building fire is a natural disaster, even if it only impacts your office building and nothing else. Similarly, the pandemic we mentioned earlier, or the death of a CEO, would also fall under this category.


Physical Disasters

Physical disasters include things like a general infrastructure failure such as loss of power or water. It can also include building problems like a burst pipe, HVAC failures, or a collapsed roof. Break-ins and physical security breaches also fall under this category.


Technology-Based Disasters

The list of technology-based disasters can be fairly long. It can include things like ransomware and malware attacks, server failure, third-party cloud issues, data and security breaches, loss of data, phishing attacks, network infrastructure failure, and major internet service provider outages.

What Is a Disaster Recovery Plan?

A disaster recovery plan is a set of processes, steps, and tools a company can use to continue business operations and recover IT infrastructure in the wake of a disaster. The main purpose of a disaster recovery plan is to explain the comprehensive and consistent actions that need to be taken in order to continue business operations. Generally, disaster recovery plan steps include actions that need to occur before, during, and after an incident. 

What Are Five Major Elements of a Typical Disaster Recovery Plan?

There are several elements that go into a successful disaster recovery plan. They include but are not limited to the following disaster recovery plan checklist steps:

  1. Creation of a disaster recovery team — This team is responsible for creating, implementing, and revising a disaster recovery plan. Each member of the team is also assigned specific responsibilities. It is also a good idea to provide the team’s contact information to the company at large. The disaster recovery plan should list which members of the team should be contacted for certain types of issues.

  2. Identification and assessment of risks — A key responsibility of the disaster recovery team and plan is to identify potential disaster risks to your organization. This includes evaluating all three types of disasters listed earlier in the article. 

  3. Determination of critical processes, tools, resources, and documents — The disaster recovery team and other key stakeholders in the company need to come together to determine what resources and tools are absolutely critical to the operation of the business, post-disaster. In the context of a disaster recovery plan, this should focus on short-term viability and survivability. This likely means analyzing cash flows and revenue, as opposed to long-term solutions that focus on returning the business to full function. One example of a critical process would be maintaining payroll.

  4. Standardization of off-site and backup procedures — These steps should indicate what needs to be backed up, when, how often, at what location, and by whom, as well as how to secure the backups. All of the factors deemed critical in part three should be backed up. You will definitely want to include updated financial documents, employee information, tax records, customer and vendor listings, and more. Everything that is deemed critical should also be backed up to an off-site location in the event that the original physical location is compromised.

  5. Testing and maintenance of the disaster recovery plan — It’s important to understand that disaster recovery and preparedness is a continual process. Risks are always evolving, just as your business is. The recovery plan needs to be tested regularly in order to evaluate its effectiveness. If appropriate, you can make changes or revisions to the plan after testing. Additionally, certain industries, like medical and banking organizations, have required testing protocols in order to remain compliant with their governing bodies.

Why Is Disaster Recovery Important for Businesses?

Simply put, disaster recovery preparedness helps businesses survive disasters and have an actionable plan for the most important steps they need to take. Think of it like the safety demonstration a flight attendant gives you just before taking off. They tell you:

  • How to put an oxygen mask on 

  • To put yours on first before assisting others

  • How to use the seat as a flotation device

  • Where the exits are located

While everyone on the plane is hoping this information will never be used, the fact of the matter is that it’s better to know it and not need it than vice versa. The same applies to disaster recovery planning for businesses. In addition to simply keeping a company running, there are several other reasons to create a disaster recovery plan.

  1. Data Loss: Data loss is always detrimental, but if your business does not have a disaster recovery plan already in place, you are risking permanent data loss. This includes information that is vital to customer satisfaction as well as company operations. Having and following a disaster recovery plan can help ensure data backups are accounted for on external devices or even cloud storage.

  2. Human Error: People make mistakes. This one isn’t breaking news, but it is just as pertinent now, if not more so, than ever before. In fact, leading researchers at Stanford and IBM suggest that anywhere from 88-95% of security breaches are caused by human error. These days, phishing plots and scam emails mean any accidental click can result in ransomware attacks or data leaks. Not to mention, one little oversight can cause security risks that can throw any business into chaos. With a disaster recovery plan in place, data backups will come in handy when mistakes inevitably do happen.

  3. Customer Re-Acquisition: Customer acquisition and customer retention can be pricey yet fruitful endeavors, but customer re-acquisition is almost certainly going to be more expensive. For example, it can be difficult to earn a customer’s trust in the first place, but once you do it can generate loyalty. However, the moment that trust is lost, it’s going to be incredibly difficult, time consuming, and expensive to get it back. The best way to address this issue is to be proactive in preventing issues like data loss or breaches in security. This can all be accounted for in a disaster recovery plan. 

  4. Reputation: Similar to trust, a reputation can take weeks, months, or even years to develop, but only moments to tarnish. In addition to losing existing customers, a damaged reputation can also prevent you from acquiring potential new customers. Plus, with the likes of social media, any unhappy stakeholders can wield word of mouth pretty effectively. While disaster recovery plans can’t guarantee that your reputation won’t take any hits after a disastrous event, they can help mitigate the risk by ensuring you follow the right steps after the fact.

  5. Costs: When disaster strikes, it can be expensive. If you aren’t prepared for it, you can bet that it gets even more expensive. The cost of downtime plus recovery expenses can range from several thousand to several million dollars per hour.

  6. Compliance: Aside from all the intrinsic benefits to disaster recovery planning, another kicker is that certain industries are required to do it. In particular, regulated industries like healthcare or finance have stringent requirements when it comes to testing and implementing disaster recovery planning.

[Figure: Disaster recovery plan process timeline]

Evaluate Your Disaster Recovery Preparedness with Moser!

When it comes to disaster recovery planning, at Moser we always like to ask: “Are you ready for a disaster? Are you sure?” because frankly the stakes are too high not to ask twice.

There are two types of Disaster Recovery Exercises that Moser can help your organization conduct to ensure it is ready to manage the unexpected.

Moser offers the following exercises:

  1. Table Top

    A tabletop is a role-playing exercise that allows an organization to begin testing its existing Disaster Recovery and Business Continuity documents. This first step allows for a non-intrusive rehearsal of the actions and measures taken during an actual incident. 

    This exercise is beneficial because it allows the team members to walk through a simulated incident and identify potential gaps in the process and plans as documented. This exercise is conducted in an interactive format that encourages cross-departmental communication and engagement.  

    This exercise does have a few drawbacks in that it can be time-consuming for the employees involved. The exercise requires thorough documentation as the scenario unfolds and guidance from a professional who has experience conducting and managing the exercise.

  2. Walk Through / Simulation

    A walk-through/simulation test builds on the Table Top Exercise. It presents the opportunity to conduct a company-wide testing event to test the updates from the tabletop and to uncover new gaps that this more intensive exercise exposes.

    The benefit of a walk-through/simulation test is that it provides a real-life, hands-on emergency environment to conduct the test. All plans associated with the scenario are tested, and the practice can lead to the identification of gaps or oversights. The outcome is updated documentation and a staff further trained in responding to an incident. 

    The drawback to this type of exercise is that there is a considerable investment in time and effort to plan, set up, and execute a test of this magnitude. 

Make a Disaster Recovery Plan with Moser

At Moser, we pride ourselves on being more than a third-party tester. We are a true partner, collaborating with your team to find the best possible solution to your needs. We’re not here to pass blame or take control. We simply act as an extension of your disaster recovery team to ensure you are prepared for anything. 

Our after-action report will highlight potential remediations and suggestions to guide you in the right direction. If you decide to move forward with Moser after the report, we have several disaster recovery plan examples that are plug and play (like ransomware or inside malicious actors). Alternatively, we can work with you to create custom plans to meet your unique needs.

With so much on the line, you literally cannot afford to be unprepared when disaster strikes. Contact us today to get started.


WATCH FOR THE NEXT ARTICLE IN THIS SERIES:

Cyber Insurance Assessments

As cyber incidents continue to increase, it is becoming abundantly clear that cybersecurity is one of the most critical business services available. In order to ensure robust and comprehensive protection, companies must regularly audit their existing digital security infrastructure and pursue protective measures like purchasing cyber insurance. 
