Planning for disaster: 5 steps to a painless recovery

Are you prepared for your business’ worst nightmare? It could come in the form of a virus or a natural disaster. It could be caused by someone inside your business or by a total stranger. Regardless of what you want to believe, it can happen.

According to a 2014 study, data loss and downtime cost companies $1.7 trillion every year. For smaller companies the prospect of a disaster is potentially deadly, but bigger organizations shouldn’t take it lightly.

About 93% of companies with downtime lasting 10 days file for bankruptcy. That’s not 93% of small businesses – it’s 93% overall. Clearly, you can see that downtime is something to be taken seriously.

The fallout from a data disaster can include everything from lost productivity to an irreparably damaged brand if customer information is lost. The worst part? It’s not only possible but likely.

According to one study, 70% of businesses have experienced or will experience data loss due to accidental deletion, disk or system failure, viruses, or fire. That’s a huge percentage of organizations, and that should be enough to scare everyone into action. Yet, 75% of companies are not prepared for this type of incident.

With consequences so dire and an incident so likely, why would such a high percentage of companies neglect preparations? Establishing lines of action for a worst case scenario ahead of time could save not just a few documents but the life of your entire company!

Are companies failing to prepare because they have no choice? Because there’s nothing they can do but wait?

Absolutely not. There are many steps you can take ahead of time to minimize the damage from a data loss disaster. Some of them may require investment of time or money up front, but if that seems like a problem, then just remind yourself of what’s at stake.

Here are 5 steps to a painless recovery:

1. Have a plan

This should go without saying, but as the stats presented above indicate, many companies are planless in the face of disaster.

It’s critical that your plan cover several areas. First and foremost, your plan should include tech. We’ll get into that in more detail with the rest of the steps in this post, but the best offense is a solid defense when it comes to data loss and downtime.

However, tech isn’t the only area that your plan needs to cover. Even the IT department will need to hone their communications skills to plan for disaster preparedness. Employees and customers alike need to understand the situation, as well as the process and timeline for recovery. If not, the workplace could descend into chaos and the business could lose customers.

All of that means that establishing communications plans ahead of time is just as important as knowing what will happen on the technical side of the recovery. After all, if you complete your recovery but destroy the stasis of the company, the problems are going to follow you into the future.

2. Establish a Recovery Point Objective

Your Recovery Point Objective, or RPO as it’s commonly called, is essentially a measurement of how often you back up your data.

If you have a 48 hour RPO, that means that it’s unacceptable to lose any data from 48 hours or more prior to the incident. Likewise if you choose a one hour RPO, that means that losing data that’s one hour old may be inevitable but anything older is untenable by your business’ standards.

Not all RPOs are created equal, and they require IT staff to have a keen understanding of business objectives. Less forgiving RPOs, such as the one hour RPO in our example, are much more technically complex. They require different technology and are more expensive than longer RPOs.

Some businesses will naturally need less forgiving RPOs than others. These include businesses for whom data is especially sensitive – those who deal in financial, legal, and healthcare data, for example. Any amount of data loss is unacceptable to them, so investing in a short RPO is a good idea.

3. Establish a Recovery Time Objective

RTOs? RPOs? How many acronyms is too many?

Let me illustrate the difference between an RTO and the RPO we just discussed. While RPOs look into the past, at how often you do backups to protect against future data loss, RTOs look into the future.

An RTO establishes how much downtime is acceptable (obviously no downtime being ideal, but relying on that gets in the way of necessary planning). So an RTO of a half hour means that you need to have your systems back online within a half hour of the incident. A 12 hour RTO means you need to be back online within 12 hours of the incident. You get the picture.

Just like with RPOs, less forgiving timelines are going to be more complicated and more expensive but worth the investment depending on what type of business you are. It’s even possible to have an RTO of no time at all, with all your data duplicated so that in case of data loss, you can resume work with no interruption of service at all.

RPOs and RTOs are both important and both require liaising with others in the business to align IT objectives with wider business objectives.

4. Encrypt, encrypt, encrypt

The threat of hacking isn’t the only thing to be cautious of when planning for a data disaster, but it certainly is a real threat. If you do get hacked, you’ll want to make sure that no one is able to use the data they get their hands on, stealing customer or other sensitive information.

It’s important to encrypt all your data, including all backup and replicated data. This means encryption of data both at rest and in transit. If you use any sort of cloud service, make sure you completely vet their security and encryption processes to ensure that they are up to your standards.

Encrypting data, ensuring that it won’t fall into the wrong hands, will save you a lot of grief in the event that you’re hacked. Think of all the high profile hacking stories from the past couple years. Customers were mortified. Compromising customer information alone is enough to place your business in serious jeopardy.

5. Got a plan? Good. Test it.

This step is just as important as having a plan in the first place. After all, what good is a plan if you don’t know whether it works – or its weaknesses?

It’s important not just to know in theory how you’ll react in a disaster situation but to play out those situations to see how your team performs. Test your plan periodically to ensure that it always stays up to date. Poke around for weaknesses and fix them.

This list only scratches the surface of disaster recovery preparedness, but accomplishing all of the steps will go a long way to making any data loss incident you face as painless as possible.