Does your business need a business continuity plan?
If there are parts of your business that you can’t afford to lose – such as stock, premises, IT systems and staff – then you need a business continuity plan. If you’re not sure what you would do in the event of an incident (small or large), now is the time to make a plan to ensure the smooth operation of your business.
Additionally, 99% of all small and medium businesses are reliant on digital technology these days and 85% report that using technology aids their success. With so much riding on the effective and continual use of our IT systems, we’re going to show you how to plan for a business outage and, more specifically, how to limit downtime and plan for disaster recovery.
What is a business continuity plan?
A business continuity plan (BCP) details how a business will continue to operate in the event of an unplanned disruption to service. It’s a survival guide! A guide that should consider every area of your business and how to maintain services should an incident occur.
More importantly, a business continuity plan should provide solutions for minimising downtime and getting back to business quickly! Because so many businesses are reliant on IT and technology, one of the most fundamental parts of a business continuity plan is how to restore IT and systems, also known as a disaster recovery plan.
Creating an effective business continuity plan (BCP).
Creating an effective business continuity plan (BCP) is simpler than you might think. A BCP can be put together by considering the following:
- What are your organisation’s key products and services?
- Are there critical activities and resources required to deliver these?
- What are the risks to these critical activities?
- How will you maintain these critical activities in the event of an incident (loss of access to premises, loss of utilities etc)?
To put the theory into practice it is important to:
- Assign responsibilities: Get full support from senior managers and assign roles so that staff can take ownership
- Implementation: Once the policy has been developed and agreed, it will be the task of the individual or team to ensure the policy is implemented.
- Ongoing management: Make sure the company’s BCP is regularly reviewed and continue to promote the BCP across the organisation.
For more information on how to create an effective BCP, GOV.UK have a great toolkit.
What is a disaster recovery plan?
While a business continuity plan looks at planning for and mitigating an outage in any area of the business, a disaster recovery plan looks specifically at how IT infrastructure (from mobiles to computers and systems) can be restored, backed up and basically recovered.
For many businesses a disaster recovery plan which protects IT infrastructure and data will be vital to ensuring:
- Minimal downtime
- Minimal delays
- Established and guaranteed reliability of backup systems
- Reduced potential legal liabilities due to things like data breaches.
We’ll also be providing pointers that will allow you to baseline your current situation and match any solutions or IT support for your business.
Creating an effective disaster recovery plan
Here are the key points to address when formulating a disaster recovery plan.
Get your senior team on-board: Don’t try writing this alone and don’t hand it out to your administrator or IT guy (or girl). You need sign-on from your most senior people to make it work.
Keep it simple: Best practice for larger companies might be separate incident management, business continuity and disaster recovery plans. We suggest keeping it simple and combining the core elements of these into one working document.
Scenario planning: Use a range of scenarios to influence and test your recovery plans, getting your group to ‘imagine’ this or that incident and let that lead your planning.
Know your key processes: Understanding from technical, commercial and financial perspectives will help prioritise how you address recovery.
Understand your IT: You need to fully understand your IT systems and applications and how these support your critical applications. Even if you are cloud based, don’t assume everything is ‘fine and dandy’ – check and make sure provisions are in place and you know how to recover.
How long can it take? Start thinking about recovery point objectives, i.e. the time you need to get that machine back on-line or that customer web portal restored. If you fully understand the impact to your business, establishing a recovery time should follow.
Who are the key people? Who else is needed from your list of key stakeholders, including staff, vendors, suppliers, etc.?
Step-by-Step: Lay it out, step-by-step, so that everyone knows the key steps and sequencing of events.
Mistakes to Avoid
- Lack of support – You need to have management on-board, including the resources and funds to implement a successful plan
- Don’t ignore the risks – It’s easy to ignore the potential risks, but the more work you put into scenario planning and identifying risks the better. It’s also no good just identifying the risk; you need to mitigate risks whenever it is practical to do so.
- Keep testing – We suggest testing once or twice per year and always documenting your test.
- Blow off the cobwebs – So you have a plan, but no one has reviewed it for years! Key contacts left the business years ago and systems have changed. Make a scheduled task to revisit and update your plans.
Understanding your Data
At Charlton Networks, we recommend that customers spend time to truly understand their present environment. This may include the applications they run each day and the data that sits within these apps. In the event of a serious incident, such an understanding is critical to the survival of the business.
We then ask our small & medium business customers to assess the risk and reflect on the negative, grading likely / possible / improbable risks and exploring worst-case outcomes. Our intention is not to create ‘Project Fear’. Instead we want you to create a ‘mind-map’ of what’s essential to business trading. For example, think about your local physical environment, such as extreme weather conditions, their rising regularity and whether mitigation is needed. Or consider human resource issues, such as an ex-employee with knowledge of your IT system set upon vengeance against your business.
To help generate such ‘risk scenarios’, we also ask customers to consider recent events and explore how their organisation would have coped had this happened to them. The WannaCry ransomware outbreak in 2017 is a classic example of how such reflection can really help. Businesses were gripped with fear of arriving at their office each morning to infected systems. However, as customer confidence grew that the immediate outbreak was protected against, our conversations with SME business owners shifted toward planning and getting the latest expert advice on how to build a solid last line of defence around backup & recovery.
Planning to Succeed
If all this reflection sounds pretty negative, take comfort that good planning and committing your ideas to paper is far easier, more likely to be effective and less costly than just installing the first solution you come across. Such a planning exercise invariably opens the eyes of both owners and their management teams to the types and levels of threats facing the business. In the same way board members would not dream of leaving their premises unsecured, a well-constructed vulnerability plan will quickly highlight gaps in your data & application protection and focus your whole team on what is important.
We recommend keeping your plans simple and suggest developing a ‘roadmap’ to capture these ideas. Focus your attention on the most important and the immediate activity. The detailed planning is about the next 3, 6 or 12 months; beyond this, keep it short and simple, and allow yourself the scope to change, adapt or develop your planning as you progress.
Larger companies operating multiple sites can justify geographical resilience, inter-site backup & replication and an off-site recovery site. This won’t be possible for most SMEs, but with good planning and design, similar results can be achieved with hybrid solutions, mixing public & private cloud, on-site and off-site solutions that give the highest levels of resilience where the business most needs it.
Disaster Recovery Solutions and Deployment
Extending the idea of ‘keeping things simple’ should also be applied to any backup & recovery solution you select. For example, look to deploy a seamless set and forget backup software layer that can automatically notify you in the event of problems and present a simple ‘top-level’ view of your data & application protection.
But backup is pointless if recovery is difficult and slow. Speed of access doesn’t have to cost the earth. Make sure that you don’t over-egg what you need, as you can quickly become blinded by the latest technology ‘must have’ features and the whole ‘up-sale’ process.
Here are some tried and tested things to consider when looking for a backup & recovery solution:
1. How easy is the backup solution to use? Is it really set and forget? Does it require distinct amounts of customisation for rollout? Does it suit the amount of data you have and do you need enterprise features like Disaster Recovery?
2. Compare costs: Gone are the days of having just one or two vendors supplying niche backup solutions, now you can really shop around and buy a reliable backup solution that does what you need without over-doing features and complexity.
3. Remember your needs: Keep checking what problem you are aiming to solve. Are you trying to alleviate the chore of backup with automated, reliable, failsafe recovery?
4. What do others say: How many companies are already using the solution? Perhaps the most candid advice can come from your peers and what they truly think about everyday usage, most of which is shared warts and all on sites such as SpiceWorks, Gartner Peer to Peer and IT Central Station, to name but a few.
5. Understand your solutions: Don’t overly trust Cloud based apps to be automatically ring-fenced – for instance, who knew that Microsoft are not responsible for backing up Office 365 mailboxes? Who then is? Yes, that also falls to you!
6. Give it a try: Download trial software and actually stretch test it – any software company of repute will want you to test the software in your own non-production environment.
Business Continuity & Disaster Recovery Glossary
Altaro is a complete backup and recovery solution for your IT systems. It provides a wide range of features that help protect your data and recover it quickly. At its heart is a web-based centralised management function, making it easy to configure & manage from any location. Data is fully encrypted, with options for both on-site and off-site backup. Most importantly, Altaro recovery time is super quick, ensuring system outages or data loss are kept to a minimum.
Microsoft Azure extends the functionality of the Altaro backup & recovery system, providing the ability to simply add and automate off-site backup, with unlimited capacity, encryption and a choice of geographical location. The Azure ‘plug in’ for Altaro means we can recover clients’ data or systems from this off-site storage location. This is crucial in the event of a total on-site disaster, such as a fire or major cyber-security incident. Off-site Azure backup provides the ultimate recovery if your local data is encrypted via a ransomware attack.
Backup describes the processes and regime for the on-going backup of your company data and systems.
Business Continuity (BC) is concerned with identifying, managing and reducing business risk. This is done via a defined process / methodology that identifies and prioritises improvements to overcome these risks. An effective BC plan will support the strategic aims of the business and build the capabilities to keep the business running in the event of a disaster through a process of continual development. Key elements will include Business Impact Assessment, design of mitigation strategies, planning and implementation, testing, maintaining and developing.
Storage provided in the cloud and accessible via the public internet. Examples include Microsoft Azure and Amazon Web Services.
This general term refers to systems whose management and operation is based in the cloud, through to the storage of off-site backup data in public cloud services, such as Microsoft Azure.
Disaster Recovery (DR):
Disaster recovery planning looks to identify IT system risks, develop potential mitigating actions and create a testable and repeatable plan for your system recovery. This is done by creating disaster recovery scenarios to identify risk and the processes required for recovery. At its core, plans are created that regularly test the full recovery of systems, such that recovery processes become known and can be refined and improved over time. All businesses should undertake this planning process, even small businesses, resulting in actions ranging from backup testing & review, test restores, through to full disaster recovery of key applications and systems.
The process by which your company data is ‘scrambled’ and can only be ‘unscrambled’ using an encryption key. The encryption key is the password to unlock the data and is also known as the ciphertext. Making the data unreadable means that unauthorised persons cannot access the data. It is imperative that data backup on-site and off-site is encrypted both ‘in-transit’ and ‘at rest’. ‘In-transit’ refers to the data as it is moved and ‘at rest’ refers to its final place of storage.
Incident Response Plan:
An action plan that covers the immediate response and actions required for your organisation to respond to a major incident. This can cover issues such as a cyber-attack, closure of an office or other serious incident impacting your business, but can also include major operational issues such as server outages or a production line failure. For small & medium sized companies we recommend including this incident response plan within your overall business continuity or disaster recovery plan. Typically plans cover the initial responses, who needs to be involved, which stakeholders to be notified and the key actions required to respond to the issue at hand.
An IT asset inventory allows an organisation to understand what devices it owns, what software it runs, where company data is being stored and a range of other factors from finance through to risk management. Maintaining an accurate IT inventory is essential in many aspects of disaster recovery and business continuity, as it enables plans to be developed and maintained. Key to this is regular auditing or the use of on-going Remote Monitoring and Management (RMM) tools that allow a virtual ‘real-time’ inventory to be maintained.
IT Life Cycle:
IT Life Cycle covers introduction, adoption, growth, maturity and decline / obsolescence of your IT products, systems or services. All systems go through this process and your business needs to understand where your current systems sit within this cycle. This enables effective use and planning to be done and Charlton Networks recommend our IT Roadmap process. This means that IT Risk planning is more effective and businesses can understand these risks and mitigate their potential impact.
IT Risk Management:
IT risk management assesses the business risk associated with using, owning, operating or adopting IT systems, services or processes. Risk management covers many aspects and processes, from initial Incident Response through to scenario planning, disaster recovery and business continuity planning.
Managed Backup refers to the management and monitoring of your company backups or ‘outsourcing’ of this process. Service Providers will ensure backups and restores are monitored and regularly tested. It also ensures your DR plans can be implemented if called upon.
Refers to establishing a copy of your backups away from the main site where the data exists. This can be a secondary company location or a cloud based backup solution.
Refers to establishing a copy of your data on the main site where the data exists. This tends to be the minimum and default position, with the potential to have secondary copies of backup stored in an off-site backup location.
Recovery point objective / RPO:
A recovery point objective (RPO) is the age of the file(s) to be recovered from a backup process / operation. This is required when a computer system or network goes down and live data is lost. RPO is important when planning backup and disaster recovery strategies and should be influenced by the business need and the impact to customers. Understanding the impact of data recovery also includes understanding the commercial value in terms of lost man-hours, productivity or revenue.
Recovery time objective / RTO:
The recovery time objective (RTO) is the estimated time needed to restore an IT system or IT services following a disaster or disruption incident. The RTO defines the estimated time to recover an entire system, as opposed to the RPO, which defines the age of the files to be recovered. Understanding RTO determines the backup and recovery systems used and ensures that the business needs are matched to the underlying IT systems. Disaster Recovery (DR) testing helps confirm the RTO and actual recovery time, giving the opportunity for continual improvement and minimising business disruption.
Refers to either a single file or a complete system being restored from a backup set.
Refers to how long copies of backup data are held for, i.e. the longer backups are retained, the further back in time data can be recovered.
A risk analysis systematically identifies critical system resources and threats. It quantifies potential impacts / losses of productivity and recommends how to mitigate such risks. To eliminate or minimize exposure a number of countermeasures will be used.
Uninterrupted power supply (UPS):
A UPS is a device that allows your computer system to keep running, possibly only for a short amount of time, when the primary power source is lost. It provides protection from power surges and contains a charger/battery system that kicks in when the device senses a loss of power from the primary source.
Our team at Charlton Networks includes several experts in both Altaro and other backup and recovery systems. Eric Gore is one of these leading experts. He’s a veteran of recommending automated backup solutions that do what they say on the tin. Eric is a Certified Altaro Engineer, who along with others helps Charlton Networks maintain the Altaro Gold Partner status.
After reading this article, perhaps you have more questions you’d like to ask? Or perhaps you’d like a free assessment of your current Business Continuity, Disaster Recovery capabilities or your existing backup & recovery. Why not drop Eric a line (firstname.lastname@example.org) with your question? Alternatively, why not download our Backup 30 Day Trial Free Download of choice – Altaro VM Backup.