Hello, and welcome back to this next TomCast from GuardSight, an Iron Bow Technologies company; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are going to discuss a topic that many have heard of, some actually spend time on, but many should focus more time on. That topic is disaster recovery. Now, some of you might have just rolled your eyes thinking that disaster recovery is a waste of time and money. This discussion is mainly for you.
What is disaster recovery? Well, just as it sounds. The ability or plan that helps a business recover from a disaster. Now, a disaster can be categorized as several different types of events. Let’s say your organization is in a busy metropolitan area and there is a mishap at the power station that takes the power offline for several hours. Your business has no power, no way to keep the systems online or connected to the web, and you rely on e-commerce. This could be a disaster that you need to have a plan for.
What about natural disasters? Depending on the location of the organization, that could be a hurricane, tornado, earthquake, or any other type of emergency event. If your organization is located in an area that has been or could be impacted by an event of that nature, you need a plan to recover from that event.
How about an insider threat event that causes a disaster? A disgruntled employee with far more access than they should have just releases chaos in your network, taking the organization offline. What is your plan to recover from that scenario?
All too often disaster recovery makes people think of one specific type of disaster or something that has yet to impact the business, so they find it a waste of time and money to place any focus on the creation of a plan. Now, the blessing of a disaster recovery plan is that you’ll never have to use it. The flip side of that coin, however, is not having a plan and experiencing a disaster.
Unfortunately, that is typically what causes organizations to place focus on a disaster recovery plan. Experiencing a disaster and realizing there is no plan in place is a sobering moment to experience. No executive leaders out there particularly enjoy an “I told you so” moment. The best you can do is bring more awareness to leadership to provide better context and perspective on the priority of a disaster recovery plan.
So, what does a disaster recovery plan consist of? Well, the short answer is a plan that helps the business recover. Focusing on the most important asset any organization has, their people, the plan addresses their safety and security first and foremost. Accountability exercises, alternative work locations, and communication methods to make sure each and every employee is accounted for.
Next, you need to understand the critical business objectives. What does your business absolutely have to have in order to perform the necessary functions to keep business progressing? Those critical business objectives are the next focus. If you are in a busy metropolitan area, consider a secondary location far away from your primary location. A secondary data center (if you are not using a cloud computing platform) could be another piece of the puzzle. Look at employing a secondary internet service provider to ensure your critical objectives can be brought back online as quickly as possible.
Also look into your recovery point objectives and recovery time objectives, otherwise known as RPOs and RTOs. What is the maximum allowable time your organization can be offline before you start losing revenue? 1 day? 3 days? A week? These fall in line with your RPOs and RTOs, and they are outlined in the plan to make sure recovery personnel stay focused on getting things back online efficiently and in a timely manner.
Education is a vital part of any disaster recovery plan. Having all the locations and circuits/network pieces in place is great, but if no one knows how to use them or what to do, it is all for naught. Once the plan is in place, test the plan regularly. This is not a compliance item that checks a box and is forgotten. Technologies change frequently, so disaster recovery plans need to be tested at a minimum annually (preferably every six months) to make sure the plan is effective. If something has changed, if a network segment or cloud computing connection has changed, that is the time to update the plan so everyone knows the updated process.
See, organizations like GuardSight and Iron Bow have helped educate several organizations with the cost-benefit analysis of disaster recovery plans. They have seen organizations that have been caught without a plan, that struggle with how to recover and what to do. If you aren’t sure of how to get started, reach out to one of the professionals there. They are more than happy to help you get started on your own disaster recovery plan.
We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight or Iron Bow can do for you, head on over to www.guardsight.com or www.ironbow.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!