What kind of business protection do you have in place? Public liability insurance, business premises and assets insurance, professional indemnity insurance? No doubt your business has a host of insurance policies, but what about your information technology – what’s protecting that?
When something goes wrong – whether it’s a natural disaster such as flood or fire, a criminal attack like a burglary or cybercrime, or human error causing a system failure or other incident – you need more than insurance policies to protect your business.
Disaster recovery and business continuity planning are your first line of defence when an incident occurs. While insurance companies sort out claims, it needs to be ‘business as usual’ for most companies. There’s no time to wait for paperwork to be completed, and this is where your disaster recovery and business continuity planning are vital.
What is disaster recovery and BCP?
Disaster recovery (DR) and business continuity planning (BCP) are often used interchangeably, but they are distinctly different. They are closely related, however, with disaster recovery being an important aspect of any business continuity plan.
DR refers to your ability to restore the data, IT systems, and applications that run your business if data centres, servers, or your IT infrastructure suffer damage or attack.
BCP, on the other hand, is the strategy a company uses to reduce downtime or service outages, and to ensure that incidents do not adversely impact the business. Whereas DR is naturally reactive when disaster strikes, BCP is proactive, minimising the risk to the business using a combination of prevention and failover plans should an incident occur.
While BCP and disaster recovery affect all departments within a company, the IT department is usually most prepared. However, this preparation is often limited to planning for events that only impact systems and the IT infrastructure – for example cyber-threats and IT incidents. They may be less prepared for more far-reaching disasters such as fire, terrorist attack etc. Below are some common business continuity mistakes that people make.
5 common IT business continuity mistakes
1. Underestimating the scale of disaster
Incidents such as power outages, storms or the emergency evacuation of an area can affect large parts of a town or city. Therefore, recovery sites should be situated away from your business so that in the event of a large-scale disaster they remain unaffected. We’ve come across businesses using a recovery server in the same building as the main server, demonstrating a failure to appreciate that a disaster will not discriminate between different servers and data centres.
Cloud continuity does offer additional protection from geographic threats. However, data is still located in a physical place, so we would recommend that data centres should not be in close proximity to the business.
2. Not testing the plan
Your business continuity plan is not an insurance policy to be claimed on when something goes wrong. Instead it’s a living document that needs to be tested to ensure that it really does work. A robust plan must stand up in all kinds of different scenarios, addressing a multitude of different variables from the type of disaster, to what happens if key staff are not available when disaster strikes. Testing may be laborious and need significant resources, but your business continuity plan is really not worth the paper it’s printed on unless it’s tested.
3. Not factoring in supply chain
If your business continuity plan states that in the event of damage all computers will be replaced by the IT team, it also needs to factor in the time it will take to order these, take delivery and set them up so that employees can use them. Replacing just a few computers is relatively easy – suppliers are likely to have them in stock, and your IT department can quickly install software and applications and get them up and running. However, if you have to replace an entire floor’s computers, you will not only have to find a supplier, or suppliers, who can fulfil your order and deliver quickly, but you will also need sufficient manpower to get these ready for employees to use.
Therefore, your business continuity plan must address where assets will be bought from, prioritise key employees who need new hardware first, and ensure your IT team has enough resource to get employees back up and running in a specific period of time.
4. Not reviewing the plan regularly
Few businesses stand still; most are evolving continually. This means that your business continuity plan is already out of date, as it only tells you how to preserve the business at the time it was written. Therefore, it must be reviewed regularly to keep it current and workable.
While setting a regular review period is a good idea, changes to the business should instantly flag up a need to review the plan. Those charged with business continuity planning must identify the kinds of change, to strategies, processes or otherwise, that would make your plan redundant.
5. Assuming that key people will be present in a disaster
Any employee who has a role in implementing a disaster recovery plan or ensuring business continuity must also have a backup. Disasters, whether on a small localised level or across the entire business, do not wait to happen until all key people are present. This can be a challenge if you have a small IT team with only a few individuals with the expertise to put measures in place.
An external provider can be an invaluable asset when disaster strikes, ensuring that sufficient resource is available to implement plans, as well as managing recovery from their site if yours is affected.
Bruce Penson is the managing director of Pro Drive IT.