While most CIOs understandably prefer to focus their time on high-level strategy, companies driven by technology are rife with potential security and stability problems, so preparing for the unexpected needs to be an executive priority. Yet a 2016 Zetta survey discovered that around 40% of organizations do not have a formally documented disaster recovery plan (DRP), even though nearly half of all businesses must close their doors when an unexpected event occurs.
Still, DRPs have a bad rep, with 54% of IT pros believing they are too expensive and 37% feeling they are too difficult to use. But the risks of not creating one are unavoidably high. More than half (54%) of the companies in the Zetta study reported they had experienced a downtime event that lasted more than eight hours in the past five years. The associated risks include the potential loss of customers, reduced productivity and reputational damage. What's more, a Gartner report estimates that, on average, an hour of computer system downtime costs an enterprise $300,000. Unsurprisingly, a Touche Ross study revealed that when a company without a DRP is hit with an unexpected event, the survival rate is less than 10%. Evidently, an airtight plan is crucial. But how can CIOs ensure they have an effective DRP?
First of all, your DRP needs to identify the names of the people who are charged with responding to the crisis so employees discovering an issue will immediately know who to speak with. This will likely be the CIO among some other higher-ups and IT professionals. Included should be all contact details for work and home, with complete clarity as to who will be called in to work during an unexpected event. It's also advisable to decide in advance who will speak on behalf of the company to those affected by the disaster. Speaking to CSO, John Iannarelli, a security consultant, speaker and former member of the FBI Cyber Division, advised that you 'know what you plan to say, how much you plan to reveal, and how you’ll reassure those who might be nervous of continuing business with your company.'
A successful DRP clearly explains how to prevent, detect and correct any disaster that might befall your organization. This is to ensure that the infrastructure and applications can recover from outages. Your plan needs to plainly document the actions necessary to minimize the impact for the business and, where relevant, list the responsibilities of staff members when responding to disasters.
Preparing your staff is key. A CIO needs to ensure that all employees are aware of how to act if there is an outage to limit the downtime. Arranging a morning or afternoon at least once a year, or preferably whenever changes are made to the plan, to outline the DRP and formally train staff in case of a disaster is vital to getting the company back on track after an unexpected event.
It's important to be aware of all of the factors that go into a successful DRP before you write it up. A robust plan must take into consideration all the possible types of disaster. According to Zetta, the most common causes of IT downtime are a power outage (75%), hardware error (52%), human error (35%), virus/malware attack (34%), natural disaster (20%) and onsite disaster (11%), with percentages based on the downtime events CIOs have experienced in the past 5 years. A DRP also needs to consider all of the business's locations and the effect the downtime will have across these.
The length of the disruption is something that often goes overlooked, even in the most robust DRPs. A Gartner survey found that nearly 60% of organizations plan for their longest outage to be seven days maximum. This leaves the company vulnerable and uncovered if the outage goes on for longer. Even if it's unlikely that an unexpected event will last that long, an airtight DRP prepares the company for the worst-case scenario.
Conducting a Business Impact Analysis (BIA) is probably the most effective step a CIO can take towards creating an effective DRP. Conducting a full audit to evaluate your resources and activities can allow you to fully understand the functions of your IT systems and appreciate exactly how each specific disaster scenario would disrupt them. It's important that, while outlining the impacts on these systems, you reach out for input from all departments so that you can ensure full coverage of problem areas. You may have blind spots that your staff can help you understand, and, after all, a disaster would affect everyone in the business. During this audit, it's also worth checking with your external vendors how a disruption would affect the services you receive from them. Reviewing the Service Level Agreements with your third-party vendors will allow you to assess the risk more effectively.
The best place to start when creating your DRP is by looking at your own vulnerabilities and identifying the potential setbacks particular to your company. Carefully document the risk attached to each of these issues occurring, the likely impacts and what will need to be recovered as a result. This will aid you in taking steps to reduce the risks the company faces by setting up support systems and strategies, such as adopting a multi-cloud strategy. According to StorageCraft, 53% of organizations in their study reported not backing up their data on a daily basis. What's more, 75% of organizations claimed that daily backups actually threaten workplace productivity. This is a dangerous attitude to have. While backups take time, ensuring there is redundancy built into your data will mean it is more secure, speeding up your company's ability to get back on track after an incident. Your DRP should always include backing up all data and regular evaluations of the company's IT assets.
Finally, testing the DRP regularly is paramount. The Zetta survey found that 28% of companies rarely, if ever, test their disaster plan. Regular trials of the DRP mean that you can analyze whether it is as effective as it needs to be and adjust it where needed. In just one year, a company goes through many upgrades and introduces countless new technologies, so testing, making the required adjustments, and then re-testing are a must if the DRP is to run smoothly when disaster hits.