Have you spent time revising or planning your business continuity IT strategy yet?
Business Continuity Planning is something you ideally do before a crisis occurs. Let’s set the scene for this post: it’s June 2020, the middle of nationwide protests and an international pandemic due to COVID-19. We want to make sure businesses have the info they need to prepare and rebuild as quickly as possible from the upheaval they are experiencing. What better time to give tips to local companies? We set up a complimentary Business Continuity Planning webinar with PBO Advisory Group, tW2 Marketing, and Rad-on-Point Consulting.
The day we gave the webinar, yet another threat appeared as wildfires broke out in San Diego county. The moral of the story? Business continuity plans are not just important, they are critical, and they should be robust enough to cover a range of potential crises.
Here is how to plan your business continuity IT strategy.
Threats & IT
IT systems are vulnerable to all of the potential threats to a business.
Natural and human-made disasters depend on the location of the facility, so emergency plans must be customized for that location. Utility failures, such as region-wide outages in electricity or internet connection, can bring all work to a standstill and damage critical systems if proper precautions are not in place. Lastly, there is the human element: intentional sabotage by internal actors can cause devastating results. Cybersecurity attacks are also on the increase, both in frequency and in sophistication (and the best time for bad actors to take advantage is during a crisis). All of these threats are very different, but they share one commonality: using best practices to protect the business’ IT assets can protect against all of them.
SMBs in the Crosshairs
Cyber attacks on small and medium-sized businesses are on the rise. Why? Cybercriminals know that small and medium-sized businesses are less likely to have security systems in place, or have practices that are several years out of date and not sufficient against modern forms of cybercrime.
There has been a significant increase in the number of cyberattacks on small- and medium-sized businesses since 2011
Sadly, SMBs are also the most likely to go out of business in the case of a major incident. The monetary cost or hit to a small or medium-sized business’s reputation is often impossible to recover from. Speak to your IT cybersecurity manager about what your risks are to reduce the chance of an attack. Plan ahead and use the backup methods described below to establish a continuity plan for your data in case a cyberattack does get through.
3-2-1 Data Backup Rule
What is the No. 1 way of ensuring your data makes it out of a crisis? Backups. Following the 3-2-1 rule for backing up data will help you recover.
- Three copies: First, create three (3) copies of your data ‒ one (1) primary and two (2) backups.
- Two Types of Storage: Keep the data on at least two (2) different types of storage media e.g. local drive, network drive, SAN, NAS, removable media, etc.
- One Offsite Storage: Store one (1) of those copies of data in a geographically remote/offsite location in case of a disaster that affects your facility. A couple of great options are secure storage and cloud storage. For cloud storage, use a different cloud service provider than your primary provider where and if possible.
- Zero Errors: The goal is to ensure zero (0) errors after the backup recoverability validations and verifications. Your data is ready and available in case of a disaster.
Backups are the No. 1 rule for saving your IT data. Has fire or water damaged your facility? The geographically remote copy ensures your data is still secure. If the disaster is purely an attack against your IT systems, such as intentional sabotage or cybercriminal activity, the best practice is to restore it from a backup.
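To make the four points above concrete, here is a small Python audit, added as an example and not code from the original post: it models each copy of a dataset and checks the copy set against the 3-2-1 rule, with "zero errors" implemented as a SHA-256 comparison of every backup against the primary so a stale or silently corrupted copy is caught before a disaster is. The BackupCopy type, the audit_321 and failing_rules functions, and the sample copies are all constructed for this example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset (hypothetical type for this example)."""
    label: str      # human-readable name of the copy
    media: str      # storage media type: "local-disk", "nas", "object-storage", ...
    offsite: bool   # True when geographically separate from the primary facility
    provider: str   # who operates the storage (used for the provider-diversity check)
    payload: bytes  # the copy's contents; held in memory here instead of on disk


def digest(data: bytes) -> str:
    """SHA-256 of a copy's contents; matching digests mean byte-identical copies."""
    return hashlib.sha256(data).hexdigest()


def audit_321(primary: BackupCopy, backups: list[BackupCopy]) -> dict[str, bool]:
    """Check a primary plus its backups against the 3-2-1 rule (plus 'zero errors').

    Returns rule name -> True when satisfied. The last entry is the post's
    'where and if possible' advice to keep the offsite copy with a different
    provider than the primary, reported on its own line so it can be treated
    as advisory rather than mandatory.
    """
    copies = [primary, *backups]
    expected = digest(primary.payload)
    return {
        "three_copies": len(copies) >= 3,
        "two_media_types": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in backups),
        # "Zero errors": every backup must verify against the primary's digest,
        # which catches a stale or silently corrupted copy.
        "zero_errors": all(digest(c.payload) == expected for c in backups),
        "offsite_provider_differs": all(
            c.provider != primary.provider for c in backups if c.offsite
        ),
    }


def failing_rules(primary: BackupCopy, backups: list[BackupCopy]) -> list[str]:
    """Names of the rules the given copy set does not meet (empty means compliant)."""
    return [rule for rule, ok in audit_321(primary, backups).items() if not ok]


# Constructed sample data: an on-prem primary, a NAS in the same building, and an
# offsite object-storage copy in two versions, one stale and one current.
PRIMARY = BackupCopy("primary", "local-disk", False, "on-prem", b"ledger 2020-06-15")
SAME_SITE_NAS = BackupCopy("nas", "nas", False, "on-prem", b"ledger 2020-06-15")
STALE_CLOUD = BackupCopy("cloud", "object-storage", True, "cloud-a", b"ledger 2020-06-01")
FRESH_CLOUD = BackupCopy("cloud", "object-storage", True, "cloud-a", b"ledger 2020-06-15")


if __name__ == "__main__":
    for name, backups in [
        ("stale offsite copy", [SAME_SITE_NAS, STALE_CLOUD]),
        ("no offsite copy", [SAME_SITE_NAS]),
        ("compliant", [SAME_SITE_NAS, FRESH_CLOUD]),
    ]:
        print(f"{name}: failing rules = {failing_rules(PRIMARY, backups)}")
```

The digest comparison is the part most often skipped in practice: a copy that exists but no longer matches the primary counts as an error under the "zero errors" goal, and the audit reports it as one.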
On-Prem vs. Cloud
Each business, its applications, and the requirements for those applications are unique. Your systems will be architected to support whatever unique design your business has. Three main IT architectures used for companies are on-premise, public cloud, and private cloud.
- On-premise: Your systems, data, and applications are physically located at your facility
- Public cloud: You utilize many SaaS-based applications hosted in a public cloud (e.g. Google, Azure, AWS)
- Private cloud: Your applications are sitting on a server co-located in a data center, or you have a contract with a private cloud company where the cloud environment is dedicated exclusively to your business. Private cloud works well for regulated companies that are required to follow certain types of guidelines and are required to demonstrate data sovereignty to an auditor.
Each of these different architectures requires a different data continuity plan. On-premise architectures require offsite backup plans. Public cloud is technically already offsite, but the default backup options differ from provider to provider, and further options should be considered according to each business’s unique needs. Private clouds are usually in one specific geographic location, so find a geographically separate site for the backup.
Critical IT Systems
You might be asking, “how do I know which IT systems are the most critical?” Sit down with your team and determine which IT systems and applications affect your business operation the most, or if compromised, would cost your business in loss of funds or reputation. Different applications will have different levels of significance to your company and can be classified according to their Recovery Time and Recovery Point Objectives (RTPO).
- Recovery Time Objective (RTO): How long can your business function without that app? RTO applies to downtime, specifically how long you can function without an application before significant business damage occurs.
- Recovery Point Objective (RPO): How much data can your company afford to lose? Your RPO is determined by how much data you can lose before your business experiences significant harm.
You can use an RTPO ranking system to figure out what the relative levels of criticality are for your different applications. A simple Tier-1/Tier-2/Tier-3 method of classification to determine the criticality is as follows:
- Tier-1: Mission-critical applications that require an RTPO of less than 15 minutes
- Tier-2: Business-critical applications that require RTO of 2 hours and RPO of 4 hours
- Tier-3: Non-critical applications that require RTO of 4 hours and RPO of 24 hours
Your final backup plan will be a combination of criticality and your budget.
Backup, Test & Restore
Now that you have your IT backup system in place, you’re good to go, right? Wrong. You must test your backups. In case you didn’t catch that…you MUST test your backups. Regular tests to ensure the data is backed up correctly should be performed annually, at a minimum. Since a lot can change in six months, we recommend that you perform them once per quarter. This quarterly backup and test restore will ensure that you meet the defined RTOs and RPOs. If the backup fails, this gives you time to identify root causes and create a corrective action plan. In the case of an actual disaster, your backups will function as intended, and your systems will be restored as designed.
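To tie the tier table in the previous section to the quarterly test-restore advice here, the following Python example (added for this post, not the authors' own code) classifies an application into Tier-1/Tier-2/Tier-3 from its RTO and RPO, then checks a constructed log of test restores against the tier's limits: was the last test within a quarter, did the restored data verify, did the restore finish inside the RTO, and is the backup interval short enough that the worst-case data loss stays inside the RPO. The TIERS limits are the figures from the post, treated as inclusive upper bounds (an assumption made here); the RestoreTest type, the evaluate and report functions, and the sample records are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Tier limits from the post, in minutes, as (max RTO, max RPO). Assumption for this
# example: the limits are inclusive upper bounds, and Tier-1's "RTPO under 15
# minutes" is read as both objectives within 15 minutes.
TIERS = {
    "Tier-1": (15, 15),
    "Tier-2": (2 * 60, 4 * 60),
    "Tier-3": (4 * 60, 24 * 60),
}


def classify(rto_minutes: int, rpo_minutes: int) -> str:
    """Return the tightest tier whose RTO and RPO limits cover the stated objectives."""
    for tier, (max_rto, max_rpo) in TIERS.items():
        if rto_minutes <= max_rto and rpo_minutes <= max_rpo:
            return tier
    raise ValueError("objectives looser than Tier-3; not covered by this scheme")


@dataclass
class RestoreTest:
    """Result of one scheduled test restore (hypothetical record type)."""
    app: str
    tier: str
    tested_at: datetime        # when the test restore was run
    backup_interval_min: int   # how often backups of this app are taken
    restore_minutes: int       # measured time to restore and verify the app
    verified_ok: bool          # restored data passed its integrity checks


def evaluate(test: RestoreTest, now: datetime, max_age_days: int = 92) -> list[str]:
    """Findings for one app; an empty list means it meets its tier's objectives."""
    max_rto, max_rpo = TIERS[test.tier]
    findings = []
    if now - test.tested_at > timedelta(days=max_age_days):
        findings.append(f"last test restore on {test.tested_at:%Y-%m-%d} is older than a quarter")
    if not test.verified_ok:
        findings.append("restored data failed verification")
    if test.restore_minutes > max_rto:
        findings.append(f"restore took {test.restore_minutes} min, exceeds RTO of {max_rto} min")
    # Worst-case data loss is one full backup interval, so the interval
    # between backups must not exceed the RPO.
    if test.backup_interval_min > max_rpo:
        findings.append(f"backups every {test.backup_interval_min} min, exceeds RPO of {max_rpo} min")
    return findings


def report(tests: list[RestoreTest], now: datetime) -> dict[str, list[str]]:
    """Map each app to its findings, ready for a corrective action plan."""
    return {t.app: evaluate(t, now) for t in tests}


# Constructed sample: three apps, one per tier, reviewed on 2020-06-15. The CRM's
# last test is from January, and the wiki's restore overran its Tier-3 RTO.
NOW = datetime(2020, 6, 15)
SAMPLE_TESTS = [
    RestoreTest("order-db", "Tier-1", datetime(2020, 5, 20), 10, 12, True),
    RestoreTest("crm", "Tier-2", datetime(2020, 1, 10), 60, 90, True),
    RestoreTest("wiki", "Tier-3", datetime(2020, 6, 1), 24 * 60, 300, True),
]


if __name__ == "__main__":
    for app, findings in report(SAMPLE_TESTS, NOW).items():
        print(app, "OK" if not findings else "; ".join(findings))
```

The backup-interval check is the one that links RPO to a schedule: if an application is Tier-2 with a four-hour RPO, a nightly backup cannot meet it no matter how well the restore performs, and the report says so before an incident does.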
It’s never too late to plan your business continuity IT strategy, even if you are already in the middle of a crisis. Set yourself up for success in case disaster, or further disaster, strikes by determining your critical IT systems and developing a data backup plan that is appropriate for your business. Ask questions like “how much does one hour of downtime cost me?” to determine how much of your IT budget to allocate to your backup plan. Then test your backup systems to ensure they are functioning properly, and your valuable data is safe in case of a disaster.
Always have a back-up plan for your IT assets