Technology Section Council: Business Continuity & Disaster Recovery Primer
Wednesday, October 2, 2019
Business continuity and disaster recovery are not the same. Anyone who thinks otherwise needs a better understanding of which strategies keep companies viable during which kinds of crisis.
For example, some areas are more susceptible to hurricanes, like in Florida and Louisiana. Some are more likely to face a tornado, like in the Midwest. All locations can potentially be affected by a power outage, building fire, or a broken water pipe. All organizations are also susceptible to a cybersecurity breach, which could result in the loss of data, organization reputation, and business credit.
No, business continuity and disaster recovery are not the same, nor are they tools used exclusively by global organizations. Everyone should know that natural disasters aren’t impressed by the size or scope of a company, and cyber criminals see small organizations as low-hanging fruit.
What’s the difference between business continuity and disaster recovery?
Essentially, business continuity is a plan that ensures business operations and processes may be completed during a weather event, natural disaster, cyber attack, or any event that has the potential to critically interrupt business. Disaster recovery, on the other hand, is your road map for getting business processes back to normal after such an event.
For instance, part of a business continuity plan may call for employees who normally work inside an office to work remotely until an area recovers from a natural disaster such as a flood. Such a plan would direct the organization on how it intends to do business, even when forced to operate in an abnormal working situation.
Conversely, disaster recovery is the plan in an organization that will guide temporary remote employees back into the office. In fact, it could also address how all critical services will return to the headquarters after an initial crisis has passed.
Know the risks.
While you may be able to plan for a weather event or natural disaster, and even anticipate which systems might be impacted, planning may be more complicated for an unpredictable event such as a cyberattack or any other unanticipated event. For example, there may be a lengthy investigation attached to a cybersecurity issue that delays normal operations for months. This won’t likely be the case for a natural disaster, but some super storms have proven to disrupt operations for extended periods of time or even indefinitely. In such cases, both business continuity plans and disaster recovery plans need to follow flexible processes.
Business Continuity Plan Checklist.
- Determine which systems, software, and networks are critical for business operations (and which vendors may be responsible for each).
- Examine which types of events are more likely to impact your employees, systems, software, and networks.
- Identify the third-party partners that are crucial for your operations and talk with them about their business continuity strategies.
- In the event that a provider, third-party business partner, or other party experiences a business interruption because of an event, develop solutions that will prevent your processes from being adversely impacted.
- It is also recommended that an organization investigate off-site facilities and services, such as critical data backups, to preserve and protect data.
These steps can help you establish a reliable business continuity plan in the event of a disaster. Once adopted, test the plan under pressure during a variety of scenarios. When a real event occurs, your team will be better able to execute the business continuity plan.
Cyber criminals have sophisticated attack strategies and they don’t care how large or small an organization might be. When IT professionals and executives think about the disaster recovery process, their first concern involves getting hacked. However, there are other cyber criminal attacks that require a disaster recovery strategy. Prepared organizations always consider all possible threats.
Depending on the area of operation, hurricanes may be a primary concern. In other parts of the country, floods and earthquakes pose more significant risks. It is incumbent on the organization to consider all other types of natural disasters that can hit any part of their service area or impact another part of the world, causing other compromises. In fact, just as no interruption or disaster is too large, no disaster can be too small. Sometimes the culprit is human error, a power outage, or a complex hardware malfunction.
The bottom line is that all of these risks pose a threat to the business and its data, which means there must always be a strategy in place that plans for the worst.
Customizing Your Plans
The strategy the company down the road came up with might be an excellent fit for them, but it’s not likely to address all unique needs. All MLSs have different infrastructure, which requires a customized disaster recovery process.
Start with some basic questions. Do you currently have your data on site in your own data center? Is your data being stored offsite with a third-party cloud provider? Are you taking a hybrid approach?
The disaster recovery solutions you choose are contingent on how you answer those questions and can also impact how you implement a new process. For example, more and more organizations are turning to multiple data centers in different geographical locations, with several sites storing the same data for redundancy. This approach makes sense because if a disaster occurs in one center, the data is still preserved in another area. However, even organizations that store data onsite or as part of a hybrid model have options to address disasters.
RPO and RTO
Two important aspects of any disaster recovery plan are recovery time objective (RTO) and recovery point objective (RPO).
When looking at RTO, consider the time required to get business services back up and running after experiencing an outage. With RPO, look at your organization’s tolerance for data loss. It’s recommended all organizations work with vendors to develop agreements regarding the RPO and RTO.
What more organizations with onsite solutions are finding is that a cloud-based approach reliably serves customers and addresses the most important aspects of RPO and RTO. This solution may even provide cost savings along with ease of use.
Disaster Plan Example.
The Royal Palm Coast Realtor® Association located in Fort Myers, Florida, has created and maintains a hurricane disaster preparedness plan. The following is an outline of its plan.
- Address and describe all facilities, offices, and training locations
- Publish the authority and scope of their disaster plan
- Outline the responsibility of preparedness and regularly update plans
- Define responsibilities of executive management; emergency management
- Draft hurricane and tropical storm watch and warning procedures
- Detail all evacuation routes from their facilities
- Provide emergency shelter information
- Include a list of ‘family needs’ items
- List which essential business information is stored offsite
- Reminder to shut off all main power, gas, and water at the facilities
Post hurricane actions
- Define management and employee responsibility:
- Call in their location and status of the association
- Inventory the business for any damages
- Inform association president or another officer of any situation
- Develop communications protocols such as a fallback cell number for emergency use
- Publish all emergency phone numbers for critical city and county services
This article was submitted as a special collaborative effort on behalf of the CMLS Technology Section Council.