One of the key facets of business continuity and disaster recovery (BCDR) is that it is not sufficient just to run backups.

A solid business continuity plan should do the following:

• identify where all critical business information is stored

• identify how the information is backed up (i.e. how frequently, where the data is stored, where the backups are stored, how quickly the data must be able to be recovered

• Backups must be encrypted (so they cannot be easily stolen)

• Backups must be isolated from the network at all times (so that they cannot be easily damaged by attacks like ransomware)

• Backups should be pushed offsite using high level encryption (so that the data cannot be “sniffed/stolen”)

• The backup copies should be stored offsite, encrypted at rest, in such a way that even the storage vendor does not have the encryption code (so that the data cannot be stolen). In this way if your local backup copy were destroyed, the data can still be recovered.

• Your IT group should be testing major recoveries monthly, to refresh procedures and skills, and to verify your backups are tested and recoverable.

• Your business continuity plan should identify what you believe are the most likely ways your data can be damaged/destroyed (insider theft, ransomware, fire, etc…this varies based upon your business situation)

• It is reasonable to work with your IT team to “game out” how these situations could occur, what the most likely damage would be, and how you would recover from each scenario. Keep it realistic (no need for asteroid strikes, bubonic plague, or zombie apocalypse).

• “Play out” a key scenario with a tabletop exercise…this is a walk-thru with key players, limited to 2-3 hours. Document what was learned. Document what needs to change. Update your plan.

• “Play out” a key scenario with a practical exercise…during a low impact timeframe shut down a designated server and walk through the recovery. In many cases a complete (and temporary) server recovery should take no more than 15-30 minutes to “fail-over” to the recovered server. Do at least a basic list of tests to ensure that the recovered server fulfils its normal function. The “fail-back” by shutting down the recovered server and bringing back up the normal production server. Document what was learned. Document what needs to change. Update your plan.

The steps above are the different between backups (a second copy of your data) and business continuity (your business survives a data issue in a reasonable period of time with reasonable effort).

Bear in mind that according to the National Cybercrime Alliance statistically 70% of businesses who suffer a major data loss will cease operations within two years

Are you currently part of the 70%?

Reach out to Dolce Vita today at 405-822-7912 if you want to give your business the best chance to be part of the other 30%.