Establish a Plan to Master the Disaster

In March 2021, a massive fire severely damaged Europe’s third-largest hosting company’s data center and rendered two others temporarily inoperative. Thankfully, no lives were lost in the fire, but countless websites around the world were knocked offline for days;, an eternity for many companies whose survival is dependent on their online presence. While a catastrophic event of this magnitude may be mercifully rare, a multitude of other disasters are not, and being unprepared to respond and recover can pose an existential threat to a business.

Attempting to quickly cobble together a response after a disaster occurs is almost destined to fail, as a hastily executed reaction will undoubtedly miss key measures needed for a successful and rapid recovery. Proactively preparing, however, will save critical time and resources when attempting to return to normal operational status after a disaster. Since every minute of downtime can have a severe impact on revenue, a well-designed disaster recovery plan can be the difference between a temporary interruption and absolute ruin.

The frequently asked questions below have been answered to help a business understand and prepare an effective plan.

What are some of the benefits of developing a Disaster Recovery Plan (DRP)? 
A DRP can significantly reduce the exorbitant costs associated with a disaster by providing the necessary steps to streamline the recovery process. Also, if a business can rapidly recover from a disaster, it will minimize the reputational damage and erosion of customer confidence associated with a drawn-out response.

What types of disasters should a business plan for?
A DRP should consider a wide array of conceivable disaster scenarios. Examples include: data center disruption, power outages, cyberattacks (particularly ransomware), natural disasters, and human error such as the accidental deletion of a network share. Responding to disasters impacting critical third-party resources and supply chains should also be considered when developing a plan. 

What are some of the key elements of a DPR?
For each disaster scenario, the plan should include safety and communication protocols (e.g., who is authorized to enact the plan), contact information for employees and third parties, clearly defined roles and responsibilities, recovery action steps (e.g., offsite backup restoration instructions), network diagrams, and inventories of backups, data, applications, and hardware. The plan should also include an estimate of downtime for each disaster recovery scenario.  

If a business already has had an incident response plan (IRP), should they develop a DRP?
Yes. A DRP provides guidance related to business continuity after a disaster, while an incident response plan provides steps related to responding when sensitive data has been compromised. While the plans may share some similar elements, they should be developed and tested separately. 

Is a DRP the same thing as a Business Continuity Plan (BCP)?
No. While there is overlap between the two plans, the primary difference is that a BCP is focused on maintaining operations during and immediately after an unexpected interruption, while a DRP focuses on returning the business to normal operational status after an unexpected interruption. While similar in nature, think of a BCP as a roadmap to temporarily function until the DRP helps a business restore operations to how they were before the interruption occurred. 

Should the development of a DRP be handled solely by IT?
No. If possible, the development of a DRP should include key members from each of your organization’s departments. By involving team members from different departments, light will be shed on otherwise overlooked disaster scenarios. Another benefit of taking a holistic team approach is that all departments understand the approximate recovery time needed after a disaster, as well as their responsibilities during the recovery process. 

After a business has created a DRP, can they let their guard down?
No. While developing a DRP is a critically important accomplishment, there are additional steps required to maximize the chance of successfully recovering from a disaster. Once the plan has been prepared, it should be tested on a regular basis. These tests will help to identify areas of the plan that need improvement or that are obsolete due to technology or personnel changes. Since a full-blown disaster recovery test may not be feasible, table-top simulated testing is an acceptable alternative.

To help prepare for a disaster, consider setting up a meeting to discuss how Citrin Cooperman can help your business. To get started, please reach out to Michael Camacho at mcamacho@citrincooperman.com or Kevin Ricci at kricci@citrincooperman.com.