BCDR Plans: Why They Matter and Why Your Business Must Have One

CEO Insights
02-24-2023
By Jim Steinlage, President & Chief Executive Officer

Business continuity and disaster recovery (BCDR) – why should we as business owners or stakeholders care about what the acronym means or why it should be important to us? We may assume our internal IT business unit or outside managed services have it all covered with our traditional backup processes. Unfortunately, using the word “assume” together with BCDR plans in data protection can be dangerous. The definition of assume is “to take something for granted”. Business owners and stakeholders are still doing this today. As technology providers we regularly hear phrases like: “It’s too expensive”, “it won’t happen to us”, “our IT department has it covered”, and/or “our managed solutions provider has us protected”.

Have you asked the question, “What if?” What if we are victims of a cyberattack, have a natural disaster, or have a major outage happen? Do you feel confident in your plan and that everything is covered?

Data loss is a serious threat to organizations, yet many still don’t have an adequate plan in place to mitigate the damage of a natural disaster or cyberattack. We live in a world that depends heavily on digital data for everything we do. As an organization, if you don’t have a formal business continuity and disaster recovery (BCDR) plan, and your network functionality is crippled, you could find your organization’s survival in jeopardy. In the short term, downtime will cost your organization immediate revenue and the ability to provide services; in the long term, it could cost you your organization’s reputation, your customers, and your ability to survive.

Smaller organizations often lack the necessary talent and time to create a solid BCDR plan. If you are an owner or stakeholder, don’t assume your IT team has it covered. Be sure to ask questions and make sure the plan is tested regularly.
For those who outsource to a managed service provider (MSP), your MSP should be able to help with your BCDR solutions. Don’t assume your MSP services include BCDR solutions unless they are in your contractual services. During initial discovery calls, or later during Quarterly Business Reviews (QBRs), MSPs should be asking those in your organization who have a vested stake about the desired RTOs and RPOs (explained later). If you don’t have a comprehensive BCDR solution because you don’t feel you can afford it or need it, you should expect your MSP to issue you a disclaimer that they are not liable for outages or loss of data if you have a disaster or cyberattack. If you are looking to buy cyber insurance, expect questions about your BCDR plan to be discussed.

Why You Need a BCDR

No matter what size your organization is, you face the same risk of fire, flood, and ransomware that enterprise-class businesses do. It’s critical that you protect your organization from these and other potential disruptors to assist with the following:

- Minimize downtime – When networks go down for any reason, the entire business is affected. Sales reps can’t prospect, billing can’t process invoices and payments, and remote employees can’t access the information they need.
- Be prepared – Is there anything worse than being struck by a network disaster? Yes – not being prepared to resolve the consequences in a timely manner. Without a BCDR plan, it’s risky to assume your IT team knows what to do. While a BCDR plan can’t prevent cyberattacks or network outages, it can help minimize the time your business operations are negatively impacted.
- Protect sensitive data – How many critical sensitive files would your business lose if data wasn’t properly backed up regularly? What if you permanently lost access to client, financial, or legal documents?
A BCDR plan that includes automatic copies of backups and takes snapshots multiple times per day (including offsite backups) helps your business avoid severe data loss in the event of a network outage or cyberattack. This should be regularly verified and audited by someone outside of IT.

Business Continuity Plan vs. Disaster Recovery Plan

Since you can’t guarantee your business will never face a disaster, it’s vital to take measures to mitigate damages and quickly restart operations should a disaster occur. Disaster recovery plans and business continuity plans work together to reduce downtime and loss of data. Some may think of disaster recovery and business continuity as the same thing, and although both work together, they each have different purposes.

A business continuity plan is a list of procedures that enables your business to continue to operate and resume mission-critical operations as quickly as possible after a disruptive event. It is a list of processes that specify individual and organizational responsibilities and tasks. It also details how essential services like IT and communication channels are maintained during disruption.

A disaster recovery plan is a list of processes you go through to restore essential business activities as soon as possible. It usually focuses on IT for recovery from a disruptive event with technological components like loss of data or infrastructure. It is much more specific than a business continuity plan; a disaster recovery plan indicates the steps and technologies needed for recovering from a disruptive event.

How to Build a Business Continuity (BCDR) Plan

Based on your organization’s unique structure, goals, and weaknesses, your BCDR plan might encompass the entire business or just sections of it. Many companies will focus on protecting their digital data, as it is the heartbeat of the company and a necessity for survival. There are other critical areas, too, as disasters differ, and it’s important to consider all possible scenarios.
Here are essential steps to take when creating a BCDR plan:

Evaluate Operations and Identify Weaknesses

Begin with a business impact analysis (BIA) by:

- Gathering information about the kinds of threats to which your organization is vulnerable (cyber, fire, flood, hurricane, internal).
- Prioritizing the probability of each threat happening.
- Preparing a list of the type, possible effects, and how to manage during each kind of disaster event.

The analysis should be signed off by all decision-makers before assigned response team training takes place.

Build a Response Team

Every BCDR plan needs a designated team to effectively tackle disasters after they strike. The team can only minimize your potential losses if it’s prepared and ready to act when an event happens. Three things to ensure your team is prepared are:

- Resilience – This involves identifying business-critical operations, mitigating risks, and engineering systems that ensure you can return to normal as quickly as possible.
- Recovery – The focus is relocating systems and determining at what point a system can be deemed clean and recoverable.
- Contingency planning – Contingency planning begins by completing the business impact analysis (BIA), putting preventative measures and controls in place, developing backup plans for data systems, and developing testing and training.

Building resilience, recovery, and contingency into your BCDR plan significantly reduces downtime and ensures team members are fully aware of their roles and responsibilities. It is important to conduct regular plan reviews and test runs.

Identify Critical Data and Workloads

Data should be classified by its level of importance. Higher value should be given to workloads critical to your business staying operational and generating revenue. Develop a recovery time objective (RTO), the maximum time allowed to restore the business to full function after a disaster.
This keeps downtime acceptably low and helps you avoid undesirable consequences associated with the disruption. Few stakeholders or owners are aware of how long an outage may last. This is an area where ownership and stakeholders assume too much.

Defining Recovery Time and Recovery Point Objectives

Once you specify which data is critical for business continuity, you can then define recovery targets and times for each. Recovery time objectives (RTOs) refer to the maximum amount of downtime your business can tolerate. Recovery point objectives (RPOs) measure, in hours or minutes, how up-to-date recovered data must be to ensure normal operations (e.g., loss of billing, inventory, payroll, production, etc.). Together these two considerations represent how much downtime and loss of data you can reasonably tolerate before services are restored.

Regular Testing and Review

Recovery procedure documents and checklists explain the process to follow when disaster happens and how to recover from its effects. They primarily focus on IT team responsibilities and should identify:

- Proper backups for fast and easy data restoration.
- Routine failover testing to ensure all data is recoverable and meets RTO and RPO requirements.
- Regular inspections and walkthroughs of recovery processes.

A comprehensive checklist is the ideal planning document to help stakeholders ensure their business’s IT systems comply with established recovery procedures.

Response and recovery logs are records that detail possible hazards. Response logs list things like the type of hazard, who or what was affected, the damage that occurred, and whether the BCDR plan was followed correctly. Recovery logs record the steps carried out, a breakdown of recovery times for different operations, and the time it took the business to restore itself to normalcy, along with a root cause analysis (RCA).
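The RTO and RPO checks described above can be automated by someone outside of IT. The following Python audit is an added example, not part of the original article: it measures the worst data-loss window from verified snapshots and the slowest failover drill per workload. The workload names, targets, and timestamps are constructed, and treating unverified snapshots as unrestorable is an assumption of this example.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical workloads, targets and timestamps).
H, T0 = timedelta(hours=1), datetime(2023, 2, 24)
TARGETS = {"billing": (1 * H, 4 * H),      # workload -> (RPO, RTO)
           "payroll": (24 * H, 8 * H),
           "inventory": (4 * H, 2 * H)}
SNAPSHOTS = {  # workload -> [(completed_at, restore_verified)]
    "billing": [(T0, True), (T0 + 1 * H, True), (T0 + 2 * H, False),
                (T0 + 3 * H, True), (T0 + 4 * H, True)],
    "payroll": [(T0 - 20 * H, True), (T0, True)],
    "inventory": [(T0 + h * H, True) for h in (-6, -3, 0, 3)],
}
DRILLS = {  # failover tests: workload -> [(outage_declared, service_restored)]
    "billing": [(T0, T0 + 3.5 * H)],
    "payroll": [(T0, T0 + 9 * H)],
}

def worst_data_loss(snaps, audit_time):
    """Largest window of changes that no verified snapshot would cover."""
    # Assumption: a snapshot that failed restore verification does not count.
    good = sorted(t for t, verified in snaps if verified and t <= audit_time)
    if not good:
        return None  # nothing restorable
    points = good + [audit_time]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def audit(audit_time):
    """Return {workload: [findings]}; an empty list means both targets are met."""
    findings = {}
    for name, (rpo, rto) in TARGETS.items():
        issues = []
        loss = worst_data_loss(SNAPSHOTS.get(name, []), audit_time)
        if loss is None:
            issues.append("no verified snapshot")
        elif loss > rpo:
            issues.append(f"RPO missed: {loss} > {rpo}")
        drills = DRILLS.get(name, [])
        if not drills:
            issues.append("RTO untested: no failover drill on record")
        else:
            slowest = max(end - start for start, end in drills)
            if slowest > rto:
                issues.append(f"RTO missed: {slowest} > {rto}")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for workload, issues in audit(T0 + 4.5 * H).items():
        print(workload, "OK" if not issues else "; ".join(issues))
```

In the sample data, billing has hourly snapshots but one failed verification, so its real exposure is two hours against a one-hour RPO; inventory meets its RPO but has never had its RTO tested.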
BCDR Testing

A business continuity and disaster recovery plan is only effective if subjected to continual testing and improvement. Methods you can implement to test a BCDR plan’s effectiveness are:

- Reviews – BCDR plans should be reviewed with stakeholders.
- Simulations – Planned failovers can be an effective way to prep team members for any unanticipated event and identify possible bottlenecks.
- Resources – Using outside resources can help identify issues and training you might not have considered.

Managed Service Providers: A Source of Expertise for BCDR Planning

Many cost-conscious small to mid-size organizations don’t reach out to a managed services provider (MSP) for help until after a disruption. It’s typically more prudent and cost-effective to partner with a qualified MSP who can provide proactive measures like BCDR planning. MSP professionals have the knowledge and experience to quickly identify possible points of failure that aren’t always obvious to company stakeholders. They can suggest improvements and provide multi-site backups, malware protection, and monitoring solutions, including:

- Business impact analysis and defining RTO and RPO objectives
- Emergency response personnel contact information and processes
- Employee training
- Equipment inventory
- Risk assessment

Is Your Business Prepared to Avoid Downtime in a Disaster?

Most small to mid-size organizations need assistance in establishing a plan that ensures operations continue with as little disruption as possible following a natural disaster or cyberattack. A qualified managed IT services provider can be your trusted advisor on all things BCDR-related, saving your business from doomsday scenarios that threaten continuity. Don’t assume you are covered; you work too hard to potentially lose so much.