While business continuity (BC) and disaster recovery (DR) are beneficial to organizations of all sizes, they can be a tough sell for small- to medium-sized businesses (SMBs). And despite rumors to the contrary, the U.S. economy is still struggling, which makes acceptance of BC/DR even more difficult. But with some careful planning, smaller businesses can ensure their continued operation following a disruptive event and develop a successful disaster recovery procedure.
Large companies with complex IT infrastructures typically develop data recovery plans for disasters of all types -- natural or otherwise. By contrast, SMBs must often focus on protecting property, inventory and employees, and may overlook the importance of a disaster recovery plan to protect their critical information. A disaster such as a flood, fire, or computer virus attack can close SMBs for days, resulting in lost customers and competitive position. Without a way to recover quickly, many SMBs simply won't survive.
When developing a small business disaster recovery plan, it's important to get a realistic idea of the risks the business faces. For example, it may not be necessary to back up everything stored on your computers; operating systems and software can be replaced. In this tutorial, learn how to get started with DR planning and how to develop a disaster recovery procedure for a small business.
Small businesses need to keep their disaster recovery plan simple
DR plans for SMBs should focus on the following:
- Customer information
- Email correspondence
- Financial information
- Legal documents
- Intellectual property
- Sales and shipping records
- Other irreplaceable data
The above list may seem similar in many ways to the situation with larger organizations. The difference is more a matter of scale than scope. Large organizations think in terms of terabytes of information, whereas SMBs may only need to protect gigabytes.
If you're concerned about enterprise data storage issues in your SMB, consider devices like plug-in zip drives or external hard drives (using a USB interface). These low-cost devices can store many gigabytes (and even terabytes) of data, and are easy to transport and store. For example, a 16 GB plug-in drive can cost under $50 at an office supply store. That's sufficient data storage for many SMBs, unless the data files are very large, such as images, photographs, maps, etc. In this case, be sure to buy two devices, so you can have a backup.
Something as simple as the above example could be the foundation of an SMB disaster recovery plan. After that, a very basic DR plan should include a list of assembly areas where the staff can meet following a building evacuation. Additional items for the DR plan should include a list of suppliers and a list of all contacts for the firm (both internal and external). For instance, let's assume your firm's technology infrastructure is based largely on Microsoft Office products, plus Exchange for email. Assuming the CDs with system files are protected (maybe even stored in someone's home), the process of restarting these applications is relatively straightforward.
In a disaster situation where your phones are inaccessible, getting phone service moved to an alternate location is pretty simple, and can usually be done by calling your local phone company. However, if you own your office phones and cannot get to them (or maybe they are destroyed), you can go to most office supply stores and purchase a replacement. Naturally, if the staff has cell phones, those can be used for communication in the immediate aftermath of an incident, e.g., contacting all team members, and contacting clients and suppliers.
What many businesses -- both small and large -- often overlook is the need to document recovery procedures, lists, data-related information and other important details. This doesn't take volumes of paper, and it certainly doesn't take a lot of time to compile. Much of it can be printed on laminated wallet cards that everyone can carry. A documented recovery procedure can also be printed on a few sheets of paper that can be stored in personal motor vehicles and at home.
Creating a formal disaster recovery procedure
The items we suggested above are usually the minimum a small business needs to recover itself following a disruptive incident. As you can see, the financial investment is nominal. The challenge is to make the effort.
Suppose you decide to develop a more formal disaster plan. Begin by identifying what needs to be protected. Perform a risk assessment that takes into account all the possible risks to your critical data and business operations. Rank them by 1) the likelihood of occurring and 2) their impact on the business. Be sure to address human disasters such as theft, the potential of a flu pandemic, death and workplace violence, plus computer hacker attacks. This process is nearly the same as with a larger firm.
About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years of experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.