What are Data Disaster Recovery Plans?
Data disaster recovery service plans are like the insurance plans of information technology. Whilst technology has managed to give us laser precision in analyzing and organizing our data sometimes we have had to recover lost data because the systems are not infallible yet.
The more we grow our digital assets the more we need efficient and reliable backup solutions for our information.
We need plans in place to prevent harm to the devices that host the data. We also need software applications and frameworks that can prevent malware based data violations.
So we are essentially talking about data insurance. A lot of institutions now create a large amount of data in a short space of time. Especially organisations in the financial sector that have to keep an accurate record of transactions being made in real time.
An IT specialist doing data management for an entity such as a financial or health institution is now required to have a frequently updated and detailed data disaster recovery plan and this guide will set the risk management principles of managing digital assets.
This article intends to highlight the important components that should be considered when drafting one and also provides an explanation of each idea so that the logic of implementing the strategies is understandable.
The article may not possibly outline all solutions that exist but it will give the reader a place to begin.
Firstly we will give an overview of the importance of such a plan.
Why It Is Important to Have A Data Disaster Recovery Plan?
It is a public secret that in the digital age big data is the new gold. Organisations that handle big data, especially that of third parties invest billions of dollars collecting as much data as they can, making big data a big asset. Like any big asset, data thus needs risk management and insurance plans in place.
Thus the most successful businesses are investing in cloud disaster data recovery solutions cyber liability insurance and other back up plans as a pre emptive measure.
Unlike insurance on tangible assets, data is an informational asset and no amount of monetary compensation can bring it back once it’s lost.If you had insurance on a car and something happened to it, the insurance would probably buy you the same make, in fact it would be newer. The same cannot be said for data unfortunately unless you have strategies before hand to mitigate the risk. Of course part of a well thought out data recovery plan is to assess the legal risk where data of third parties and other entities risks being compromised.
This is why one has to read that long boring page of terms and conditions to sign to any web service. The service may be handled by well meaning people but there is a fair chance black swan events that may happen and end up disrupting the service.
With tried and tested disaster recovery solutions on the market the vigilant IT administrator wants to know the most cost-effective strategies to ensure total data recovery in a worst-case scenario or prevent any loss from happening at all.
The insurance and risk management for data is in enforcing a disaster recovery plan from the onset for your entity. Imagine if all the leads and client databases you have accumulated over the years are reduced to nothing in a second. People spend large sums of money to acquire that data in the first place.
They say Rome was not built in a day but it can certainly be decimated in seconds.In computing we’d have to say ROM was not built in a day – pun intended.
To encapsulate the famous war strategy book, “The Art of War” Sun Tzu, the best way of winning any war is to mitigate it or prevent it. Would you rather search for “How to recover my data” after the fact or avoid the experience at all?
Not having a comprehensive IT disaster recovery plan for your business is like keeping gold in a transparent plastic bag. Investing in a data recovery plan or buying a data recovery serviceis not an expense but rather an investment to protect your valuable digital assets.
A Step-by-Step Guide on Elaborating A Disaster Recovery Plan
As with anything not all risks are the same. An organization has to sit down and do a SWOT analysis to assess the types of risks associated with their data collection. Certain organizations collect a large chunk of data in a space of an hour.
The risks experienced by a bank may not be the same as those of an independent music producer who may from time to time use a cloud storage system to back up mixes, photos and jingles.
Large business applications may incur large losses even for temporary downtime. They may utilize multiple data centers capable of handling all data processing needs, which run in parallel with data mirrored or synchronized between the two centers. This is a very expensive solution that only larger companies can afford.
There are solutions available for small to medium enterprises. The IT consultant(s) of the organization have to assess the risk. We will expand on the risk register later on.
Assess vulnerability to those risks
Create a risk register which essentially is a document with a list of the risks your data may face. Have a value system in the documentation that weighs risks from low to high priority. This will inform your budget allocation when you request equipment or services from the finance department.
This is a list that you will review on a periodic basis based on your experiences with items on the list. It is wise to allocate many resources to the aspects that would disrupt the business the most if they were not catered for well.
Determine the impact on the business
With each item on your risk register you basically have to assess the impact of things going wrong by identifying critical business functions and the health of the infrastructure that enables those functions. Certain infrastructure whether it is hardware or software has to have ongoing periodic maintenance.
Design and implement mitigation strategies
After identifying the major components that affect the continuity of business, it is essential to compile a table which lists the component, its priority level, its frequency of use and its back up plan.
Strategies must also be put in place during servicing or general maintenance such that all operations do not stop but rather that one segment is serviced at a time. To reduce total down time as employees may not be able to work whilst the components are being serviced.
Not only digital components are not limited to computing systems. Power supplies, cooling systems are some of many possible items that can affect data systems.
In days of the pandemic where some people may work from home, transport may need to be made available to IT support staff in the event that an employee’s computer needs attention. It is best if they have licenses and cars. The company may work on encouraging them to get licenses and may provide fuel or company cars.
Cloud storage and paying services that back up data is also crucial where data is backed up at a reasonable frequency, depending on the volumes of data to be dealt with.
Notes On Data Risk Management Strategies
System Account Administration
It is critical to perform password resets and account extensions for staff. The IT ServiceDesk can perform this service in the event general staff cannot.
Shared Network Drive (Server Data)
A weekly backup of data is kept offsite, and a daily backup is kept onsite. Data can be restored from these in the event of a server failure. There can also be implementation of parallel servers
Additionally, units may have software such as Microsoft Team workspaces for sharing of documents. It will be up to the organisation to look for the best option for them on the market.
Blockchain technology is a secured database technology which offers distributed data storage, point-to-point transmission, consensus mechanism, and encryption algorithms. It is often talked about in regards to cryptocurrencies but little has been spoken of how it’s a good candidate for securing data not only from disaster but from unauthorised access.
Cyber Liability Insurance
The organisation may intend to have a cyber liability insurance plan in case there are data breaches beyond control. Murphy’s Law does state that if something can go wrong it will.
Some system security threats may affect third party data or compromise the interests of other entities. The organisation may be compensated for system downtime and consequent loss of earnings as a result of a breach.
However, in most cases cyber liability insurance does not cover loss in terms of things such as bank interest or investment income, nor will it cover penalties paid to third parties or losses arising from claims made by third parties.
Insurance on Equipment
Whilst there may be backup equipment, all equipment needs to be insured so that in the event of a disaster, the equipment already in use can be replaced by the insurance company whilst the backup equipment is in use.
Notes On The Risk Register
These can be mitigated by the use of a generator or UPS (Unlimited Power Supply). Solar energy can also be a good alternative to invest in to mitigate that risk.
Where possible there should be an alternative UPS. The one in use must always be serviced and tested.
Updated emergency numbers for essential services such as the fire brigade must be available at all times. Also every office must be equipped with well serviced fire extinguishers. Wet pipe fire sprinklers can also be implemented as long as they are not prone to be triggered by false alarms.
Some fire sprinklers are triggered by smoke. So perhaps the organisation may have a separate smoking lounge and not allow smoking where any vulnerable equipment is situated.
Natural Disaster (Lightning Risk etc)
All equipment must be well earthed and equipped with surge protection measures. This will effectively reduce the impact of natural disaster such as lightning etc.
Data may also be lost to hackers who intentionally hack into a system and wipe it out. It is of paramount importance to increase server security and get a premium antivirus software license.
The antivirus or anti-malware software is to be updated frequently so that cyber threats have no chance. Some systems have a black and white list of websites so that care is taken when browsing.
There are many means of unauthorised entry: some may be by phishing, key loggers or authentication of third-party applications on platforms, where the user gives away their admin logins and passwords.
Human beings are prone to human errors. Thus they need to be trained on best practices on how to secure data. Human error in data loss is more likely than a lightning caused power surge.
In these days of people working from home, the staff itself may be versed in how to maintain the equipment but they have to manage children or other people in the house with regards to a computer that may contain work information.
Thus remote work has to be done in a safe space.Should their children or spouse need entertainment, there should be a separate computer for that.
In the event of a crisis, once clearance has been provided according to safety procedures, a damage assessment of the office will be carried out.
The primary goal of the assessment is to determine which hardware and services can be recovered and replacements that will need to be procured. Initial damage assessment is to be done by the IT personnel experienced in the area to be investigated.
Although the assessment should be thorough, it also needs to be done quickly so that the recovery can begin. The assessment will be documented in the critical equipment status assessment & evaluation form.The asset management database should be updated and reported to the Disaster Recovery Team.
Equipment to be inspected includes all equipment located in the data centre, networking equipment and equipment stored in the IT storerooms. This will be done in liaison with the Administration Asset Manager. Following the assessment, the Recovery Manager will submit an assessment report outlining the findings and state of services and equipment, along with a procurement plan and budget for replacement of equipment for Management approval.
If there are infrastructural or financial constraints new equipment should be procured in order of priority.
When a data disaster occurs, the need to communicate is immediate and essential. Valued clients will deserve to know how they are impacted and when services will be restored to normal operation.
As part of the disaster recovery plan a communication strategy to clients and any other affected persons of interest should be included in order to be able to communicate promptly, accurately and confidently during an emergency in the hours and days that follow.
Many different audiences must be reached with information specific to their interests, needs and general level of understanding particularly when initial assessment indicates a potentially prolonged outage.
During the disaster, communication to a wider audience might not be possible; so alternative means of communication should be used to disseminate information as quickly as possible.
Head of the ICT may craft a broadcast message and assess the affected audiences as well. It would also be wise for the department to have canned messages that can be edited to suit frequently experienced situations.
Depending on the nature of network distribution some email and some corporate tool might not be available to communicate, so alternative means of communication should be considered to broadcast message to the affected customers.
Testing and Reviewing
All strategies to be implemented need to undergo ongoing testing.
This is because nobody intends to find out that a strategy does not work during the actual crisis. At best educate new staff on best practices and make them write an assessment.
Ongoing Changes and Maintenance
As technologies are emergent in nature risks are likely to change. Malware and data breach methods are also being updated.
So ongoing education and training on data recovery and data disaster management will do a lot in preventing the disasters from happening, which is the mastery of the art of war.
We now live in a data driven society and it is becoming increasingly obvious that data is gold. There are many benefits to be experienced through big data collection. Nevertheless, there are also many risks in the handling of such a commodity. When it comes to data disaster recovery, it is better invest in solutions that aim for prevention, rather than correction.