Picture this: Company A and Company B experience ransomware that affects their operations in numerous locations. However, they both move forward with what to do about it very differently.
In both instances, an incident response (IR) plan is in place, which is a playbook for how the organization will respond to a disaster (i.e., anything from a sustained power outage at a data center to a criminal attack). Oftentimes, developing an IR plan goes hand-in-hand with disaster recovery (DR) planning, which is introduced in this article.
Company A Response
Representatives from multiple departments within Company A start reaching out to their internal IT department to let them know there’s a technology failure or emergency outage. Trucks can’t leave the dock with valuable food products because they can’t track the shipment. The warehouse is unable to print labels to identify which product goes in which storage unit. Workers can’t clock their time as shift changes happen, leaving many unable to leave or enter the building.
- The IT department is fielding multiple panicked calls from company leaders and employees at all levels.
- At this point, they reach out to their managed services provider (MSP) who offers IT support; they’re familiar with the backup solution, but don’t have a pre-defined plan that outlines what to recover first and how to prioritize.
- IT realizes the company has backups available, but they don’t know where to start with implementing a recovery effort.
- Meanwhile, the finance department says that since payroll is supposed to process tomorrow, their systems need to be back up and running.
- Warehouse management says that since they can’t properly monitor the cold storage to keep the produce at an optimal temperature, they need to be up and running first.
- Operations says that they can’t ship produce that’s ready to go to its destination, so they need to be the first ones to get the systems operational.
- To add to all of this, 50% of the workstations are down, which means employees can’t do their jobs.
- IT wonders whether they should bring up the servers first or the workstations.
- Since nothing was pre-defined, there were twice as many people needed to recover systems, working disjointedly trying to get them up and running.
- It took 3 to 4 days to get primary systems up and it was another 2 weeks before all the workstations were up and running.
Company B Response
Company B has an IR plan defined, as well, but they’ve combined this plan with a disaster recovery (DR) plan that prioritizes how they should recover once an incident is identified. There’s a collective sense of panic across the company as the same events play out: Trucks can’t leave the dock with valuable food products because they can’t track the shipment. The warehouse is unable to print labels to identify which product goes in which storage unit. Workers can’t clock their time as shift changes happen, leaving many unable to leave or enter the building.
- The IT department is fielding multiple panicked calls from company leaders and employees at all levels.
- The IT department knows exactly who to contact both within the company and with their MSP, who helps the company begin the recovery efforts.
- Each department and internal/external stakeholders have clearly defined roles as outlined in their DR plan.
- The DR plan outlines the priority order of the systems that have been identified by the business in advance. Partnering with the experts at its MSP, IT goes to work following the workflow for restoring systems in order.
- Under the direction of the company’s MSP, IT has backup workstations available in case of an emergency that can be used to execute critical applications while the core prioritized servers were brought back online.
- The downtime for the company was 24 hours for primary systems and all other systems were back up and running within 48 hours because this was carefully planned.
The scenario that Company A faced is not uncommon. Many times, leaders have a conversation about the risk the business faces and the importance of reducing that risk. But how often do we think about recovery?
As we’ve seen over the last several years, the risk of these kinds of incidents is growing by the day, making preparation the key to determining the impact that an outage will have on your business and how to recover quickly.
When do you need disaster response planning?
An IT disaster that is large enough to cause data loss and extensive downtime can come from many sources, including cyberattacks, hardware failures, various natural disasters, or seemingly simple power outages. Whatever the cause, downtime and data loss can be catastrophic to your business.
Although most companies have some sort of backup or rudimentary DR plan in place – or even have IR plans to use – they are often outdated or have gone untested for years. Businesses need response plans to react to disasters and cyber events quickly and effectively.
What is a disaster recovery plan?
A DR plan is a recorded policy and process that aims to restore a business’ applications and technology systems to full functionality following a disaster or emergency while keeping impact minimal.
One of the key parts of setting a DR plan is understanding the concepts of Recovery Point Objective (RPO) and Recovery Time Objective (RTO), which are the metrics that help you determine acceptable data loss and recovery time. Understanding the RPO and RTO for the organization can help IT define a solution that will meet the business needs in the event of a disaster.
- RPO is the measure of how much data is lost because of a disaster event, and how much time we can afford to have between the creation of backups. It’s the question, “How much work can we lose?”
- RTO is how long it will take the business to recover. It’s the question, “How long can a service be down?”
For agribusinesses, the perishable reality is that the shelf life of the product is finite. If customers don’t receive their product, shelves will be bare. Additionally, navigating food safety protocols and timing presents makes IR and DR planning essential.
Elements of a DR plan
Coupled with an IR plan, which outlines how you will respond to a disaster, a DR plan covers what comes next. There are some key elements to a DR plan that include the following steps:
- Developing a list of IT services and applications needed to support normal business operations.
- Identifying critical IT services and applications usage based on department interviews – helps identify why the system is important and to who it is important.
- Prioritizing the order for recovering IT system components and their dependencies ensures that recovery is done in an efficient manner.
- For example, without first recovering the network and Active Directory, users will be unable to access many mission- and business-critical systems.
- Understanding the business impact of IT systems and applications, which helps identify critical processes and ensures that the most critical functions are restored first in a major disaster.
- Outlining a communication plan, including a listing of contact information for individuals involved in both the IR and DR processes and their roles. This helps ensure that responsible individuals can be reached promptly during a disaster and assigned the appropriate tasks. One way this can be implemented is by establishing a call bridge.
- Testing the plans regularly (anywhere from quarterly to yearly based on the size of your organization and how much it has changed) to ensure everyone knows their role and that key factors for getting up and running are not missed.
The benefits of a DR plan
While the main benefit of a DR plan is to get critical systems up and running, as well as business functions restored to full capacity, there are numerous other outcomes associated with having a DR plan in place:
Cyber insurance implications. Some cyber insurance companies are now requiring companies to have IR and DR plans (as well as business continuity plans) in place to secure coverage, along with standards for protecting technology through pre-defined task lists.
Improved decision-making. DR plans take out the guesswork for IT teams and external MSPs when addressing an outage or incident, which means more informed decisions can be made and better business outcomes can be achieved.
Risk management. Taking time to document IR and DR plans and communicate with internal and external stakeholders that manage technology systems and applications means business risk is reduced as more clearly defined steps are executed to address an incident.
Peace of mind. This benefit might not be top-of-mind for some, but when employees have clear policies in place for how to deal with disasters, they are better able to address emergencies as they arise. This can result in higher morale overall.
C-suite involvement. More and more, we’re seeing agribusiness boards of directors asking about cybersecurity implications around technology implementation. This means IT and managed services providers are more involved than ever in helping address the risks and planning needed to protect the business. The C-suite wants to know, and it’s IT’s responsibility to address it.
Ready to talk DR?
ZAG can help you navigate IR and DR planning for your organization, concentrating on getting your hardware, software, and applications back up and running quickly and keeping your company going during the recovery process.