It takes just one hurricane, tornado, or flood to destroy a business: In 2020, there were 416 global natural disaster events, according to consulting firm Aon. Small businesses are particularly vulnerable to these catastrophes, because too often, funds earmarked for disaster recovery are used for more immediate needs. Unfortunately, disasters strike randomly and only preparation can prevent them from wreaking havoc.
Too many organizations back up their data sporadically; too few have disaster recovery and business continuity plans. Many struggle to create business plans for the next quarter, much less dedicate time and resources to problems that may never occur. A continuity plan need not be overly extensive, though. You can right-size your plan based on budget, staff, resources and data criticality.
But backup, recovery, and continuity don't have to be cumbersome. A basic, comprehensive IT management framework is within reach of most (if not all) small businesses, and it's critical to ensure that the impact of a disaster – either natural or human-made – is minimized.
The 3,2,1 Approach
Data protection isn't simply precautionary; it can save businesses from major income loss and outright failure (not to mention from competitors capitalizing on that failure). At the most basic level, follow 3,2,1: Keep three copies of data, two of which are on other devices or types of media, with one of the copies stored off-site.
Having multiple copies raises the chance of a quick recovery. An unusual disaster that compromises your physical location could wipe out two of your backups. Likewise, using two types of media acts as insurance in case one method degrades or is destroyed. Data could be stored on hard drives, SSDs, USB drives, or in the cloud. Keeping one of the copies off-site helps to ensure that the information will be accessible. Most of the time, that means your online server backs up to cloud-based storage.
Cloud backup is popular because it is easily accessible and safe from damage during a natural disaster. Cloud-first backup storage with a local copy onsite helps keep all the bases covered. You must make sure, however, that backup happens nightly or more often. Recovering weeks-old data will not help your business's resilience. It's also worth checking the fine print of your cloud backup agreement. Some providers charge one fee for storage and another for retrieval, tacking on charges for network resources based on how much data you're bringing back down from the cloud.
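A backup set can satisfy 3,2,1 by count and still leave you with weeks-old data after a site loss. The check below is an added example, not part of the original article: the inventory format, the field names and the 24-hour limit (standing in for "nightly or more often") are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Copy:
    name: str               # label for the copy (hypothetical)
    media: str              # "ssd", "hdd", "usb", "cloud", ...
    offsite: bool           # kept away from the primary location?
    last_success: datetime  # time of the last completed backup to this copy


def audit_321(copies, now, max_age=timedelta(hours=24)):
    """Return a list of findings; an empty list means the set passes.

    max_age is an assumed threshold for "nightly or more often".
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than 2 media types")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    else:
        # If the site is lost, the freshest off-site copy is what you restore.
        newest = max(offsite, key=lambda c: c.last_success)
        age = now - newest.last_success
        if age > max_age:
            findings.append(f"off-site copy '{newest.name}' is {age.days} days old")
    return findings


# Constructed inventories, not real data.
NOW = datetime(2024, 3, 10, 8, 0)
STALE_CLOUD = [
    Copy("file-server", "ssd", False, NOW),
    Copy("office-nas", "hdd", False, NOW - timedelta(hours=7)),
    Copy("cloud-bucket", "cloud", True, NOW - timedelta(days=21)),
]
ALL_ONSITE = [
    Copy("file-server", "ssd", False, NOW),
    Copy("usb-disk", "ssd", False, NOW - timedelta(hours=7)),
]

if __name__ == "__main__":
    for label, inv in (("stale cloud", STALE_CLOUD), ("all on-site", ALL_ONSITE)):
        print(label, "->", audit_321(inv, NOW) or "passes 3,2,1")
```

The first inventory has three copies on three media types with one off-site, yet it is flagged because the only off-site copy is three weeks old.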
The only way to be ready when disaster strikes is to develop and implement a disaster recovery plan. This written document outlines the policies, procedures, and responsibilities necessary for recovering your IT systems and data. In essence, it's an instruction manual for when things go critically wrong.
Once developed, the DR plan must be tested to ensure that the IT team can recover critical systems and data no matter what type of disaster has occurred. Numerous templates are available online to help create a new plan or provide structure to an existing one. Ideally, the disaster recovery plan is part of your organization's overarching business continuity plan.
What IT needs to do in the event of a natural disaster, or one caused by human error or intentional malice, is explained in the DR plan. But to function in the aftermath of a catastrophe, an organization should develop a business continuity plan (BCP), as well. A BCP details how the business as a whole should respond in the event of an emergency or natural disaster. It contains contingency plans for all departments, from human resources to accounting to IT.
To get started, or to update an existing plan, organizations should conduct a business impact analysis, which is an internal audit of how different departments function as well as their dependencies (sales can't function without accounting, for example). The analysis helps determine how any type of disruption would impact the company, and it can help determine the potential financial and operational costs of each function and process that may be affected. Armed with that information, the business continuity team can either write the plan or engage with a consultant for assistance.
Once the plan is created, the continuity team tests it every 6 to 12 months to identify gaps and make adjustments. The team also must communicate the plan to all employees, so everyone can perform their roles as expected when disaster strikes.
Today, organizations face not only natural disasters but also those stemming from cyberattacks. Having redundant backup in addition to stress-tested plans can help small businesses bounce back quickly after any type of major disaster.