January 3, 2018 | Ellen Raineri, PhD
No small business owner wants to think about a disaster coming along and wiping out everything they've worked so hard for. But the tragic truth is this: Up to 60% of small businesses never reopen their doors following a disaster, according to the Federal Emergency Management Agency.
Have you thought about what would happen if a flood, hurricane, or cyberattack hit your business? Do you have the proper mechanisms in place to recover from such a disaster? If disaster recovery was not part of your business plan, now is the time to develop your strategies.
Download Our Free Disaster Recovery Plan Template
About 75% of small businesses do not have a disaster recovery plan in place, according to Nationwide. If you're a small business owner who doesn't have the money to hire an external firm to create a plan, you can create your own. Begin by analyzing the following:
- The types of risks that can occur for your company
- The likelihood of each occurrence
- The critical systems/data that could be impacted
This initial analysis will help determine your budget for disaster recovery. To assist you with this process, you can download a free disaster recovery plan template.
What should be included in a disaster recovery plan?
First, list the following:
- Key personnel contact information
- Insurance information
- Vendor contacts (computer hardware, plumbing, HVAC, etc.)
- Key customer contacts
- Bank and financial information
- Offsite data storage facility
Then, give step-by-step instructions for what to do in the event of a disaster. Include:
- An evacuation plan
- How you will notify employees and customers in the event of an emergency
- Instructions for redundancy (how to access backups for things like power, equipment, supplies, and data)
- A list of the software packages that will be part of the recovery
Last, you may wish to include an appendix of supplemental information such as floor plans, insurance policies, and technology service level agreements (SLAs).
Secure Offsite Storage Now
Identify critical hard copy or electronic data for financials, customers, insurance, vendors, and employees. On a continuous basis, make copies of (or mirror) your data and store it in an easily accessible location that would not be affected by the same disaster.
Small businesses can easily scan their data and store it in a cloud environment such as Google Drive or Amazon, which can be inexpensive and easily accessed. Alternatively, small businesses can store hard copy reports, magnetic tapes, DVDs, or flash drives off site.
Pay Attention to Security
If your small business stores physical information at a secondary site and/or backup information in the cloud or on an external device, you must consider security. Consider:
- The stored physical information is at risk from theft, accidents, or a natural disaster. Plan for things like door and window security and personnel access. Be cautious of drop ceilings and raised floors, from which intruders can gain access.
- The backup electronic information, whether it's on your own network or a cloud provider’s multitenancy system, may be at risk of a cyberattack. Implement adequate security measures such as an IDS, IPS, honeypots, antivirus software, network segmentation, firewalls, vulnerability assessments, and user education. Ask your cloud provider about the type of network security and disaster recovery initiatives it has.
Plan Maintenance and Awareness
Once you develop a disaster recovery plan, you must maintain it. To do this, establish a cross-functional team that drives maintenance and awareness initiatives. The team can host brown bag lunches to initially discuss the concept of disaster recovery plans, as well as trends. When there are changes in applicable regulations (e.g., HIPAA), purchases of new equipment, or changes in company direction, the team should evaluate the content of the plan.
Next, the team can invite risk assessments of the plan. If the cost of an external firm to conduct the risk assessment is a barrier, the team can invite employees, or even another trusted organization, to critique the plan. Last, disaster recovery training of personnel should be done initially and throughout the year.
Hot, Cold, Warm Choices
As part of your disaster recovery plan, you may wish to explore alternative sites to run your business if a disaster displaces you. Explore hot, cold, and warm choices:
- Hot sites are most expensive, as they contain duplicated hardware and processing systems; updates are current.
- A cold site is the least expensive, because it may simply consist of space, phone lines, and furniture.
- Warm sites fall in between in both pricing and functionality.
Organizations need to consider costs as well as how long a delay in operations is acceptable.
If cost is a major concern, a cold site may be your only option. If so, contact a leasing firm for pricing. You could also explore other creative avenues that mirror a formal cold site. For example, perhaps you could strike an agreement with a trusted small business peer who would provide access to their conference room or vacant office if a disaster occurred.
Most small business owners don’t think they will be the victim of a cyberattack or natural disaster—until one strikes. A disaster recovery plan is vital to making sure you can get up and running as soon as possible afterward.
Ellen Raineri, PhD, is a former faculty member at Purdue Global. The views expressed in this article are solely those of the author and do not represent the view of Purdue Global.