By Ellen Raineri, PhD
Published July 2016
Congratulations on owning a small business! You may have mastered your craft and built up your practice with some excellent support staff such as administrative, IT, HR, accounting, marketing, and sales. If your firm is a success, then you even have customers that generate profit. However, what if a disaster such as a flood, hurricane, or cyber-attack occurred? Do you have the proper mechanisms in place to recover from such a disaster? Even if disaster recovery was not a topic of your business plan, it is not too late to develop your strategies now!
Disaster Recovery Plan
Approximately 57% of small businesses have not developed disaster recovery plans (Johnson, 2015). Even if small businesses do not have the money to hire an external firm to create a plan, they can create their own. Business owners can begin by analyzing the types of risk that can occur for their company, the likelihood of each occurrence, and the critical systems/data that could be impacted. This analysis will then help determine an allocated budget for disaster recovery.
For cost savings, business owners can search for free disaster recovery plan templates. Some common content areas include key personnel contact information, insurance information, media contacts, vendor contacts (e.g., computer hardware, plumbing, HVAC), key customer contacts, and financial information. Step-by-step instructions for addressing high-probability disasters should be included. Last, an appendix of supplemental information, such as floor plans, insurance policies, and technology service level agreements (SLAs), may be beneficial.
It will be important to identify critical hardcopy or electronic data for financials, customers, insurance, vendors, or employees. On a continuous basis, make copies of (or mirror) your data and store them in an offsite location that would not be impacted by the same disaster and that can easily be accessed. Unfortunately, in a study of 94% of small businesses that made backups of financial data, only 25% of them used off-site storage (Johnson, 2015). Small businesses can easily scan their data and store it in a cloud environment such as Google Drive or Amazon, which can be inexpensive and easily accessed. Alternatively, small businesses can store hard copy reports, magnetic tapes, DVDs, or flash drives off site.
Pay Attention to Security
If an organization stores physical information at a secondary site or backs up information in the cloud or on an external device, it must consider security. The stored physical information is at risk from theft, accidents, or a natural disaster. Accordingly, to protect physical security, an organization needs to plan for things like door/window security and personnel access. Also, owners should be cautious of drop ceilings and raised floors, through which intruders can gain access and compromise physical security. The backup electronic information may be at risk of a cyber-attack (on an organization’s system or a cloud provider’s multitenancy system).
Accordingly, an organization would need to implement adequate security measures such as an IDS, IPS, honeypots, antivirus software, network segmentation, firewalls, vulnerability assessments, and user education. If using a cloud provider, an organization should ask its cloud provider about the type of network security or disaster recovery initiatives that it has implemented.
Plan Maintenance and Awareness
Once the plan has been developed, it must be maintained. According to one report, 90% of the small businesses with plans invest fewer than 8 hours a month in plan maintenance (Johnson, 2015). To address maintenance, small businesses can establish a cross-functional team that drives maintenance and awareness initiatives. The team can host brown bag lunches to initially discuss the concept of disaster recovery plans, as well as trends. When there are changes in applicable regulations (e.g., HIPAA), purchases of new equipment, or changes in company direction, the team should evaluate the content of the plan.
Next, the team can invite risk assessments of the plan. If the cost of an external firm to conduct the risk assessment is a barrier, the team can invite employees, or even another trusted organization, to critique the plan. Last, disaster recovery training of personnel should be done initially and throughout the year.
Hot, Cold, Warm Choices
As part of disaster recovery, some organizations explore alternative sites to run their businesses after a disaster has occurred. Hot sites are the most expensive, as they contain duplicated hardware and processing systems; updates are current. A cold site is the least expensive because it may simply consist of space, phone lines, and furniture. Warm sites fall in between in pricing and functionality. Organizations need to consider costs as well as the acceptable delayed operational time.
For some small businesses, cost is a major concern, so a cold site may be their only option. If so, the small business can contact a leasing firm for pricing. Alternatively, a small business can explore other creative avenues that mirror a formal cold site, such as striking an agreement with a trusted small business peer who will agree to make its conference room and vacant office available if a disaster occurs.
Ellen Raineri, PhD, is a faculty member at Kaplan University. The views expressed in this article are solely those of the author and do not represent the view of Kaplan University.
Johnson, M. (2015, February 5). How natural disasters terrorize the business world in one infographic. Retrieved from http://www.businessinsider.com/natural-disasters-and-business-infographic-2015-2