By Steve Berman
TIMES ARE CHANGING:
Is Your Disaster Recovery Program Ready for a Refresh?
I
f the last two years have taught us anything, it’s that the threat landscape is constantly evolving. With offices reopening as the shadow of the coronavirus pandemic recedes, many business owners hoped life was returning to normal, only to be faced with supply chain disruptions and rising costs due to inflation. Cyber criminals have also been busy, using a variety of schemes to exploit corporate networks for their own ill-gotten gains. Meanwhile, nature continues to test the resilience of businesses as drought, wildfires, and disastrous weather events occur with ever-increasing frequency. This emergence of new challenges drives home the need for businesses to prepare for a wide range of potential disasters while anticipating new threats. To do so, it’s imperative to have an up-to-date disaster recovery program that includes a current risk assessment, operational analysis, and disaster recovery plan. The Best Defense Begins with a Current, Realistic Risk Assessment A viable disaster recovery plan hinges on a realistic assessment of the threats and vulnerabilities that could potentially disrupt your business. Because circumstances can change rapidly, it’s important to perform a risk assessment at least annually, so you have a clear understanding of any new threats to
24
JULY-AUGUST 2022 | MailingSystemsTechnology.com
your organization. If it’s been a while since you performed a risk assessment, start by identifying vulnerabilities to your physical location, IT systems, networks, and data. Next, catalog any environmental, natural, and human threats and note any changes that could impact your operations. Are weather experts forecasting heavy electrical storms in your area this summer? Are there any new malware attacks on the horizon? Are any of your major suppliers experiencing shortages? Through regular risk assessments, you can factor in any significant developments impacting your business and prepare accordingly. Building Resilience with an Operational Analysis Conducting a regular analysis of your business operations goes hand in glove with an effective risk assessment. As you assess the various threats to your business, consider changes to your operational environment, as well as external risks. Have any employees left your organization? Make sure their accounts have been disabled or deactivated. Are you reopening an office or moving to a hybrid workforce? Ensure you have a system in place to monitor and track the day-to-day usage and location of physical assets and internet usage. Compare these factors against your baseline from previous audits and take note of any changes.
When conducting your operational analysis, you also want to pay attention to your data backups. Do you store backup copies at a geographically remote location? How quickly could you restore critical applications and data in an emergency? To protect the confidentiality, availability, and integrity of your company’s information, perform regular restoration tests of your backup media and make sure you have a current inventory that identifies all backups by status and location. Avoid putting all your eggs into the “cloud” basket — ensure that your plans include contingencies for your business to function if it loses connection to your online backups stored on cloud services. An effective operational analysis should also include a data and application criticality analysis. Required by HIPAA, the criticality analysis is a best practice that every business should adopt to ensure your data and IT resources will be available when you need them. To get started, take stock of all your IT systems and applications and assess the impact that any loss in function would have on your business. Identify which systems need to be restored in minutes versus those that can be placed on the back burner for a few days. Then create a list of applications and systems to restore in order of priority. Plan for Success with an Updated Disaster Recovery Plan Once you’ve performed a comprehensive risk assessment and operational analysis, you’ll have a good idea of what to include in your disaster recovery plan. If you already have one, congratulations! But remember, having a plan is only half the battle. If you’re not updating your plan at least annually, chances are good that it won’t contain the information you need when a disaster occurs. A regular review of team assignments is necessary because staff turnover can create critical gaps in your disaster recovery team. During your review, identify team members who have left the company and note any disaster recovery roles and responsibilities assigned to them. Ensure you’ve got a current organizational chart, so you can identify potential replacements with the decision-making ability and expertise to take over for any team members who have moved on. The ideal disaster recovery team is cross-functional, representing all your major business units and corporate leaders. The plan update is a good time to review your organization and make the adjustments needed to reflect changes