Testing your Disaster Recovery (DR) plan – getting back to work, how hard can it be?


We all know how important a Disaster Recovery plan is to your business, well I would think that you do.   To most small and medium businesses and not for profit organisations this is one of the processes that gets done then put into a little locked box never to see light until that big one happens.    This is definitely the wrong concept.   To some the DR plan is a living breathing entity.   That is what it should be like for all businesses.

Once the DR plan has been created there are a number of processes that have to be done to make sure that it will work when it is called into use.

Why you need a plan

The plan is very important to making sure that when and if something goes wrong with the business that you have a way back from the precipice.   It doesn’t have to be the large things that will ruin your business.   Yes looking into the floods and fires that can totally destroy your business are important, but what about the single point of failure like the servers power supply, the single Internet connection that everyone relies on using to get to your cloud data, the loss of these can reduce your business to its knees.

In that respect you need to be able to make sure that these single points of failure are risk assessed and incorporated into your business DR plan.   In addition you need to amend the plan to assign mitigating factors to ensure that if they do fail that you have reduced that risk.   When that is all done you need to test the plan.

Testing it is critical

So you now have a plan, you have added all of your risk components and mitigated those risk.   You have to test the plan.   You have to test the plan, first to make sure that it will deliver your expectations but also to ensure that you have thought everything through.    This component is critically to the viability of the plan.

To test the plan you can not just turn off the server and see what will happen, well you can but as a first test this is not a good idea.   You have to start slow.   You gather key people around a table and play “hypothetical”.   If we turn this off what happens, if this part of the building burns down what will we do, if the basement gets flooded what happens now.

You are using the testing process to ensure the plan is viable.   As the tests get more in-depth then the next stage is to add more complications to the problems.   What happens to the work environment if all of the technical staff are down with food poisoning from last nights dinner, all of the management team are away on a retreat and cannot be contacted.   This is the next level of test for your disaster recovery.    You want to ensure that no matter what happens it is business as usual, or as close as it can be.

Why is it so hard to get buy in at the management level?

The problem most business face is that management do not understand how important the information and business data that is held within a business is to that business.   The loss of that information, the financial data, the R & D data, the sales and marketing information is to the business can be critical.

Look at it this way, you are doing research on the Internet to purchase some stationary, you do a search and you ring the first resultant local company and try to place an order.   The receptionist / sales person says that she cannot take your order because the system is down.   Do you wait or do you go to the next result.   If you wait that is fine but if you go to the next result the first company has wasted the marketing spend to get to number one, the receptionists time as well as degrading their reputation.   Now change that to reflect your business.   Do you want that to happen to you.

By testing and proving your DR plan you make sure that the risks of a system failure are reduced to a level where they are not only manageable but also improved on.   You also have a company wide culture to ensure that little things do not impact the businesses bottom line

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.