With the June 1 start of the hurricane season approaching, it’s crucial that your company’s most valuable information is protected. Losing your data could be crippling for your business, but with the right planning procedures in place, such a disaster can be avoided.
This is the third installment of a five-part series offering answers from Tom Serio, director of business continuity management for Office Depot and Jon Toigo, CEO and managing partner of Toigo Partners International, on the following topics: Disaster Recovery Planning, Protecting Your People, Protecting Your Data, Investing in Disaster Planning and How to Create a Disaster Recovery Plan for Your Business.
Part 3: Protecting Your Data
Q. How do you store data?
TOIGO: The right data storage solution should be dictated by the importance of the data itself, how often it is accessed and updated, and what kind of special protection it requires. And of course, your budget determines a great deal about how you host and protect your data. I recommend that businesses take the following steps:
1. Copy data to removable media, including DVD-R or DCD-R discs, tapes, or to removable disk drives that connect to systems via their USB ports – flash memory drives, external hard drives or zip drives. Use anything that will enable you to remove the data copy to a safe location away from the original.
2. For larger volumes of data that require quick restoration, look for specialized software for continuous data copy, or an e-vaulting company to which you can send your data electronically for secure backup and storage.
Q. How much information should you back up?
TOIGO: Back up everything that you can’t afford to lose. A simple consultation with your operations people will guide you to critical application software and documents you should protect. And, make sure to transfer this information to a secure, off-site location.
Store copies of key forms and hard copy documents you use in day-to-day operations at a safe location. Scan key documents such as insurance forms into the computer for electronic storage, and store photos of major building and manufacturing sites in protected watertight storage containers and in a fire-proof safe, in case you need to present them to your insurers. You’ll want to have these materials available to help keep your business functioning.
Be aware that some documents, like blank check stock, can create problems if you plan to recover your business in a different country – say in a branch office in the U.S. when you are based in Canada. It doesn’t hurt to check with government officials to make sure your documents are legal. (This is optional stuff, but it severely impeded the recovery of a small Canadian retailer whose recovery site was in Chicago a few years ago.)
Q. How often do you need to perform backups?
TOIGO: Businesses should back up data at least once a week – more often if the data changes a lot, as in the case of an accounting system. Keep in mind, your business processes are ongoing and you can only capture changes in critical data through regular backups. You will need a recent set of data to enable you to return to business as soon as possible in the event of a disaster.
Q. Where should you store the backup data?
TOIGO: It’s critical that you take a copy of your backup software to a secure off-site location. Too many times, companies that have experienced fires or floods or other interruption events were unable to access their backup data because it was stored in the desk drawer next to the system being backed up. You need to standardize a system for moving data to a secured, alternate or off-site location. Make sure to label the media with content and dates, and to replace last week’s media with the next week’s backup.
Remember the lessons learned by big companies: The more manual the off-site storage process, the more prone it is to mistakes. Unencrypted backup tapes have actually fallen out of off-site storage vans or have been stolen from cars or homes recently. Not only is that an impediment to smooth recovery, it might also expose sensitive data about your customers or your companies. Whenever possible, automate the backup process and consider some sort of encryption on your backup media.
Q. What is the most crucial data to protect?
TOIGO: There is no easy answer to this question, which leads a lot of companies to back up everything. Doing so is a mistake because it may well extend the amount of data you are backing up to such a large size that it is difficult to find time to back up all of it. Moreover, too much data can slow recovery significantly.
To cut out the data that really isn’t important to back up, you need to first determine what your mission-critical business processes are, how they are supported by applications and infrastructure, what data they produce and use, and how that data is presently being hosted. Then, when you know where the data is, you can target just the right data for backup.
Truth be told, companies have very different views about which business processes and applications are the most critical. Take, for example, three power companies: the first thinks that its customer service system is its critical application. To the second, payroll is the most critical because of its contracts with unions. The third might think that the meter reading system is most important because it determines where the power bills are to be sent.
Criticality is relative and contextual. You need to do the analysis yourself in your own case.
Q. What's the first step toward data protection?
TOIGO: Once you’ve established which documents, processes and applications to back up, you will need to create a routine backup system – on a weekly basis at least. You should also periodically review the data being stored on backup systems to ensure that the right data is being copied and that it can be restored. This audit step is very important since you do not want to discover that you don’t have the data that you need or that media is unreadable when you go to restore your data in an emergency.
Q. What's the first step to take when a hurricane is on the way?
TOIGO: When preparing for a disaster like a hurricane, protect your most valuable assets: your people and your data.
If you haven’t already done so, create detailed contact lists and communications protocols. Back up as much data as possible and store hard copies of important documents like insurance forms in a fire-and-water-proof safe. Then, move these documents to a secure, off-site location.
The truth about hurricanes is that they avail themselves of advanced preparation. You know a storm is coming long before it makes landfall. Once the National Weather Service starts to project a storm track that might come anywhere near your shop, you need to start taking more frequent backups. When a voluntary evacuation order is issued, take a full backup of your critical applications and begin spreading the word to employees about the strategies you will follow to keep in communication before, during and after the emergency. When and if the mandatory evacuation order comes, don’t queue. Power down your equipment, turn out the lights, lock the doors and leave. Take your last minute backups with you.
Q. What's the most important thing to do after a hurricane has come and gone?
TOIGO: Check on your employees; make sure your staff has weathered the storm and is OK. Once you’ve assessed your employee situation, begin recovering data from backup media that has presumably been stored at an off-site facility.
Q. If data does get lost during a disaster, what can a company do?
TOIGO: If you lose your data in a disaster, the reality is you might lose your business. A recent study from the Association of Small Business Development Centers found that 43 percent of businesses damaged in a disaster close for good.
Don’t let this happen to you. Begin building and testing your disaster recovery plan now, before disaster strikes. Although disaster planning may sound like a complex proposition, there are a number of resources available to help.
Business professionals can download a free copy of Office Depot's Disaster Preparedness guide. I also recommend visiting the U.S. Department of Homeland Security’s Web site.
Q. What are some lessons you've learned during your experience with data protection?
TOIGO: Restoring company data can often take the greatest amount of recovery time following an interruption event. After a disaster, access information more quickly by making backups on a regular basis and moving the media to an off-site storage facility.
I’ve also found that people tend to believe that small businesses have less to lose in a disaster. This simply isn’t true. Data is just as important to a small-or-medium-size business as it is to a global corporation. As a smaller company look at your size as a benefit. With less data, it takes less time to prepare backups.
Over my 20-plus years in the field, I’ve learned that there are no gurus in disaster recovery planning – even among those who have recovered from disasters. The key objective is to build a plan that will effectively recover YOUR businesses and test it.
The nature of disaster recovery planning itself, the uniqueness of individual business organizations, and the rapid pace of technological change all conspire to render each and every plan an original work of its designer. In short, there is no wrong way to develop a disaster recovery plan – one does not need a professional certification to do the work, but can be reasonably certain of developing a testable plan through the application of readily-accessible project management skills, a bit of industry knowledge, and a healthy dose of common sense.
Tip From the Expert:
TOIGO: "Data restoration often takes the greatest amount of recovery time following an interruption event. After a disaster, access information more quickly by making backups on a regular basis and moving the media to an off-site storage facility."
Check back Thursday for Hurricane Preparedness for Businesses Part Four: Investing in Disaster Planning.