If you have a Business Continuity Plan, do you also need a Disaster Recovery Plan? If you have a Disaster Recovery Plan, do you also need a Business Continuity Plan? The distinction between these two types of plans is amongst the least understood topics that small businesses must navigate as they think about creating an environment of stability in the face of a cybersecurity incident. These plans extend beyond just cybersecurity matters, but here we'll focus on what's in our wheelhouse at Havoc Shield: cybersecurity.
By taking a stand on this topic, we're stepping into the danger zone: one Google search and you'll realize that there is a sea of ambiguous blog posts that muddy the waters further, without taking a real stand on the distinction between these policy types. We'll take a stand here -- hope you like it.
Suppose your business faces an interruption. The power goes out. An earthquake destroys the datacenter. The head of DevOps gets hit by a bus. A pandemic causes you to be unable to fly overseas to install a server on-site at a new client. The disruption arrives, probably with minimal or zero notice.
What will you do to ensure the continuity of service to your customers? Will you activate a backup generator? Will you fall back on a less powerful, but temporarily viable, warm-ready datacenter? Will you appoint your head of development to handle the documented steps that the DevOps person left behind, improvising where there is ambiguity? Will you subcontract with a vendor close to the new client's site to handle a server install on your behalf?
The answer is unlikely to be one that you consider "optimal" -- it'll be one that feels like a stop-gap, a way to persist through difficult times with a solution that may feel like it's held together with duct tape and super glue. But it'll work, for the purpose of allowing the business to continue temporarily, until the more lasting/permanent solution is achieved (hopefully soon after).
Your disaster recovery plan is held to a higher bar. In your disaster recovery plan, you have to face head-on the issue of how you will fully (or as fully as possible) restore the company's operational strength, it's data, it's services, and it's products, to a sustainable state that doesn't bear the mark of being a temporary band-aid.
Will you transport data center servers and storage to a new datacenter with more reliable power? Will you rebalance datacenter idle capacity to salvage functional capacity in combination with load-balancing some workloads to a geographically distributed set of datacenters? Will you use infrastructure automation tools to interrogate what's left of the prior infrastructure, and build infrastructure automation that fully stands up an equivalent to what once existed? Will you establish an overseas office near the new client, that is fully capable of serving that client should another unexpected pandemic arise?
Whatever the case, the answer needs to put you in a spot where your business is operating as it was before the disruption -- either 100%, or as close to it as can be achieved, and in a sustainable way that carries forward into the future without any hint of patchwork/band-aids.
A variety of material that we've read on this topic left us dissatisfied. Much of it felt like blog authors trying to achieve some google search benefit. We hope you found this one to be different. Like it? Feel free to get in touch for our help with your policies and plans, and broader cybersecurity matters that relate to keeping your company safe in the new cyber threat landscape.