by David Zimmerman, CEO of LC Technology International
Entrepreneurs and small business owners are often coming to market with that “one great idea.” Their intellectual property that details their new product or service is exceedingly valuable and warrants the utmost in protection. Unfortunately, it’s much too easy to not properly plan for disasters and how to protect and recover data during such catastrophes.
The recent hurricanes and the raging wildfires out West are just some of the events that are impacting hundreds of small businesses, some of which were exposed to data loss, specifically digital data which resides in computers and servers. Thankfully, many firms saw the lessons learned after Hurricane Katrina and have taken steps to lessen the impacts of disasters as they relate to data. In Houston, many of the area’s hospitals had proactively put in place flood control measures and most had already moved to electronic health records instead of paper documents. And during this span, storage options such as the cloud have become much more accessible, secure, and affordable.
Small business owners and entrepreneurs that want to best protect their valued digital assets should follow these best practices for data management during and after a disaster.
Write a Formal Disaster Management Plan.
A formal plan adds accountability and transparency and helps eliminate confusion about who holds various responsibilities. Everyone involved with the company should understand their role in disaster planning.
The data recovery plan should be a part of the broader disaster recovery plan which will cover a variety of concerns, including; how employees will physically evacuate, which staff hold special responsibilities during and after the disaster, and how will upper management meet and discuss the ramifications of the disaster to the business.
Protecting data from a disaster requires careful and comprehensive planning. Here are just some of the considerations and questions that should go into such a plan:
- If the disaster is impending (hurricane, wildfire risk, major storm) and the team has some time before evacuation, then what steps will they take to save data to an offsite location. Develop a priority list of the data to manage the most sensitive information.
- Should sensitive data be deleted from on-site storage (after ensuring it’s backed up) during a disaster situation? If so, the plan should dictate who holds this responsibility.
- The plan should be adjusted per the severity of the disaster. A thunderstorm that disrupts power for 8 hours brings different complications than an earthquake which levels the office building. Create guidelines for various disaster severities, along with corresponding actions from the team.
- Does the plan account for the most likely type of disasters for that specific geographical area?
- Does the company still use paper-based records? If so, what impact would their loss mean to the business? By choosing secure offsite data storage options, they not only provide greater security, but also decrease the risk of damage.
- Should IT adjust the in-office hardware to reduce the potential monetary losses caused by a disaster?
- Identify systems that cannot tolerate any downtime. How are these protected during a major disaster?
Test the Plan.
A disaster management plan is worthless unless it’s applicable within the real world. IT and other departments will be involved in actual fire drills to prepare for evacuations, and they should also test the data management parts of the plan.
If for example the plan involves moving data from on-premises to cloud storage, then how long does this take? Is it a nightly process? Can this process be changing to an automated “mirroring” of data to the cloud?
Firms should test every staff member involved in data management to be sure they understand their role during a disaster. This involves not just IT staff, but also non-technical staff. For example, does the marketing department understand the proper login procedures to important systems if they’re forced to work offsite? Does everyone understand the risk of accessing company data via a public Wi-Fi connection? Utilize surveys to test the knowledge of everyone in the company regarding their adherence to approved disaster management procedures.
Organize and Protect Data Before and During a Disaster.
Firms must consider data as a tangible asset, just as they would office buildings, furniture, and all of the other “things” that go into running a business. The first priority in disaster planning should of course be the wellbeing of the employees, but protection of data should follow behind in terms of importance.
The plan should indicate the physical or virtual location of the data sources, whether that includes Excel files, CRM data, or accounting files. Businesses cannot protect the “unknowns”, so a first step is to find all of the data and centralize its location. When a hurricane is scheduled to arrive in four days, companies won’t have time to locate all of their data sources. This has to be done on the front end, with a full accounting of every source of content and information. Once a disaster occurs, IT should have a way to temporarily suspend access to certain systems, especially local machines in the affected office. If a company headquarters will be unoccupied for several days, IT needs to have in place remote locking capabilities to restrict unauthorized usage.
Collecting the data is a useful exercise in many respects. The team might find data that is no longer needed and should be deleted – which can lower the company’s liability. They might also find unexpected data sources that can be correlated with others to produce insights. All of this can be uncovered through sound disaster planning practices.
Using the Cloud as a Disaster Management Tool.
The cloud is ideally suited because it provides businesses with offsite redundant storage. If an earthquake strikes a business’ headquarters in Los Angeles and that firm keeps all of its content on on-premises storage, then the loss of data can potentially ruin the entire firm. If all of the firm’s content and IP is instead kept in the cloud, the earthquake will disrupt business operations, but the team can get back on its feet quickly. Workers can function remotely and still pull the data they need to get things done.
Here are some of the ways the cloud can be worked into a disaster plan:
- Firms should select a major cloud provider (AWS or Google) and automatically mirror all important data to the cloud
- The most sensitive information should be kept in private clouds (away from the security risks of multi-tenant public clouds)
- The disaster plan itself should be a cloud-based document
- Within the plan should be secure information about the login credentials for cloud accounts as well as a list of people that have access to this information.
In addition to cloud storage, firms should consider backing up their most sensitive data to external hard drives, encrypting the data, and keeping them in secure vaults. This provides an additional layer or protection against disasters, especially those that might restrict internet access for an extended period of time. Plan on having this physical storage located outside of the typical “disaster impact zone.” For example, a business located in southern coastal Florida could have data stored offsite in Atlanta or areas of northern Florida.
Data recovery and protection plans are an essential part of a broader disaster recovery strategy. The best plans are those that reflect proactive thinking and consideration from all the stakeholders.
David Zimmerman has been in the hardware/software industry for over 30 years, specifically in the data recovery software market for 18 years. During this period, he has been involved in the creation; marketing and support of the earlier drive recovery software products to enter the PC market and successfully marketed them both nationally and internationally. His company LC Technology International makes data recovery products for most of his competitors.
