We look at how charities can develop a recovery plan to ensure a fire, ransomware attack, or other disaster does not threaten their continued existence
According to research carried out by the University of Texas, 94% of organisations that experience a significant data loss don’t survive the disaster: 43% have no choice but to close immediately, while a further 51% disappear within two years.
When it comes to losing access to computer systems for an extended period, things are hardly better. According to the US National Archives and Records Administration, 93% of organisations that experience extended computer failure are gone within a year.
It is therefore essential that charities are prepared. We offer some advice around risk assessment and how charities can develop a disaster recovery plan.
The above statistics should be sobering. That’s because, over the last few years, charities have become increasingly digital, data-driven organisations that rely on their computer systems and data for fundraising, service delivery, communication with their constituents, and many other key areas of their operations.
To reduce the risk of being wiped out by a disaster such as a fire or flood which destroys your computer systems, a long-term power outage which makes them unusable, or perhaps a hacker-related event such as a ransomware attack, it is vital that your charity develops and maintains a disaster recovery plan.
The purpose of such a disaster recovery plan is to ensure that your charity is able to survive almost any disaster by have vital digital operations back up and running within an acceptable period of time.
Creating a disaster recovery plan takes a little effort, but having one in place can mean the difference between your charity experiencing a major inconvenience and ceasing to exist altogether.
Make an inventory of all your IT resources
An important starting point is to take stock of all your digital activities and produce an inventory of everything that is involved. This should include hardware, software, databases, other data stores, and any cloud services your charity uses.
Decide what’s vital to the operation of our charity
The key to effective disaster recovery is to get the bare minimum your charity needs to function up and running as quickly as possible. Once the “mission critical” digital systems are operational you can focus on the less important computer systems.
As well as looking at applications, it is important to look at your data. In particular, you need to establish what data you need to be able to access quickly. By eliminating unnecessary data from your disaster recovery plans you will need to deal with a much smaller volume of data, meaning you will be able to restore it and start using it much more quickly.
Work out your recovery objectives
Disaster recovery plans should be tailored to meet to specific objectives: a recovery time objective (RTO) and a recovery point objective (RPO). The RTO is the time it should take to get up and running after a disaster, while the RPO is the point in time before the disaster occurred that you want to get back to.
That means that the RPO is effectively a measure of how much data you are prepared to lose. If you can afford to lose up to a week’s worth of data, your RPO could be seven days and you could achieve this objective by making backups every weekend.
But if you can only afford to lose up to one hour’s worth of data then you would choose an RPO of one hour, and to achieve this objective you would need a far more regular backup regime. It is quite acceptable to have different RPOs and RTOs for different charity functions.
Establish where you store your data backups
For a charity that has gone digital, data is perhaps the most valuable asset. That’s because while computers and software can easily be replaced, data cannot.
Many organisations create backups that are stored on site, which means it is close to hand and therefore easy to access. But in the event of a fire or flood theses backups may also be destroyed.
For that reason, it is sensible to store backed-up data offsite as well – either in another office or in the cloud. Storing backups in the cloud is a more secure option, because cloud storage services themselves make backups of the data they store and keep these in separate locations. That means that data backed up in the cloud is unlikely to be lost.
The drawbacks of storing backups in the cloud are that it can be costly and it can also take a considerable amount of time to restore data from the cloud. This can have important implications for your RTO.
Decide how you will get up and running again
If your RTO is relatively long then your recovery plan may involve moving into a temporary office and purchasing new computers. Alternatively you may decide that staff should work from home using their own computers.
Larger organisations with shorter RTOs may want to pay to make use of a disaster recovery as a service (DRaaS) offering. These make a virtual copy of your computer and software setup, and in the event of a disaster you can switch over to this copy until your real systems are back up and running again.
DRaaS can be highly effective, but also generally expensive.
Make a disaster recovery plan playbook
The idea of a disaster recovery plan is that it is put into operation as soon as a disaster strikes. For this to be practical it is important that everybody in your charity knows exactly what is supposed to happen, and what they are expected to do.
A playbook is a documented step-by-step guide for putting the disaster recovery plan into operation, and this should be as detailed as possible.
That means that it should include named staff members and what they need to do, the services which need to be activated (such as data restoration from a cloud backup), who they need to contact, and the contact details of all of those contacts.
Test your disaster recovery plan
Many disaster recovery plans fail to work because some small detail has been overlooked. For example, the plan may call for data to be recovered from cloud storage, but nobody remembers the password.
It’s only by testing the disaster recovery plan regularly that you can spot any vital information that may be missing, or that the plan needs updating because of the introduction of a new software system.
Key things to look for when testing a disaster recovery plan include:
Make it easy to access your playbook
The final step is to ensure that your playbook is easy to get hold of when it is needed. Copies should be stored locally on staff computers, but it should also be stored in the cloud so it can be accessed from anywhere.
Ideally it should also be printed out and distributed to key staff members, although it is important that any existing printed copies are discarded every time the playbook is updated.