Business Continuity And Disaster Recovery Guide For SMBs - Citrix


Sharefile – business continuity and disaster recovery guide for SMBs

Disaster recovery should be part of every business continuity plan

A guide to business continuity and disaster recovery for small and medium businesses (SMBs)

What happens when events out of our control prevent us from accessing the tools we need to work? How do we protect confidential business information when storing it in the cloud?

Business continuity and disaster recovery

IT Disaster Recovery and Business Continuity are similar in objectives but are far from the same thing. When either is referred to during this guide, we mean the following:

Business continuity: This is a business-wide review and implementation plan that ensures the continuation of critical business functions in the event of a disruption.

IT disaster recovery: Contained within a Business Continuity plan, the IT Disaster Recovery policy maintains and recovers a business’s hardware, applications, and data when their information technology stops working.

For the purpose of this guide, we’ll be focused on the IT Disaster Recovery Plan, but consider it as part of your entire business continuity policy.

Why you need a Disaster Recovery Plan

Technology offers many business benefits, but when it breaks it can have serious repercussions for those of us who are heavily reliant on tech for normal operations.

Depending on the type of disruption, the repercussions can cover many areas:

- Employees unable to communicate with each other
- Employees unable to access their files
- Employees unable to gain access to the company office
- Inability for customers to access your website
- Inability of customers to communicate with you
- Inability for you to communicate with your customers
- Total loss of company or customer data

These can lead to a reduction in employee productivity, the ability for customers to buy/use your product or service, or the level of trust your customers have in you. Ultimately, these will all lead to a revenue hit for your company.

“It is important for businesses to understand that no matter how small they are and how much they do to protect their assets; a disaster is inevitable at some point. When that time comes, you want to be well equipped to minimize fallout and return things to normal as quick as possible.”
Darren Gallop, Securicy

Most Disaster Recovery Plans are either non-existent or out-of-date

What’s encouraging is the level of awareness SMBs have with regards to a Disaster Recovery Plan (DRP).

We surveyed 500 small and medium-sized business IT decision makers, and spoke to many IT experts, to get their thoughts on the importance of an effective IT Disaster Recovery Plan (DRP).

In our survey, 96% said they consider their IT Disaster Recovery policy to be a priority for their business over the coming year. Given just one in five businesses said they didn’t have a policy in place, SMBs are beginning to understand how relevant the subject is.

Which of the following most accurately describes your company’s IT disaster recovery policy?

- We have an IT disaster recovery policy and we feel it is up to date and covers our requirements: 22%
- We have an IT disaster recovery policy but it needs updating and/or doesn’t cover our requirements: 20%
- Our IT disaster recovery policy has been used in the last 12 months: 16%
- We do not have an IT disaster recovery policy, but plan to introduce one: 15%
- Our IT disaster recovery policy has been used but over 12 months ago: 11%
- Our IT disaster recovery policy has never been used despite having one: 9%
- We do not have an IT disaster recovery policy, and don’t plan to introduce one: 6%

The Cost of NOT having a Disaster Recovery Strategy

Disaster recovery plans are put in place to guard against a number of potential catastrophes:

- Cyber Attack
- Office fire/physical damage to company property
- Server failure
- Physical loss of data
- Failure of software tools

“Companies that do not have disaster recovery or business continuity plans have an increased risk of loss of revenue, customers, data, and trust. All of which can be crippling to companies. Risk management is key, and all companies should have plans in place to avert disasters or interruption to business and service functions.”
Ray McKenzie, Founder, Red Beach Advisors

Have a plan in place that keeps downtime to an absolute minimum

Our survey showed that just 3% of businesses said they do not experience any downtime on a yearly basis. On average, our SMBs said they experience nearly 62 hours of downtime each year. Reflecting on this potential cost, you can begin to gauge how important it is for small businesses to remain operational.

How many hours downtime does your company suffer from each year?

- 0: 3%
- 1-50 hours: 48%
- 51-100 hours: 27%
- 101-150 hours: 13%
- 151-200 hours: 4%
- More than 200 hours: 1%
- Mean average: 61.6 hours

Our research suggests downtime costs SMBs an average of 77,989 every single year. Small businesses must have a plan in place that keeps downtime to an absolute minimum.

How much does downtime cost your company annually?

- 1-10,000: 15%
- 10,001-50,000: 25%
- 50,001-100,000: 27%
- 100,001-150,000: 19%
- 150,001-200,000: 9%
- More than 200,000: 4%
- Mean average: 77,989

And that’s only one potential pitfall of IT Disaster Recovery. Cyber security is becoming increasingly more relevant to small and medium sized businesses.

Moreover, hackers and malicious actors looking to access sensitive data for fraudulent means are targeting smaller businesses. While the rewards may not be as significant, the apparent low levels of security lead to a potentially greater chance of their efforts succeeding.

In 2018, IBM estimated the cost of just one stolen record containing sensitive and confidential information to be 148 – a figure that is rising every year. If your company holds tens or even hundreds of thousands of names, addresses, and other information about its customers, the cost of a breach can quickly escalate.

We asked our respondents how much a variety of threats and potential pitfalls had cost their companies over the last five years.

How much have these IT disasters cost your business over the last 5 years?

- Cyber attack: 37,900
- Office fire: 27,900
- Server failure: 44,100
- Natural disaster: 35,600
- Physical loss of data storage: 35,900

Depending on the location and practices of your business, these disasters can vary in their impact. Nearly one in three (29%) SMBs said server failures had cost their business more than 50,000 over the last five years. Similarly, the physical loss of data (25%), natural disaster (24%), and cyber-attack (24%) are all significant threats to every business’s bottom line.

When designing your IT Disaster Recovery Plan, each of the above needs to be acutely and thoroughly addressed.

Building a Disaster Recovery Plan

What do we need to protect

To establish what you need to include in your Disaster Recovery Plan, you first need to ask yourself: “What applications and data are mission critical for our business to function and succeed?”

Create a list of everything that falls under this category — this is everything you’ll be looking to protect within your DRP. For most companies, it will likely contain most of the following:

- Email (or any communications system)
- IT infrastructure and systems management
- Web serving and internet content/video
- Business intelligence/analytics applications
- Collaborative content applications
- CRM/front-office applications
- Mobile/social applications
- Transaction processing applications

Once you’ve drawn up this list, there are several things to consider for each component:

Threats and Vulnerabilities

Carry out a risk assessment of each application and tool. Within this, consider their respective threats and vulnerabilities. Ask what could bring it down, and what steps are needed to ensure it’s back operational as quickly as possible?

Recovery Time Objective (RTO)

An RTO is the maximum tolerable length of time that a piece of your technology can be disrupted.

Measured in seconds, minutes, hours or days, the RTO of a given computer, system, network or application is dependent on how much revenue your company will lose out on if that piece of tech were to fail.

Depending on its importance, your RTOs may vary significantly. For example, a web server keeping an online retailer’s website live is imperative to maintaining revenue, resulting in a low RTO. A high RTO example might be a broken laptop. Laptops and computers can be replaced immediately (if the company has enough tech) with a backup, and the damage of one breaking down is likely to be limited, leaving the RTO of the broken device to be in days rather than hours or minutes.

Recovery Point Objective (RPO)

Related to the RTO is the RPO (you can read more on the differences here). This is a period of time that files must be recovered from a backup in order for normal operations to resume. For example, if your network fails, how far back can your last backup have been made to incur the least amount of disruption?

Once you’ve deciphered this, combine it with your RTO figure. This allows you to prioritize, allocate resources, create benchmarks and choose the right tools and procedures to ensure you never exceed your RTO and/or RPO.

What to Include in your plan

When it comes to finally putting your findings and considerations into a plan, it’s better to break it down into relevant sub-categories.

Goals of the plan

As a means of setting out what your plan hopes to achieve, create a series of goals that allows your business to get up to speed with the purpose and intent of an IT Disaster Recovery Plan.

Background

This is where you can house all the findings from your initial research. Break it down by each category of technology, before including:

- The previous processes for securing and recovering this piece of tech
- The risks and vulnerabilities
- The estimated cost to the business if it were to fail
- Any previous instances of downtime

Access and Responsibilities

List the members of the organization who have developed the DRP, and outline who is responsible for its implementation going forward.

Considering how your DRP can cover everything from fortifying an office to backing up files in the cloud, chances are you’ll require the input and management of everyone from your office manager to your CTO. Outlining who is responsible for each aspect can help employees recognize who they should go to for help when implementing the DRP. Also, consider how these might change when out of company hours, or if that particular person can’t be reached.

It’s not just in-house contacts that need to be included here either. You’ll be relying on many external, third-party products to keep your service operational. If one of them fails, you’ll need a contact for that business too.

Action Steps

Action steps should come in the form of a detailed point-by-point guide that explains exactly how to implement the DRP at the correct level of disaster. For each disaster, break down the steps to allow for simple initiation. Include:

Plan Initiation

- Which member of senior management and members of the disaster recovery team to notify, and how you can contact them
- How to determine the degree of the disaster
- What the right level of the recovery plan to implement is, depending on the degree of the disaster
- How to monitor/measure progress
- How to notify relevant users/customers of disruption

Disaster Log

Within the Disaster Log section, you can compare your RTO and RPO with the reality of the disaster. How long did it take to return to normality? What was the level of disruption? What was the cost to the business?

A detailed log will allow you to track, revise, and ultimately improve your DRP. Here, you can outline how the team responded to a disaster, allowing the relevant stakeholders to review the process and make any necessary changes.

Testing Your Plan

Testing is an important part of every small business Disaster Recovery Plan, but one that often gets neglected. Once the plan is in place, it can be easy to move onto other projects, presume it’s complete, or blame a lack of resources for not revisiting it.

However, the technology you’ll be using changes all the time, as do the threats that look to seize your vulnerable data. It’s imperative that you have a policy in place that looks to review the software and hardware you use, to both guard against disaster and return things to normal.

Tread carefully when testing your plan. In order to avoid using live data, set up a test area where you can sift through your systems and try to pick out holes and compromises.

It’s also worth holding periodical training and refresher events for those who will be directly involved in implementing the DRP. Instigate a “mock” disaster, allowing everyone to go over their roles and ensure they’re fully competent carrying it out.

Ultimately, when a disaster does occur, learning from it is vital. Use the DRP’s log to record any extended issues you encountered, and what could be improved in the future.

The greatest test of your plan comes when disaster hits. Be sure that each time you need to use it, you’re in the best possible position to recover your data efficiently.

What Tools Could we Invest in?

From our survey of 500 SMBs, we looked to find out how much they invest in protection against IT disaster and cyber-threats.

In-house Expertise

Hiring staff is always going to be a costlier solution than finding external software to do the job, but your chances of minimizing the cost of disaster will increase. That’s likely the explanation for an “in-house IT team” receiving the most investment of any IT disaster prevention method. In fact, a quarter of all SMBs spend over 50,000 each year on their in-house IT team, and just 6% say they don’t invest in this area at all.

How much money do you invest annually to reduce the impact of IT disasters?

- Cloud backup: 13,500
- Virtual servers: 13,900
- Cloud network and file sharing: 13,400
- In-house IT team: 23,400
- Disaster proofing the office: 10,400
- Backup internet connection: 10,500
- Laptops for your employees: 14,100

Cloud Backups

The cloud is also going to be one of your most powerful systems in the fight against IT disasters. Having a dedicated, secure external site to house your company’s files allows the business to continue operations immediately.

That is likely why more than a third of SMBs spend over 10,000 a year on cloud backups (34%), cloud network and file sharing (34%), and virtual servers (35%).

Remote Work

Remote work allows your employees to remain productive in the case of an IT disaster. Files stored in the cloud can be accessed from anywhere. To ensure this is the case, 35% of SMBs spend more than 10,000 a year on laptops for their employees.

With ShareFile, we provide an intuitive, cost-effective cloud storage solution that’s built from the ground up for small-to-medium sized businesses.

Preventing IT Disasters

Prevention initiatives are far less costly than curing a disaster, so implementing preventative measures is critical. We asked our 500 SMBs how much they spend annually on applications that will prevent cyber threats.

Anti-virus software and firewalls are as important as ever. Just 2% of SMBs say they don’t actively invest in these applications. You can find solutions that protect your business data from cyber-threats with ShareFile. Using our secure file sharing system will keep personal data away from the hands of those with nefarious motives, and this can extend to your emails with use of ShareFile’s secure email encryption tools.

How much money do you invest annually to reduce the likelihood of cyber-threats?

- Anti-virus software: 10,600
- Encryption of PCs: 9,500
- Staff cyber-security awareness training: 9,500
- Firewall: 11,600
- Log file monitoring: 8,700
- Email phishing filters: 8,700

Disaster recovery is everyone’s responsibility. Run regular cyber-security training and educate staff on how to correctly share and store files, password protect computers, and detect when they might be opening an invasive email.

2020 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner(s).
