
How to Stay Compliant During a Disaster

What would happen if disaster struck your business tomorrow? Do you have the systems and processes in place to keep your business compliant, continue operating and protect your business? If you answered no, you’re not alone. A 2019 report by IDC found the following:

9 out of 10 companies that participated think having both Disaster Recovery and Backup is redundant.

Yet the same report found that almost 50% of respondents had experienced some kind of DR impact from cyber threats within the last 3 years. In this post, we’re going to outline the business practices you need to follow in any disaster. And, importantly, how this can help you stay compliant should disaster strike.

What is disaster recovery (DR)?

When we talk about a disaster in this context, we’re referring to anything that has the capacity to seriously disrupt your business.

This could be a natural disaster, such as an earthquake, hurricane, or flooding. Or it could be a man-made disaster, such as a fire, a chemical disaster, or cybercrime.

According to the 2018 State of Business Continuity Industry Report, the top three threats are:

  1. Cybercrime (82.5%)
  2. Extreme Weather Events (79.5%)
  3. Natural Disasters (61.9%)

The important thing to know is that these disasters are more than just an inconvenience. Without adequate planning and protection, they put your entire business at risk. And that’s where disaster recovery (DR) comes in.

This is what helps your business get back on track after a disaster. It ensures you can replace any lost technology, access your data, and, if necessary, relocate your business to suitable premises. But there’s more to disaster recovery planning than minimizing disruption to your service. You must also ensure you stay compliant as you do.

How to stay compliant

Many industries have rules and regulations that govern the disaster recovery planning process. If you don’t comply, you could face legal repercussions should a disaster hit your business.

Here are six questions you need to ask in the DR planning process to ensure you stay compliant:

What universal regulations do you need to comply with?

When you start DR planning, it can be hard to know where to start. But, for most businesses, this is the logical place.

There are some regulations that affect almost all businesses — regardless of the industry or jurisdiction.

Start here.

For example, the General Data Protection Regulation (GDPR) set of rules introduced in May 2018 applies to any business operating in the EU:

The GDPR applies to a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed.

If you’re selling your products and/or services within the EU, you need to consider how these regulations impact you — even if you’re based in the US.

Although the main goal of GDPR is to protect users’ data, many aspects filter down into DR planning.

But this is just one regulation — there are many others you will need to consider too.


What does your industry expect?

There isn’t a one-size-fits-all approach to disaster recovery planning and compliance. Whilst there are universal regulations out there, the exact steps you need to take will depend upon your industry.

This means seeking general advice or searching Google for the answers might not be enough. You need to find out what industry-specific regulations you need to consider.

Be sure to leave no stone unturned as you do this. A thorough understanding of the rules is key. It’s impossible for us to cover all the individual regulations that might impact your business. But one example — for any business that interacts with the payment card industry — is PCI DSS.

It might not sound like this applies to you. But if you store, process or transmit cardholder data, it does. In the words of the PCI Security Standards Council (2019):

If organizations want to protect themselves and their customers from potential losses or damages resulting from a data breach, they must strive for ways to maintain a continuous state of compliance throughout the year rather than simply seeking point-in-time validation.

The extensive requirements cover everything from network security to access control. And all the requirements impact DR processes — so ensuring your DR plan takes them into account is key.

Make sure you understand all the regulations that apply within your industry before you proceed with a DR plan.

Do you have the right expertise within your business?

As we’ve highlighted above, understanding all the requirements and how they relate to your business is no easy task.

It requires broad legal knowledge as well as industry-specific knowledge. If you want to stay compliant (which you should), you need to take a critical look at your business.

Do you have the expertise available within your organization, or will you need to seek it elsewhere?

Many of the regulations you’ll need to consider carry hefty penalties.

For example, non-compliance with PCI DSS can incur fines of between $5,000 and $100,000 per month until you’re compliant again. If you’re in the midst of recovering from a disaster, this is the last thing you’ll need — so make sure you cut the risk.

Where are your current weaknesses?

As well as taking a critical look at the expertise within your business, you should also take a look at what you have in place right now.

What’s good about it — and where do you fall short?

This critical appraisal will help you identify any compliance gaps in your current DR plan.

Once you have this list, you can act to fill these gaps and ensure you remain compliant with any relevant regulations should a disaster hit your business.

Does it make sense to outsource your disaster recovery?

If the expertise and/or resources are lacking within your organization, you always have the option to outsource.

You could decide to outsource part of the process — hiring in an IT consultant to help you make sure everything is covered. Or you might decide to outsource the entire planning process. Or just the data backup processes.

Whatever your weaknesses, there’s someone out there who can support you through strengthening them.


What’s your process for reviewing and updating your disaster recovery plan?

Finally, you need to remember times change.

The regulations will be updated. Your business will evolve and grow — meaning new rules may become relevant or your processes will need to adapt. Make sure you have a process in place for reviewing and updating your DR plan. How often you need to do this will depend on your industry. But if you’re not sure, seek the appropriate advice to ensure this process is set up correctly.

Otherwise, you risk investing time into your DR plan — only for it to be out of date should you ever need it.

Conclusion

Disaster recovery is easily forgotten in today’s business environment — but it’s essential. One of the reasons it matters so much is the growing number of regulations laid out to protect consumers, and the large fines associated with non-compliance.

How are you going to make sure you stay compliant, no matter what happens to your business? If this is something you need to know more about, contact us to find out how we can help.