IT DRP: how best to plan your company’s recovery from a cyber crisis?

Today, cybersecurity challenges are so critical that you also need to consider the possibility that your protective measures are not sufficient. For an organization, IT security also means anticipating a possible shutdown of the IT infrastructure, whatever the cause: a system failure, malware, or a cyberattack.

An IT Disaster Recovery Plan (DRP) details the procedures and technological resources that your company would need to deploy, as part of its risk management, in order to resume its strategic activities in the event of such a disaster. In this article we will look at what a DRP is and the usual stages of its implementation.

Melissa Parsons
Technical Writer
IT DRP cyber security - C-Risk

What is a Disaster Recovery Plan?

A Disaster Recovery Plan (DRP) enables companies to resume normal operations after a disaster. In an IT context, this disaster generally involves a cybersecurity breach: the loss, theft, or disappearance of sensitive data; a virus, a cyberattack, or cybercrime.

Definition of the Business Recovery Plan

In an IT context, the DRP aims to achieve several sub-goals which lead to the main goal: safeguarding the sustainability of your company's activities. These sub-goals are:

  • anticipating and mitigating the impact of any cyber crisis;
  • guaranteeing the protection of sensitive digital data in the event of a disaster;
  • ensuring the continuity of the structure's activities, in the face of an IT crisis;
  • setting up a backup system to resume critical IT applications.

A DRP is a document that outlines all the processes your company must put in place to maintain or rebuild its IT infrastructure in the aftermath of a cyber crisis. It indicates how and when to defer to the backup system, as detailed in the crisis management plan, and specifies which backup system to activate in order to ensure the security of confidential data.

Furthermore, the Disaster Recovery Plan sets out how long each department can afford to be paralyzed – also known as the Recovery Time Objective (RTO) – and, finally, the maximum acceptable data loss, or Recovery Point Objective (RPO).

Differences between DRP and BCP

The scopes of Business Continuity Plans (BCPs) and DRPs have evolved over time. Originally, the BCP was required to anticipate the impact of a disaster on a company and provide measures to mitigate the negative consequences of crises, while the DRP functioned like the BCP, but only dealt with IT issues.

Over time, the Business Continuity Plan and the Disaster Recovery Plan have both taken on more precise meanings. Each now has a specific role regarding a company's IT system.

What is a BCP in the current climate?

The BCP now consists of a portfolio of procedures and resources that help to safeguard the continuity of the organization's activities should a problem occur. Its objective is, before anything else, to avoid interruption of IT systems and prevent operational disruptions. It must therefore be built in such a way that all of a company's IT structures remain available: networks, servers, and data centres alike.

From a strict IT perspective, a distinction is made between the operational continuity plan – which includes the company as a whole – and the IT Continuity Plan – which specifically targets the procedures and resources to put in place to ensure the continuous operation of information systems.

What does an IT DRP look like today?

A Disaster Recovery Plan focuses on making sure a company's activity can return to an operational status. In IT, this means backing up vital infrastructure. The plan can be activated when there is an obvious shutdown of information systems; it lets companies rebuild their IT infrastructure after the disaster and restart the applications most critical to company operations.

Its objective is to guarantee a satisfactory resumption of activity as soon as practicable, in order to reduce the financial consequences linked to a cyber crisis. This is why it has to rely on careful risk mapping to provide adequate backup IT systems and ensure data redundancy, which is the practice of saving the same data on different devices (phone, computer, external hard drive, digital drive, or tablet).

The IT Disaster Recovery Plan in CIO terminology

To summarize, Chief Information Officers (CIOs) generally consider that the BCP specifies measures for ensuring the continuity of activity, while the DRP details measures that guarantee the resumption of activity after an IT shutdown. After all, the Disaster Recovery Plan is activated when the infrastructure is unavailable.

In the event of a cyberattack, there are generally two execution scenarios for the DRP:

  • Your company was prepared for IT crises, and had a BCP to mitigate the impact of the disaster. In this case, your company can reduce the RTO and RPO to a minimum and apply a “warm restart” of the applications. This is a quick restart of activities on one or more backup servers, all based on pre-disaster data saves.
  • Your structure did not have a BCP or the technical means to execute an effective crisis management plan. In this case, a “cold restart” is required, a process which can last several hours or days after the disaster. In this scenario, the recovery is based on the company’s latest backups. However, with the increasing uptake of cloud data storage, this cold procedure is becoming less frequent.
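The two scenarios above, combined with the RTO and RPO defined earlier, can be checked per service before a crisis occurs. The following is an added example, not code from the article: the service inventory, timestamps and field names are constructed, and it assumes that only backups taken before the incident count as restore points, in line with the "pre-disaster data saves" mentioned above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Service:
    name: str
    rto: timedelta             # longest downtime the department can afford
    rpo: timedelta             # maximum acceptable data loss, as a time window
    backups: list              # datetimes of restorable backups (constructed)
    drill_restore: timedelta   # restore duration measured in the last DR test
    standby: bool              # True if a backup server is ready to take over

def assess(svc, incident_at):
    """Evaluate one service against its RTO/RPO for a disaster at incident_at."""
    # Assumption: only pre-disaster saves count; later copies may hold damaged data.
    usable = [b for b in svc.backups if b <= incident_at]
    findings = []
    if not usable:
        data_loss = None
        findings.append("no pre-incident backup: RPO cannot be met")
    else:
        data_loss = incident_at - max(usable)
        if data_loss > svc.rpo:
            findings.append(f"RPO breached: {data_loss} lost, target {svc.rpo}")
    if svc.drill_restore > svc.rto:
        findings.append(f"RTO breached: restore {svc.drill_restore}, target {svc.rto}")
    return {"service": svc.name,
            "restart": "warm" if svc.standby else "cold",
            "data_loss": data_loss,
            "findings": findings}

# Constructed sample inventory, not taken from the article.
INCIDENT = datetime(2024, 3, 12, 9, 30)
SERVICES = [
    Service("billing", timedelta(hours=1), timedelta(minutes=15),
            [datetime(2024, 3, 12, 9, 20), datetime(2024, 3, 12, 9, 35)],
            timedelta(minutes=40), standby=True),
    Service("file-share", timedelta(hours=8), timedelta(hours=4),
            [datetime(2024, 3, 11, 23, 0)],
            timedelta(hours=30), standby=False),
]

def report(services=SERVICES, incident_at=INCIDENT):
    return [assess(s, incident_at) for s in services]

if __name__ == "__main__":
    for row in report():
        print(row["service"], row["restart"], row["data_loss"], row["findings"] or "OK")
```

Running the same check with restore durations from each recovery test shows whether the targets written in the DRP are still achievable.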

When should you set up your IT recovery?

By definition, the DRP is only activated when the company suffers a genuine shutdown of its IT activities. If you want this IT recovery plan to perform well and enable you to quickly resume your activities, you must think it through well in advance of the actual onset of a cyber crisis. As a general guideline, you should allow an average of three months to design it, although you may need more or less time depending on the size of your structure.

Once the cyberattack, computer failure, or human error has been recorded and damage to your infrastructure begins, the execution of your DRP should help minimize your operational downtime. The longer the recovery, the more the company’s financial results are jeopardized.

What is the definition of an IT “DRP”?

The Disaster Recovery Plan (DRP) comprises a set of documents detailing the steps for setting up a backup IT infrastructure. This infrastructure’s aim is to safeguard the usual course of business activities in the event of an unexpected shutdown of IT systems. This shutdown could be due to a cyberattack, a computer breach, human negligence, or data loss or theft.

What is DRaaS?

Disaster Recovery as a Service (DRaaS) is a cloud backup solution provided by a third party, in which your data server is replicated at your service provider’s facility via the cloud, making it easy for you to recover any data lost during a disaster. It is a simple solution that removes the need to develop a complex and thorough plan. The maintenance costs associated with running a second site also become a thing of the past, since you only have to pay for a subscription.

IT DRP: how best to plan your company’s recovery from a cyber crisis?

There are sectors for which an interruption of activity, even of one minute, represents a tangible financial loss or danger to data integrity. In these sectors, having a BCP is essential. Companies whose activities have a lower level of criticality and who can afford longer IT downtime can settle for a DRP alone.