In today’s world, it is no longer a matter of whether your nonprofit will be impacted by a disaster, it’s only a matter of when it will happen. Data and systems can be compromised for such a wide variety of reasons that it is critical to your organization’s ability to function that you have a disaster recovery plan (DRP) in place. Why? Because a DRP will not only give your organization a step-by-step guide to follow if the worst happens; it can be the difference in whether your organization survives.
What’s Included in a Disaster Recovery Plan?
You might be wondering what exactly should be in a DRP. A disaster recovery plan should be a step-by-step guide on how your organization’s operations can get back up to full speed after a disaster. An effective DRP should not be a one-size-fits-all guide that you pull off a shelf. It should be designed exclusively for you and with your software, systems, and security in mind.
Your customized data recovery plan should include just that – very detailed information on how to restore your data if it is corrupted or lost. This should encompass not just the data itself but all the systems that rely on it and all the day-to-day functions that your team needs to perform. One often-overlooked benefit of having a DRP is that doing so will almost force your organization to put safety measures, security safeguards, and backups in place to protect your data and ensure that it is there to be recovered. For some organizations, the process of thinking through a DRP allows them to establish these essential practices and protocols that they may have been too busy with daily functions to even consider.
What is a Disaster?
Any event that impacts your organization’s ability to function could be considered a disaster. Some common ones (and others that you may not have considered) include:
- Cyberattacks
- Natural disasters – these include storms that physically damage portions of your building or roads necessary to access your facility, flooding, a fire, or even a pandemic.
- Physical disasters – these include losses of power or water on a wide scale as well as small-scale issues within your facility, loss of heating or cooling which can damage IT infrastructure, or break-ins.
- Technological disasters – these are the ones that most people think about when they devise a disaster recovery plan. It could be something as fundamental as a failure of hardware or corrupt software, as potentially devastating as a malware or ransomware attack or data breach, or as unpredictable as a failure of infrastructure or a Cloud platform.
- Another type of disaster that could cross multiple categories is theft – which can include both employee theft as well as theft by an external actor or a hacker.
As you can see, many types of potential disasters could impact your organization, and you can probably think of several that are specific to your operations.
What Should Your Disaster Recovery Plan Include?
You’ve heard the phrase “first things first.” In essence, that is how you should look at a DRP. Determine the most critical functions that you would need to recover first if everything were to fail. Make a list of all your organization’s functions and rank them from most critical to least important. This list will become the backbone of your DRP and will also save your organization money by allowing you to focus funds on what is most critical.
Then take a critical look at your people. Determine whose daily functions are necessary to run your organization, and whose can safely be put on the back burner for a few hours or days. Perhaps surprisingly, these might not be who you would initially think. Once you understand who needs their systems brought up first, you’ll have a roadmap that will help to minimize organizational downtime.
Finally, look at essential contacts outside your organization. These could be vendor lists, donors, and technical support contacts. These lists should be saved both in the cloud and as a physical list in your office. Why both? Because while a cyberattack might take out your cloud systems, a physical disaster like a flood or fire could destroy paper backups.
Then, have your IT team test your DRP. Doing so will help them find things they may have missed and iron out any bumps before they need it.
Don’t Forget…
When you are creating a DRP on your own or with your own internal IT team, you should take a momentary step back and be certain that ALL of your systems are included in your plan. While back-end resources that serve your internal team and donors are usually at the forefront of your plan, it’s a common mistake to forget about some of the systems that we all tend to take for granted. Unfortunately, in a true disaster, these are some of the first things that are essential to get back up and running. Here are a few that commonly get left out:
- Phones — whether VoIP or an old-fashioned traditional system, phones are the most commonly overlooked system but they are the most essential to re-connect with the outside world.
- Internet service
- Email Infrastructure
- Any customer-facing websites or essential portals
- SMS employee and/or donor cell phone numbers — many programs that allow mass texts to employees/donors/essential audiences when a disaster happens. These keep everyone connected if your email system is down, but they only work if you have access to that essential data. A solid DRP will plan for this eventually and have backups of those numbers.
Depending on your organization’s structure, there may be other systems that are essential to how you operate. Take the time to make certain they are in your disaster recovery plan.
Backups are essential
As IT experts who have created countless DRPs for client organizations, we cannot overemphasize the importance of backups. They are often called the holy grail of disaster recovery plans – and for good reason. Consistent and automatic cloud backups are at the heart of this plan. Because you literally “set it and forget it,” you can rest assured that these backups are regularly happening and are there to fall back on when disaster strikes.
Some nonprofit leaders are wary of moving data to the cloud because of security concerns about donor information and they fear a lack of onsite control. While those fears are understandable, they are unfounded because cloud backups are more secure than internal backups. Cloud providers store data securely in state-of-the-art data centers run by massive organizations (such as Microsoft, Google, Amazon, and more). These entities employ teams of cybersecurity professionals who work 24/7 to ensure the safety of your data. Because that is all they do, they are always up-t0-date on the latest threats – much more so than your internal IT team has the bandwidth to be.
But not all backups are created equal or do everything. There are several key types that you’ll want to incorporate into your disaster recovery plan:
- Hardware Backups: These are copies of your hardware and data that are automatically scheduled to backup up on a regular schedule.
- Flat File Backups: As you might guess from the name, this type of backup preserves individual files but not the infrastructure on which they run. So, while you might want to save important documents in QuickBooks, Excel, Word, etc. just be aware that you might need to rebuild your IT architecture (the systems and the programs) before these would be of use in case of a disaster.
- Images/Replication: This is the most extensive type of backup that creates a mirror image of your operating system as it is functioning. This type of backup includes all settings, passwords, configurations, security rules, and more. In case of a true emergency, your organization’s IT team would be able to seamlessly switch to this replicated operating system.
No matter which combination of backups you choose, it’s essential to be in the habit of doing them as regularly as needed for your organization. Decide in advance how far often these backups need to be run to ensure business continuity. For example, if you had to rely on the data in your backup, could you function if that backup was 2 hours old, 1 day old, or 1 week old? The answer will be different for every organization.
A disaster recovery plan will allow your organization to survive in the event of an unforeseen emergency. Being prepared beforehand will allow you to minimize downtime and get back to your mission as quickly as possible. Contact us if you have any questions or need assistance putting your plan together.