Disaster Recovery on Stimulus Tech Talk

Stimulus Tech Talk Podcast: Shielding Your Business: The Importance of a Disaster Recovery Plan


What is a disaster recovery plan for business?

In short, a business disaster recovery plan is a written document outlining the steps a business should take when something happens that interrupts or shuts down normal business operations. In this episode Nathan goes over the basics of a disaster recovery plan, the different requirements for different types of businesses, what the biggest risks are, and how to get started creating a disaster recovery plan for your business.

Stimulus Tech Talk is available on most podcast channels and on YouTube.

See below to view or download the transcript:

Stimulus Tech Talk - Why A Disaster Recovery Plan is Essential For Business Transcript

Intro
You're listening to Stimulus Tech Talk, a conversation-based podcast created by Stimulus Technologies. It covers a range of topics related to business and technology.

[Sherry Lipp] Welcome to Stimulus Tech Talk. I am here, as usual, with Stimulus Technologies CEO Nathan Whittacre. And today we're going to be talking about a subject we've brought up many times in past podcasts, but we haven't gone into in depth. And that is creating a disaster recovery plan for your business. Good afternoon, Nathan.

[Nathan Whittacre] Thanks, Sherry. It's good to be here. I apologize for my change in background. The advantage of remote work is being able to kind of work from anywhere. And I happen to be sitting in my kitchen this afternoon, rather than my usual spot, because my office is torn apart at the moment.

[Sherry] So, advantages of technology today, for sure. So let's start out by talking about what a disaster recovery plan is, because we're talking about cybersecurity, not just, you know, natural disaster, although you probably need a plan for that, too. Can you go over what that is?

[Nathan] Well, I think a disaster recovery plan is any plan that you put in place for when your business gets interrupted from normal operations. And so it's not necessarily an I.T. disaster recovery plan. It is a disaster recovery plan. And this could encompass anything from, like you just said, natural disasters to a cybersecurity event. Heck, a pandemic that happens, you know, and I'm sure very few companies had a COVID-19 disaster recovery plan before the beginning of 2020.

But I'm sure a lot of companies have something in place today to get through that. And so it's just basically if your normal business operations get interrupted in any way, what are you going to do about it? And that's what the plan is.

[Sherry] And so why is it important for business? A little more in depth: why should a business have this in place?

[Nathan] Well, I think any size business, whether you're a one-person operation or a thousand-person operation, needs to have at least an idea of how they're going to continue generating revenue and income and keeping their employees going if normal business, you know, normal operations can't happen. So the common things you've got to think about are, like, you know, if you have a power outage or your office gets displaced, you know, because of a move or something like that, how are you going to continue to do work?

I think it's common for businesses to lose power or to lose their Internet service, or maybe for computers to go down. And if they have customers sitting there expecting them to provide services, how are they going to continue doing that? And what I often say to people, you know, in these conversations is, okay, how did you do it 50 years ago or 30 years ago or 20 years ago, before the technology was in place?

And think about how you can continue operations and continue serving your clients in the event of any number of issues that happen. Because in the end, it's the responsibility of the company to both provide employment for their employees and to provide services to their clients or customers, no matter what happens.

[Sherry] All right. So what are the key components to a disaster recovery plan?

[Nathan] All right. The first thing you need to do in any disaster recovery plan is really identify what you need to plan for, for continuing operations. You know, think about, okay, if a major event happens, what do we need to continue providing to our customers, clients and our staff? And so it could be minimal operations. What is the most important thing that we need to do to continue forward?

And then the next step is to think about all the things that could happen to your organization. I mentioned some. It could be a natural disaster, it could be power outages, it could be some type of cybersecurity event, it could be health-related issues where your employees can't travel to your office, for example. And then, you know, identify all those things you need to continue doing to continue bringing money into your company, and then all the things that could potentially disrupt that.

So that's really the beginning of creating a plan.

[Sherry] How does a business identify what their biggest risks are?

[Nathan] Well, I think, you know, sometimes you can't think of everything, right? You know, maybe put them in major categories. For example, maybe environmental. So that could be natural disasters, you know, power outages, things that are, you know, kind of out of their control but are related to the environment.

I think the next step would be maybe regulatory. So things that could happen to a company that could cause some problems. We're thinking, like, right now we've seen, you know, banks go under. So, you know, if there's disruptions to the financial markets, to your bank, to your ability to collect money, that could go into another category.

So kind of financial or regulatory. And then the final thing is the security. Well, maybe not the final thing; maybe the third thing is the security side of things, from a cyber side. So that would be a cyber attack, ransomware, I.T. outages, you know, hardware failure of computers, of servers, cloud outages, things like that. And then that would be another bucket.

And then the final one is the human element. So if there's some type of theft or break-in to your location, that's kind of a human element. If your employees aren't able to work or, you know, there's a major disruption to, you know, the ability of people to come into the office, things like that. And so when you break it up into major categories, then you can go into subcomponents and think about how we are going to start mitigating some of those things, or what we need to do to work around that.

And there might be some things that you just can't, you know, you have to have some type of insurance in place or some things to really backstop the business in the event of a catastrophe that you can't solve in the immediate moment. And then the other side of it is to think about working with some professionals.

So your I.T. people can work with you on defining what would happen if, you know, these different things, these cyber events happen, and run some tabletop exercises like Leia talked about a couple of episodes ago of, you know, okay, what happens if you have a ransomware? What are we going to do about it? And run through the steps through a tabletop exercise.

And so just talk through and write out the different plans. So you need professionals to help you through that. Same thing from a security standpoint: maybe talk to a security vendor, or talk to an H.R. professional for the human element. So there's different professionals that you should bring in to discuss what you should do as a company to overcome those issues.

[Sherry] In your experience, are there any risks, the common things that businesses might not think of as being a risk, that they, you know, don't plan for because they're not really aware of it?

[Nathan] I think, you know, when we talk about cybersecurity, we often think that the hackers are going to come into the business and, you know, break through a firewall or, you know, bring down your server. But a lot of times, you know, you've got to think about the internal side of things: your employees doing things to damage your company internally, whether intentionally or not. So I think that's one of the areas that companies miss, is thinking about the internal threats of their employees, whether it's, again, accidental or intentional.

And then, of course, there's all the environmental side of things. You know, as I mentioned before, power outages could cause problems, could cause disruption to your Internet service, to your office. And, you know, there's a lot of things that could happen that are external that companies can work through. So again, talking to your I.T. professionals, you can work through a lot of those issues.

[Sherry] Are there legal requirements for creating a disaster recovery plan?

[Nathan] There are for some types of businesses. You have to have a disaster recovery plan in place when you're, like Leia talked about before with the CMMC framework, under one of these compliance frameworks that require a disaster recovery plan. And then of course, if there's any data that's lost in some type of, especially, a cybersecurity event, there are legal responsibilities to report that to the appropriate, you know, compliance regulatory agency.

So, depending on the industry you're in, there could be regulatory requirements to have a disaster recovery plan in place. Also, going back to the insurance side of things, some insurance companies may require your company to have a disaster recovery plan in place before they'll insure you for even general liability insurance for the company.

So having these plans in place might be required, you know, depending on the regulatory agency and then depending on what the insurance company asks you to do.

[Sherry] And I imagine that's kind of changed. Have you seen that change over the years as far as requirements? Is that increasing?

[Nathan] Absolutely. I mean, a lot of these insurance companies today are requiring a lot more internal plans, policies and procedures to be in place before they'll even insure companies.

Or if you don't have them in place, they're going to charge you more money, as we talked about. So every year, the applications are becoming much more stringent with the insurance companies. And then, of course, the government is putting new regulations in place all the time. We see, like in the last year, the Federal Trade Commission put in these safeguard rules that were just in place with the banking sector and now have come into place in the car dealership or the finance, you know, the middlemen of finance. And so the federal government and state governments are putting more regulations in place that require some of these plans to be in effect.

[Sherry] Along those lines, how often do you think or should a disaster recovery plan be reviewed by the company and by their I.T. professionals?

[Nathan] I think, minimally, once a year the disaster recovery plan should be reviewed, because things do change. And it's also good to keep it top of mind with the management team. Some regulatory requirements may make you do it more often than that, you know, do tabletop exercises maybe monthly for certain potential disasters.

And you may want to do it more often than annually because, you know, there's maybe more environmental issues or, you know, critical infrastructure you're maintaining. So it really depends on what type of business you're in and the critical nature of your business. So, for example, if you're a hospital, it might be more important to do that more often, because you're providing critical care to other people, versus maybe a business that isn't as essential as the hospital is to continue operations.

[Sherry] And what kind of liabilities might a business be facing in the event of a disaster, or does it depend on what kind of disaster it is?

[Nathan] Certainly. Like, you know, kind of going back again to the security aspect, the cybersecurity aspect of a disaster. If you're hit with a ransomware attack or any of your data gets out, there could be fines that are associated with release of information. And that could be, let's say, in the HIPAA environment with health care, those fines could be $10,000 per patient record in, like, the state of California.

And then federally there would be additional fines. So these types of fines for noncompliance with your own disaster recovery plan and security plans could range in the hundreds of thousands to millions of dollars very easily. If you have the plan in place and you're following the plan, following your cybersecurity and disaster plans, and you implement it and follow it, the fines are usually not enforced, because you're doing everything possible.

I mean, the regulatory environment, insurance companies understand that they're there in place to protect as much as possible, but it's not 100%. So, you know, there's other things that you can't plan for, that you can't mitigate 100% against or protect 100% against. But if you're doing everything possible, then those things don't come into play. Those fines and things don't come into place.

So that's why having the plans and following your own plans is really essential to any cybersecurity, any disaster recovery plans. And then in the end, you want to continue servicing your clients. You know, that's what brings in the money. Because if you're out of business because of a cyber event, or because of a major illness that goes through your location, or loss of I.T. infrastructure, you can't service your clients. You might not be able to look up their information, and then you would have to go to your stopgap of your, you know, your liability insurance to hopefully get some revenue back to pay your employees. You know, so there's a lot of things that could happen. If you can't continue in your business, then you could lose your whole company because of it. And so having these in place makes your company stronger, so you can continue providing good employment for your employees and services to your clients.

[Sherry] Are there costs associated with creating the plan?

[Nathan] Obviously, there's time, you know, internal time. So you'll need to have your management team review these, so there's time involved. Most companies that will help you put these plans together, like Stimulus, might include them in some type of security package or management package. So talk to your different professional groups, your attorneys, your CPAs, your I.T. professionals, and see what they have. But usually they would have some type of package that they could put together and help you put these plans in place. So certainly there's a cost, but it could be, you know, kind of a part of a comprehensive security plan, which is the way that we do it at Stimulus.

[Sherry] And so if someone is looking for somebody to help them with this, if they don't already have a company in place, should they be looking? Are there companies that kind of specialize in different industries for this that they should be looking for?

[Nathan] Yeah. So definitely from an industry perspective, it's important, if you have to be compliant from a regulatory standpoint, you're going to want somebody that understands the regulatory aspects.

So Leia was on a couple of weeks ago with her CMMC; she really understands the DOD supply chain and the requirements that are related to that. So I'd look for a company that understands that if you are in that industry. It's the same thing with health care. I think it's really important to work with a company that is familiar with health care, and, you know, there's little niches that you have to look for.

So I would look for a company that has those specializations. You know, for Stimulus, we know general cybersecurity and we know the nuances of, you know, FTC safeguards, you know, for the accounting and finance sector, for health care; we're familiar with those, and we can help companies. That's why I brought Leia in for the DOD supply chain, because we don't specialize in that. So having that in place really makes a difference, working with a company that knows that industry.

[Sherry] And one question to kind of wrap this up, what advice would you give to a business owner who was just getting started in creating their plan?

[Nathan] I'd say just get started. That's the hardest part, right? You know, sit down with your management team, spend an hour or two just, you know, again, creating those lists of, okay, these are the minimal operations that we need to continue bringing dollars into the company. We need to be able to answer our phones and/or send emails. And we need to have our building working, you know, what are the minimum things? And then, you know, just brainstorm about the bad things that could happen to the company. And then even if it's just a few items, like who to call, you know, maybe some outside vendors to assist you.

And, you know, that's what we did when we got started. You know, there was some critical infrastructure that we needed to make sure that we maintained, and we just created a Word document, like, okay, pasted on the wall: if this happens, then, you know, call Nathan first and then call these companies, and then this is what we need to do.

So just start writing things out, and then review it and refine it over time. But the hardest part is to get started. I think all companies should at least have something in place to continue operations in the event of a disaster.

[Sherry] All right. Well, thank you, Nathan, for the valuable information, as always.

[Nathan] Always fun to be here. And maybe next time it won't be from my kitchen, but we'll always be here.

[Sherry] And thanks, everybody, for listening.

[Nathan] All right. Thanks, Sherry. Thanks, everybody.