The impact of not having a disaster recovery plan for your organisation
Small to medium sized organisations sometimes fail to create a disaster recovery plan, figuring ‘we’re too small’ or ‘it won’t happen to us’. Or, if they do create a plan, they seldom, if ever, test it before it’s required. When faced with unexpected scenarios, such as hardware failure, a security breach or a human impact disaster (March 2020’s COVID outbreak was a perfect example of that), these organisations face worse consequences and have greater trouble recovering.
Max Mayfield’s quote can be applied to technical disasters every bit as much as natural ones. Much like a hurricane, when an unexpected scenario arises, if your organisation doesn’t have an effective recovery plan in place, chaos ensues. Being prepared by having a plan in place ensures that your organisation won’t have to learn through tragedy.
A mistake that we see often in many organisations, particularly SMEs, is a lack of protection for the information that the organisation generates and uses; information to do with their patients, members, constituents etc. Most people understand that data needs to be backed up. We all get that, or at least we should. But the process seldom goes far enough. What do I mean by that? Well, let’s look at what happens with facility-based disaster plans. All organisations have a plan that coordinates an evacuation from their building. The plan ensures a safe, orderly exit, a coordinated assembly at specific spots and ensures that everyone is accounted for. But we don’t just plan it. We DO it. We run drills before an event occurs. Why? So that when it does, we know that the plan we put in place will work.
Unfortunately for most SME healthcare organisations and NFPs, there’s a lack of extension into the virtual world of securing data or information assets. You may have a rigorous backup process, but does anyone test the results? Do you truly know that the data being backed up is there? Can it be retrieved when it’s needed? Who is monitoring that and making sure that it is actually happening?
Following on from our evacuation discussions above – if there is a fire, what happens once we do get everyone out? The building, or at least a significant section of it, is likely to be unusable for quite some time. Is a plan in place in the event that our building suffers a significant amount of water ingress, or the roof collapses etc., and it’s uninhabitable? Can the organisation continue functioning in a normal fashion but operating from elsewhere? And how long does it take to get to the point that the organisation can operate from elsewhere? Can all of the people in your organisation go home tomorrow and continue to work in the same way that they did from the office? And what are the implications of not being able to do that? What is the cost of downtime in terms of your ability to deliver services to the community or to your patients in real terms?
Whether that something has happened as a result of a physical problem in the building, a cut communication line in the street or a cybersecurity breach that resulted in files and data being locked up by criminals that are set on extracting money from you, ultimately, it doesn’t really matter. The end result is all the same. If you don’t have the right disaster recovery plan and the right methodologies and technologies to support that plan in place, any of those things can result in a negative impact.
We saw a great example of that in early 2020. When COVID hit, nobody expected it. Overnight, great swathes of the Australian workforce were sent home. Our clients mostly continued operating as usual because we set the right solutions in place to enable them to work remotely. In other words, there was a plan and when it was needed, it worked.
A survey by Flexential, looking at IT systems within the healthcare sector, revealed the following statistics:
- 85% of respondents had a disaster recovery plan in place
- More than 50% only tested that plan once a year or LESS
- A further 8% never tested it at all!
This means that nearly 2/3 of those respondents that had a disaster recovery plan in place are at risk of the plan not functioning as it should when it’s required. Frequent testing allows for updates and fixes to the plan. The more time passes between each test, the riskier it becomes for your organisation.