How small and medium businesses (SMBs) can fast-track a disaster recovery plan
In an always-on and increasingly digitized world, small and medium-sized businesses (SMBs) quickly find they are in the crosshairs of cybercriminals.
Whether from a sense of naivete that “it couldn’t happen to me,” a lack of time, or even trouble knowing where to start, these businesses are often ill-prepared to handle the consequences of a cybersecurity breach or other disasters.
Phishing simulations & training
That's why it is crucial for SMBs to understand their risks and how to mitigate them and prioritize developing and implementing a robust disaster recovery plan. Delve into the insights provided by Eric Sugar, an expert in disaster recovery planning at ProServeIT, to understand why small businesses should fast-track this process and, more importantly, how they can start creating their own.
The rise of cybersecurity threats for SMBs
Armed with automated scanning and exploitation tools and driven by a desire to make quick money, cybercriminals are increasingly targeting small and medium-sized businesses. As larger companies with more extensive IT and security budgets continue to prioritize enterprise security controls and understand the role of security awareness training, SMBs are quickly becoming more vulnerable and appetizing targets.
This is primarily because it is less likely that SMBs have larger corporations' extensive resources and IT staff to properly deploy, configure, detect and respond to risks appropriately, making them attractive targets for hackers. While there can be a lot of drivers behind this misalignment between services and the backend IT security that defends and enables recovery of their networks, Sugar suggests that this perception often comes from failing to understand the role that technology plays in enabling and protecting their operational and customer data.
One way to overcome this, Sugar suggests, is to take the time to understand the link between the economic drivers of your business, how it is tied to technology, and, ultimately, how those related systems can be backed up, stored and recovered in the event of a disaster. For example, an SMB-sized lawn maintenance company may still generate revenue even if its IT systems are temporarily down, whereas a large retail store that heavily relies on technology for transactions and cannot afford extended downtime.
Recognizing this connection between your economic drivers and the technology that enables them will help determine the amount of preparation, target recovery point objectives (RPOs), recovery time objectives (RTOs) and scale of your disaster recovery plan.
Critical considerations for disaster recovery planning
Creating a disaster recovery plan for SMBs requires careful consideration of various factors. Fortunately, resources and best practices are available from industry groups, non-profits, universities and regulatory bodies like NIST. However, as with any technology decision, there is no one-size-fits-all approach to disaster recovery planning, so any plans you may find will need to be tailored for your systems, business drivers, IT staff and other specific considerations and requirements.
ChatGPT training built for everyone
To help organizations kick-start the process, Sugar emphasizes that a great first step is to assess the potential impact of technology downtime on your business operations. This assessment can then help to determine the RPO, RTOs and the critical assets and individuals that need to be included in disaster recovery planning.
Other key considerations: Budget and planning requirements
Small businesses often operate on tighter budgets and fewer IT professionals, making it essential to allocate resources effectively for disaster recovery planning. As Sugar suggests, this is where the initial assessment and asset inventory can be critical to customizing the plan — and, in turn, budget — to meet your organization's needs and scale.
This customization may lead to your organization choosing to partner with a managed service provider who specializes in disaster recovery and can assist with the end-to-end process, as well as ongoing support. In the event of a disaster, this managed services partner can dedicate disaster recovery specialists to your case to provide rapid response and support until recovery.
Managed services partners can also help maintain the disaster recovery plan, which can evolve as your business does. By putting in the time for regular disaster recovery testing and planning, SMBs can better safeguard their operations without breaking the bank.
Disaster recovery planning in practice
While every organization's disaster recovery planning process will be unique, they generally follow a common set of steps. These include:
-
Risk Assessment: Identify potential threats, vulnerabilities and their potential impact on the business.
-
Business Impact Analysis (BIA): Assess the criticality and dependencies of various business processes and systems to prioritize recovery efforts.
-
Strategy Development: Determine the appropriate recovery strategies, such as backups, redundancy and alternate site arrangements. This can also include decisions on whether to perform disaster recovery steps with internal staff or to utilize managed services support.
-
Plan Development: Create a detailed recovery plan that outlines step-by-step procedures, roles and responsibilities, and communication protocols for key internal and external stakeholders.
-
Backup and Recovery Systems: Establish robust backup mechanisms, including regular data backups, off-site storage and secure restoration processes.
-
Testing and Training: Conduct regular testing and simulations to validate the effectiveness of the recovery plan and ensure staff are familiar with their roles.
-
Plan Maintenance: Review and update the recovery plan periodically to ensure changes in the organization, technology and potential risks are reflected.
-
Vendor and Supplier Management: Collaborate with vendors and suppliers to ensure they have disaster recovery plans aligning with your business requirements.
-
Continuous Improvement: Learn from previous incidents, peers, simulations, and best practices and incorporate these lessons into the disaster recovery planning process to enhance resilience and response capabilities.
It’s important to note that although these steps are listed in order, the disaster recovery planning process is actually cyclical and continuous, requiring regular reassessment and updates to help ensure its effectiveness.
Bringing it all together
Despite the alarming statistics and the potential devastation caused by cyberattacks, ransomware events, and data leaks, SMBs are starting to recognize the gravity of the situation and are fighting back.
In fact, according to one report, in 2021, only 32% of SMBs were allocating the recommended 6-15% of their IT budget to cybersecurity. However, just one year later, in 2022, 68% of companies had aligned their budgets with these recommendations. Moreover, a significant portion of SMBs, 46%, plan to maintain their cybersecurity spending, while 48% are planning to further increase their investments.
ChatGPT training built for everyone
This shift, including key investments in time and resources in disaster recovery planning, signifies that the SMB market is increasingly taking security seriously, further frustrating cyber attackers, protecting their critical data and — most importantly — their future.
Check out Eric Sugar's complete guide to disaster recovery planning for SMBs at the Cyber Work with Infosec podcast.
ChatGPT training
In this Series
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization