
How small and medium businesses (SMBs) can fast-track a disaster recovery plan

September 15, 2023 by Patrick Mallory

In an always-on and increasingly digitized world, small and medium-sized businesses (SMBs) quickly find they are in the crosshairs of cybercriminals.  

Whether from a sense of naivete that “it couldn’t happen to me,” a lack of time, or even trouble knowing where to start, these businesses are often ill-prepared to handle the consequences of a cybersecurity breach or other disasters. 


That's why it is crucial for SMBs to understand their risks, know how to mitigate them, and prioritize developing and implementing a robust disaster recovery plan. Delve into the insights provided by Eric Sugar, an expert in disaster recovery planning at ProServeIT, to understand why small businesses should fast-track this process and, more importantly, how they can start creating their own. 

The rise of cybersecurity threats for SMBs 

Armed with automated scanning and exploitation tools and driven by a desire to make quick money, cybercriminals are increasingly targeting small and medium-sized businesses. As larger companies with more extensive IT and security budgets continue to prioritize enterprise security controls and understand the role of security awareness training, SMBs are quickly becoming more vulnerable and appetizing targets.  

This is primarily because SMBs are less likely to have the extensive resources and IT staff of larger corporations needed to properly deploy and configure controls and to detect and respond to risks, making them attractive targets for hackers. While there can be many drivers behind this misalignment between the services a business delivers and the backend IT security that defends its networks and enables their recovery, Sugar suggests that it often comes from failing to understand the role that technology plays in enabling and protecting operational and customer data. 

One way to overcome this, Sugar suggests, is to take the time to understand the link between the economic drivers of your business, how they are tied to technology, and, ultimately, how those related systems can be backed up, stored and recovered in the event of a disaster. For example, an SMB-sized lawn maintenance company may still generate revenue even if its IT systems are temporarily down, whereas a large retail store that heavily relies on technology for transactions cannot afford extended downtime.  

Recognizing this connection between your economic drivers and the technology that enables them will help determine the amount of preparation, target recovery point objectives (RPOs), recovery time objectives (RTOs) and scale of your disaster recovery plan. 

Critical considerations for disaster recovery planning 

Creating a disaster recovery plan for SMBs requires careful consideration of various factors. Fortunately, resources and best practices are available from industry groups, non-profits, universities and regulatory bodies like NIST. However, as with any technology decision, there is no one-size-fits-all approach to disaster recovery planning, so any plans you may find will need to be tailored for your systems, business drivers, IT staff and other specific considerations and requirements.  


To help organizations kick-start the process, Sugar emphasizes that a great first step is to assess the potential impact of technology downtime on your business operations. This assessment can then help to determine the RPOs, RTOs and the critical assets and individuals that need to be included in disaster recovery planning.  

Other key considerations: Budget and planning requirements 

Small businesses often operate on tighter budgets and fewer IT professionals, making it essential to allocate resources effectively for disaster recovery planning. As Sugar suggests, this is where the initial assessment and asset inventory can be critical to customizing the plan — and, in turn, budget — to meet your organization's needs and scale.  

This customization may lead to your organization choosing to partner with a managed service provider who specializes in disaster recovery and can assist with the end-to-end process, as well as ongoing support. In the event of a disaster, this managed services partner can dedicate disaster recovery specialists to your case to provide rapid response and support until recovery.  

Managed services partners can also help maintain the disaster recovery plan, which can evolve as your business does. By putting in the time for regular disaster recovery testing and planning, SMBs can better safeguard their operations without breaking the bank. 

Disaster recovery planning in practice 

While every organization's disaster recovery planning process will be unique, they generally follow a common set of steps. These include: 

  1. Risk Assessment: Identify potential threats, vulnerabilities and their potential impact on the business. 

  2. Business Impact Analysis (BIA): Assess the criticality and dependencies of various business processes and systems to prioritize recovery efforts. 

  3. Strategy Development: Determine the appropriate recovery strategies, such as backups, redundancy and alternate site arrangements. This can also include decisions on whether to perform disaster recovery steps with internal staff or to utilize managed services support. 

  4. Plan Development: Create a detailed recovery plan that outlines step-by-step procedures, roles and responsibilities, and communication protocols for key internal and external stakeholders. 

  5. Backup and Recovery Systems: Establish robust backup mechanisms, including regular data backups, off-site storage and secure restoration processes. 

  6. Testing and Training: Conduct regular testing and simulations to validate the effectiveness of the recovery plan and ensure staff are familiar with their roles. 

  7. Plan Maintenance: Review and update the recovery plan periodically to ensure changes in the organization, technology and potential risks are reflected. 

  8. Vendor and Supplier Management: Collaborate with vendors and suppliers to ensure they have disaster recovery plans aligning with your business requirements. 

  9. Continuous Improvement: Learn from previous incidents, peers, simulations, and best practices and incorporate these lessons into the disaster recovery planning process to enhance resilience and response capabilities. 

It’s important to note that although these steps are listed in order, the disaster recovery planning process is actually cyclical and continuous, requiring regular reassessment and updates to help ensure its effectiveness. 
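The BIA, strategy and testing steps above come together when you check a concrete system inventory against the RPO and RTO targets the assessment produced. The following script is an added illustration, not code from the article or from ProServeIT: it takes a constructed inventory of a small business's systems (the system names, hourly loss figures, targets and restore timings are all made-up sample data), flags where the backup interval cannot meet the RPO, computes an effective RTO that accounts for dependencies that must be restored first, reports systems whose restore has never been tested, and derives a recovery order that brings up the most costly dependency chains first.

```python
"""Check a small-business system inventory against RPO/RTO targets.

Added example for illustration; the inventory below is constructed sample
data and every hour/revenue figure in it is made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class System:
    name: str
    loss_per_hour: float          # estimated revenue loss per hour of downtime (from the BIA)
    rpo_hours: float              # maximum tolerable data loss, expressed in hours of work
    rto_hours: float              # maximum tolerable downtime, in hours
    backup_interval_hours: float  # how often a backup is actually taken
    restore_hours: Optional[float]  # restore time measured in the last DR test; None if never tested
    depends_on: list[str] = field(default_factory=list)


def worst_case_data_loss(system: System) -> float:
    # Assumption: a failure just before the next backup loses one full interval of work.
    return system.backup_interval_hours


def effective_rto(inventory: dict[str, System], name: str, _seen: tuple = ()) -> Optional[float]:
    """Hours to bring `name` back, including dependencies that must be restored first.
    Returns None if this system or any dependency has no measured restore time."""
    if name in _seen:
        raise ValueError(f"dependency cycle at {name}")
    s = inventory[name]
    if s.restore_hours is None:
        return None
    longest_dep = 0.0  # dependencies are assumed to restore in parallel, so take the slowest
    for dep in s.depends_on:
        dep_rto = effective_rto(inventory, dep, _seen + (name,))
        if dep_rto is None:
            return None
        longest_dep = max(longest_dep, dep_rto)
    return longest_dep + s.restore_hours


def downstream_impact(inventory: dict[str, System], name: str, _seen: tuple = ()) -> float:
    """Hourly loss of `name` plus every system that (transitively) depends on it.
    A shared dependency on a diamond-shaped graph is counted once per path; fine for ranking."""
    if name in _seen:
        raise ValueError(f"dependency cycle at {name}")
    total = inventory[name].loss_per_hour
    for other in inventory.values():
        if name in other.depends_on:
            total += downstream_impact(inventory, other.name, _seen + (name,))
    return total


def recovery_order(inventory: dict[str, System]) -> list[str]:
    """Restore dependencies first; among systems that are ready, the one whose
    downtime (including everything waiting on it) costs the most goes next."""
    done: list[str] = []
    remaining = set(inventory)
    while remaining:
        ready = [n for n in remaining if all(d in done for d in inventory[n].depends_on)]
        if not ready:
            raise ValueError("dependency cycle or dependency missing from inventory")
        nxt = max(ready, key=lambda n: downstream_impact(inventory, n))
        done.append(nxt)
        remaining.remove(nxt)
    return done


def assess(inventory: dict[str, System]) -> dict[str, list[str]]:
    """Per-system findings: RPO gaps, RTO gaps and restores that were never tested."""
    findings: dict[str, list[str]] = {}
    for name, s in inventory.items():
        notes: list[str] = []
        loss = worst_case_data_loss(s)
        if loss > s.rpo_hours:
            notes.append(f"RPO gap: backups every {s.backup_interval_hours}h, target {s.rpo_hours}h")
        rto = effective_rto(inventory, name)
        if rto is None:
            notes.append("RTO unknown: restore never tested for this system or a dependency")
        elif rto > s.rto_hours:
            notes.append(f"RTO gap: effective restore {rto}h exceeds target {s.rto_hours}h")
        findings[name] = notes
    return findings


# Constructed sample inventory (hypothetical retail SMB); all numbers are invented.
SAMPLE_INVENTORY: dict[str, System] = {
    "directory": System("directory", 0, rpo_hours=24, rto_hours=4, backup_interval_hours=24, restore_hours=2),
    "pos": System("pos", 1500, rpo_hours=1, rto_hours=4, backup_interval_hours=4, restore_hours=3,
                  depends_on=["directory"]),
    "scheduling": System("scheduling", 100, rpo_hours=24, rto_hours=48, backup_interval_hours=24, restore_hours=None),
    "website": System("website", 300, rpo_hours=24, rto_hours=8, backup_interval_hours=24, restore_hours=1),
}

if __name__ == "__main__":
    for system, notes in assess(SAMPLE_INVENTORY).items():
        print(system, notes or ["ok"])
    print("recovery order:", recovery_order(SAMPLE_INVENTORY))
```

Two things the numbers alone do not show: the point-of-sale system misses its RTO even though its own restore fits, because the directory it depends on has to come back first; and the low-value directory service is restored first anyway, because the revenue waiting on it is what the business actually loses per hour. Re-running the check after every DR test, with the measured restore times filled in, is the "plan maintenance" step in practice.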

Bringing it all together 

Despite the alarming statistics and the potential devastation caused by cyberattacks, ransomware events, and data leaks, SMBs are starting to recognize the gravity of the situation and are fighting back.  

In fact, according to one report, in 2021, only 32% of SMBs were allocating the recommended 6-15% of their IT budget to cybersecurity. However, just one year later, in 2022, 68% of companies had aligned their budgets with these recommendations. Moreover, a significant portion of SMBs, 46%, plan to maintain their cybersecurity spending, while 48% are planning to further increase their investments.  


This shift, including key investments in time and resources in disaster recovery planning, signifies that the SMB market is increasingly taking security seriously, further frustrating cyber attackers, protecting their critical data and — most importantly — their future. 

Check out Eric Sugar's complete guide to disaster recovery planning for SMBs at the Cyber Work with Infosec podcast.

Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.