You can take hundreds of steps and invest thousands of dollars towards protecting your data and your business from cyber-attacks, but it only takes one hole or one mistake for you to be compromised. That doesn’t mean you stop attempting to secure yourself from these threats. Hackers tend to go after the low hanging fruit so the battle is almost a race to be more secure than the next guy. But when it does happen, you must be prepared to restore the business in a timely manner.
Just like a hurricane, earthquake, or tornado, a hacker can cause serious damage to your business, maybe even cause you to lose it. So when all defenses fail or Mother Nature decides to change her landscape, you must be able to get things back to the way they once were. For that you must build a business continuity plan. This plan helps outline not only the restoration of the IT infrastructure, but the business as a whole. When building the IT end of this plan (often referred to as the IT disaster recovery plan), senior management must outline a few key factors that will ultimately help determine what it will take and cost to get your business running again.
Maximum Tolerable Downtime (MTD)
Think of this number as the worst case scenario. If your company headquarters seized to exist 5 minutes from now, how long would your business be able to survive before it started losing a significant amount of money and/or customers? Some smaller business owners may be ok with 24 hours, others will go crazy if it’s longer than 5 minutes. Whatever that time frame is, the entire senior management team must be in agreement. All business owners must realize that the shorter that window, the more it will cost, and in most cases the price is exponential.
Recovery Point Objective (RPO)
This is the point you are looking to return your data to. This may be 24 hours prior to the attack or a couple hours. Think about it as getting attacked or being hit by a large power surge at 2pm that damages your servers. If your last backup (recovery point) of a system was at 10pm the previous day, that will be the most recent time you can recover your data to, potentially losing a half day of work. But if you have a RPO of 2 hours, which in turn requires backups to be done every two hours, you will be able to recover your data from 12pm that very same day.
Recovery Time Objective (RTO)
This ties in very closely with MTD and RPO. RTO is our goal to get the data restored. Say you have a 2 hour RPO as in our last example, just because you backup your data every two hours doesn’t mean it is instantly restorable. In the case of a hack that damages files, you must first locate your point of attack and mitigate it. Then you need to analyze the damage and verify that no back doors were left open. Once you can confirm that the attacker can no longer gain access to your system we can finally restore data to that point. This could take several minutes to several hours.
All these factors should be looked at on a per asset basis just as each asset has a different value to your company. It wouldn’t be cost effective to require a MTD of 1 hour for a shared drive that consists of low importance items such as a day off request forms or photos of the last company picnic. So knowing your true assets are key. Because anything can happen at any time and it always pays to be prepared.