I was asked to do a disaster recovery review for a small non-profit corporation recently. While larger organizations regularly bring in somebody to review their preparedness for disasters, small businesses rarely bring in an outsider. This company had fewer than 20 employees, all at a single location.
As always, the first step was to interview the key people in the company. The purpose of these interviews is to find out about the current situation and to understand what the staff believes about the DR plan. With a company of this size, it did not take long to understand the situation. The staffers generally believed they could handle a disaster and had no immediate concerns. However, the current situation did not give me the same confidence.
There were two servers used for the major applications, an accounting system and a CRM system. These servers were also used for general file sharing. Each of the two applications had customized reports added. The individual laptops and desktops each had their own office software installed as well as many unshared files and copies of the shared files.
A tape backup was run every night for the servers, and one of the staff took the tape home and rotated through a week’s worth of backups. The tapes were never checked. The service provider who would restore tapes was a part-time administrator who ran a business providing services for other organizations.
The administrator, known inside this company as “the guy,” would come over on demand when there was an issue. The DR plan was to take the tapes to the part-time administrator’s office and restore the data on servers there. This had never been done, not even as a test.
The company’s DR plan did not address the possibility of a regional disaster where the personnel were not available or operations were impacted by lack of power or a network failure. The feeling was that the operations could tolerate being unavailable for a week, and that any longer outage was highly unlikely and would bring greater consequences that would overshadow being out of operation. The possibility of losing key personnel was not included in this review but was part of an overall staffing plan.
The shortcomings were obvious, but the real issue was the lack of understanding of their limitations and the practices required. There was an unwarranted belief that there would be no issue restoring data from tape, that any server could immediately assume the role of the application servers, and that none of this needed to be exercised regularly. This obviously meant that the company needed education around the topic of DR and best practices, and that the local service provider chosen might not have the skill or desire to do what was really best for the customer.
I wrote a report and made recommendations for what should be done. The flexibility to address the problems was more limited with the small business than with companies that I would typically deal with, so I needed to consider the expenses and training.
Small businesses need a disaster recovery plan and a set of practices to implement. They also need education about how to develop a plan, what to look for and some criteria around choosing a service provider (“the guy”). It will be interesting to follow up and see what changes are made.