Many believe that simply backing up documents, emails and case files is a job well done, a disaster averted, the compliance box ticked. But is that enough? Nigel Wright from Converge TS argues that it is critical for your disaster recovery plan to consider so much more and gives his top tips for Disaster Recovery planning.
Scenario one. It’s a swelteringly hot summer and your air-conditioning unit has a meltdown, leaking all over the servers in your server room. The hardware is dead, the software is potentially lost, and it will take a week to purchase new hardware, rebuild your network from scratch and reload your data. If you’re lucky, that is.
Scenario two. A disgruntled member of staff deletes all your case management files or an in-house IT staff member accidentally deletes client data. Restoring your data will take weeks – or may be impossible.
Scenario three. A member of staff opens an email from HMRC offering a tax refund. The ensuing virus encrypts every document you have, corrupting ten years of case files. A ransom note follows with a deadline to pay, and all staff are locked out of the system until it is paid.
Unlikely? All these scenarios are real, the latter being the infamous CryptoLocker virus that affected businesses globally and a large number of UK law firms last year. Happily, the consequences were not, as all three law firms had comprehensive disaster recovery plans in place.
Having a well thought through disaster recovery plan meant that not only were these firms able to recover case files, documents and emails, losing no more than the last 30 minutes of input, but they were also able to replicate their entire network configuration and reinstall software instantaneously.
When disaster strikes, being able to easily open and find crucial documents can make the difference between a few hours, or a few days, in lost fees. It can also help keep your reputation intact.
The best disaster recovery plans are those that start by considering how long the business can afford for its IT systems to be shut down, and build the plan around that time frame. It’s also important to factor in where your server is best placed. Should it be in-house or off-site?
And what will provide the best security options to keep your data secure and immediately accessible?
Also, most importantly, no plan is worth the paper it’s written on unless it’s tested, and tested again.
Of course, a business continuity plan incorporating disaster recovery is not just a nice-to-have. Law firms owe a duty of care to their clients, with a proven business continuity plan in place that outlines how the firm will continue to trade should the worst happen.
But perhaps the biggest worry for any management team is the potential loss of earnings. Take the recent real-life example of one unhappy constituent smashing into Oxford Council’s offices, resulting in a loss of access to their files for a full three days. What would be the impact of three days of idle fee-earners on your firm?
Today, more than ever, as data volumes massively increase, networks become more complicated and testing more onerous, a well thought through disaster recovery plan that considers every possible scenario has to be an absolute necessity.
Here’s a test: ask your IT team to simulate a worst case scenario. What they recover may not be what you expect.
TOP TIPS FOR DISASTER RECOVERY PLANNING
Plan, plan, plan
First, consider how you can comply with the SRA and Law Society codes of conduct, including ensuring clients won’t be affected by any IT downtime. Second, work out your RTO (Recovery Time Objective) to understand how long your business can afford to be down. If it’s five minutes, build your plan around that. Many organisations work backwards, focusing on what could happen and how long it might take to get up and running again. It’s best to start from the best-case scenario, calculating the impact your business could potentially sustain.
Choose the best server delivery option for you
If hosting your server onsite, consider your entire business needs. For example, will the hardware on your second server be capable of bringing the first server back up to requirements? If choosing an off-site solution, such as the Cloud, does the provider comply with UK ISO 27001, as demanded by the regulation governing use of Cloud-based services? It’s worth noting that UK-based law firms must store data locally, so they will need to locate their servers, Cloud or otherwise, in the UK.
Test, test and test again
An annual all-server shutdown should be the minimum test you undertake. Your clients, panel referrers, quality standards or management team may require it more often. A half-hearted test will not satisfy them, and it should not satisfy you: always test for the worst-case scenario.