Disaster Recovery (DR) has become an increasingly vital core component of the technology management toolkit that organizations ranging from small businesses to large enterprises need to have in place. A well-planned and well-practiced disaster recovery plan is particularly vital for law firms. This article examines why and outlines some basic features of a professional-grade DR plan worthy of protecting a firm’s most vital data and workflows.
The “disaster” name should not be construed too literally. An IT disaster can certainly include events ranging from local fires to regional flooding. But the real focus of an effective IT DR plan is maintaining business continuity in the face of any acute threat to operations. These threats can range from a localized facilities issue driving datacenter failure to a full-fledged cyberattack. These disasters can not only threaten crucial operations but permanently destroy essential files (whether stored physically or on on-premise digital storage infrastructure).
While the scale of DR implementations can vary widely depending on an organization’s technology usage, the fundamental principles of an effective IT disaster recovery plan remain the same: protecting data while providing a detailed plan to ensure business continuity.
This combination of safeguarded digital assets and more resilient operations is an attractive risk-management investment for any organization. IBM estimates that the average cost of a data breach is $3.92 million. In the United States, that figure climbs to $8.9 million. In the past, an adequate DR solution was often cost-prohibitive, requiring redundant technology systems to be maintained. The cloud, however, has rapidly transformed the disaster recovery landscape. In today’s market, it’s far more cost-effective to maintain the requisite recovery capabilities without bloated, redundant technology spends.
SPECIAL FACTORS DRIVING THE NEED FOR ROBUST DISASTER RECOVERY PLANS FOR LAW FIRMS
Law firms are more dependent than ever on technology for day-to-day operations. Losing access to technology services in the event of a disaster doesn’t just mean an inability to access archived files—it can affect a firm’s ability to conduct even mundane day-to-day operations like research, secure file management, and client communication.
Additionally, the confidential and/or regulatorily protected data managed by many law firms create a multi-faceted concern. First, firms need to maintain the ability to work with secure files in the wake of a disaster. Second, the potentially sensitive nature of this data renders law firms a prominent target for ransomware and other malicious attacks. Finally, clients are adopting increasingly robust practices for ensuring that law firms are keeping data safe. The IT consulting firm LogicForce reports that 48% of law firms had their data security practices audited by at least one corporate client within the past year.
This means that a disaster recovery plan needs to be not only adequate but ready to match up with best practices for the industry—operability and security need to be maintained in a post-disaster environment.
ALIGNING FUNDAMENTAL COMPONENTS OF ENTERPRISE-QUALITY IT DISASTER RECOVERY
Every organization’s technology usage and data needs are unique, and IT leaders need to think specifically about what workflows and technology services their firm will need to maintain in the event that regular operations/technology deployments are incapacitated. That said, a cluster of fundamental components constitutes the bedrock of any enterprise-grade DR strategy.
- Digitization is an Essential Foundation: Some firms are still dependent on paper files, and rectifying this fact is a key step to a robust DR plan. Physical disasters present an acute threat to paper, and “paper data” that is lost in a flood or fire can never be recovered. While it may make sense to maintain certain low-value records as paper archives, your DR plan needs to seriously consider the cost of losing access (perhaps permanently) to paper records in the event of a disaster. If your firm cannot operate effectively without utilizing a particular set of files, digitizing them needs to be a top priority. Bringing documents into secure cloud storage will also help maintain best practices for security and improve mobile productivity for your firm.
- A Thorough Strategic Perspective on Systems Required for Business Continuity: A huge array of assets can potentially be affected by a disaster, including hardware/storage, communication tools, and even office workstations. Once these at-risk assets have been cataloged, the firm can proceed to tally the total memory and computing requirements of standing up alternative systems and methods in case of a disaster, comparing these costs to the recovery objectives discussed below.
- Establish Clear Goals for Recovery: While most data retained by your firm has some value, some will be a far higher priority for keeping your business operating after a disaster. Disaster recovery plans need to provide for explicitly stated Recovery Point Objectives (RPOs). A Recovery Point Objective specifically tallies the data that is immediately needed to get your business up and running quickly. A Recovery Time Objective (RTO) is also essential, as the specific timeline for recovery can make or break a plan’s viability. A firm may be able to operate without its past project archives for a few weeks, for instance, but will need e-mail, filing, and research tools to be back up and running “at the speed of business” in the aftermath of a disaster—RPOs can be less than 5 minutes for mission-critical systems.
- Simulation-Driven Verification: There’s no substitute for a dry run of a disaster. A disaster simulation helps identify standing weaknesses and gaps in the plan while providing management with assurance that the plan is ready for action. An effective DR plan includes substantial “non-digital elements,” like maintaining access to contact information for employees and clients, notifying customers of any delayed work, and laying out a clear set of responsibilities to provide for smooth operations during the outage—these nuts and bolts of effective DR can be hard to foresee without a commitment to rigorous testing.
- A Regularly Updated Plan: A five-year-old plan sitting on the server simply cannot be effective. Plans need to be regularly reviewed and updated, ideally on a yearly basis. A regular review ensures that your firm’s plan keeps pace with best practices and the ground-level reality of the firm’s current technology usage.
With no disaster recovery plan at all, a simple flooded facility can cost millions, perhaps even doing irreparable damage to a firm’s reputation with clients. At the same time, the infrastructure needed to ensure business continuity post-disaster is more cost-effective than ever. With these facts in mind, an enterprise-grade disaster recovery plan is an excellent risk management investment for any firm—in some cases requiring nothing more than the time and focus of IT leaders.
If you’re interested in learning more about best practices for IT disaster recovery, you can find some useful foundational resources at the Department of Homeland Security’s preparedness website: www.ready.gov/business/implementation/IT.