Fail to prepare, and you prepare to fail. Natural and man-made disasters are not a matter of if, but when, and they have huge potential to knock out your data access and networks. Take a proactive approach to your business’s longevity with these 7 disaster recovery principles:

Understand the threats you face

A rock-solid BC/DR plan will not only recognize the full spectrum of dangers to your business, it will have a step-by-step reaction plan. For example, if a cyberattack knocks out your servers in Miami, do you have a transition plan? Thinking one, two, and three steps ahead will save you time and money in the long run.

Realistically, not all scenarios are equally probable, so focus as best you can on the most likely disruptors. Sadly, in recent months and years, the prevalence of cyberattacks has been steadily rising, and they are now a top threat. With that in mind, give cyberattack planning some precedence over other scenarios, such as natural disasters.

Do a business impact analysis

How do I prioritize my DR plan? The most effective method is to put your information systems through a BIA, or business impact analysis.

In summary, a BIA classifies the effects (financial, legal, regulatory, etc.) of man-made or natural catastrophes on your business’s activity. By establishing priorities for your DR plan with a BIA, you ensure your recovery strategy is as efficient as possible.

You can find BIA templates and questionnaires online from and the National Institute of Standards and Technology, among other sources.

Focus on your people

Organizations should avoid the trap of making their DR plans too focused on data and not focused enough on people and process. Think about building your DR plan in the context of your entire association. Questions to ask are: What do your employees need to continue working after a disaster? How will productivity be impacted?

Another critical component of a DR plan is assembling a team appointed to handle these situations. Make sure you have all their contact information and make it clear who will work during a crisis. Know who you’ll call for help, such as law enforcement, and if possible, establish a relationship with authorities. Further, decide who will speak for your company if victims and/or employees need to be formally addressed.

Keep it fresh

Internal systems change (major software updates are one example), and your plan isn’t complete until it takes all systems and applications currently in use into account.

Plus, there is a good chance new offerings have become available since your DR plan was made. DR plans are based on assumptions about the processes and tools available at the time the plans are finalized, but those assumptions can change significantly.


Not everything in your business is worth saving or needs to be protected. Any PII about your employees is certainly a top priority, but any info that is for public release is not as important. If your house were on fire, what would you grab as you ran out the door?

Regular practice drills

Simply having a plan is not enough. It must be consistently tested, and people need to practice procedures, like a fire drill. If not regularly practiced, the plan is ineffective.

Don’t wait

If you wait until after a cyberattack or disaster to figure out what to do next, your chances of recovery drop dramatically. Don’t be a part of the 25% of businesses who shut down after a disaster. Be proactive!