Covenant Technology, an IT consulting group based in Houston, Texas that specializes in small and mid-size businesses, has been advising clients on disaster preparedness for years. But in 2005, when Hurricane Rita blew ashore too close for comfort, a number of those plans got put to the test.

“We had one client -- an investment business -- that we had recently helped with a disaster plan. This particular client wanted a plan that meant they’d never be down," recalls David Robertson, president of Covenant Technology. The business was in Houston, close to the coast. When Rita hit, they tested the plan and were able to continue trading from an inland backup location, in San Antonio.

Robertson and his client made all the right decisions preparing for a disaster. Most businesses don’t. “Most small to mid-size businesses are not adequately protected. They don’t anticipate the possibility of an event in any form,” says Frank Scavo, president of Computer Economics, an Irvine, Calif. research firm.

There are a lot of reasons businesses tend to procrastinate: expense, time, disbelief that anything will ever go wrong, or simply not knowing where to begin. Here are six steps to get started that will hopefully minimize costs and time commitment, as well as make a compelling case to take action.

Step One: List events that may cause lost data or technology.

  • Ideally: Companies should have contingency plans for the kinds of disasters that they are vulnerable to based on geography or the nature of their business. A business in California may be primarily concerned with earthquakes and wildfires, while companies in Houston are focusing on floods and hurricanes. Other companies may be more concerned about being a high-risk target for theft or terrorism.
  • Other considerations: Scavo advises business owners to also consider more mundane disasters. “Just losing a laptop that has the only copy of a piece of critical business data can be devastating," he says. "The trend towards mobile computing has compounded this risk in recent years.”    
  • At the very least: “Pick the ones that are most worrisome,” says Robertson. Planning for the biggest risks is better than no planning at all.

Step Two: Safeguard the company data.  

  • Ideally: In addition to routinely backing up data, Robertson recommends that companies store it offsite with a Web-based data storage solution. Many third party solutions are reasonably priced for smaller businesses.
  • Other considerations: The more redundancies the better. A locally-owned data center that rents space is great for backing up company information. But in the event of a natural disaster, it can be compromised, too. Ask if they have a back-up system elsewhere in the country.
  • At the very least: “It’s cheap to just get an external hard drive, plug it into the server, and do a complete backup. But you have to remember to do it,” says Robertson. You also have to remember to store it offsite. Scavo suggests rotating sending it home with different employees.

Step Three: Safeguard the network.

  • Ideally: A lot of companies take adequate measures to save data, but forget to do the same to save the system,” observes Scavo. Make arrangements in advance with a co-location facility that offers not only redundancies in backing up data, but fire suppression, backup power, and proper cooling to keep the servers humming.
  • Other considerations: Define acceptable ‘down times,’ which differ depending on the business. Covenant Technology’s client was an investment business obligated to continue trading and could afford no time offline. Another business may be able to close for a few days while an alternate network is loaded with company applications and data.
  • At the very least: Have a schematic of the network and an inventory of all the hardware that make up the infrastructure. Replacement gear won’t be exactly the same, but it will offer a roadmap of where to begin.

Step Four: Safeguard staffing.

  • Ideally: Essential staff needed to run business-critical technologies, like the network or certain applications, are sometimes impacted -- even if the disaster doesn't damage your business. Every key position should have someone cross-trained to take over in case of an emergency. Key staff members need to have reliable remote access to the company network.
  • Other considerations: You see companies prepare for loss of equipment or data, but not people. But what about a pandemic? It doesn’t touch the system, but instead the staff,” points out Scavo. Companies need to not only consider contingency plans for displaced staff, but for losing a portion of staff or having them quarantined at home.
  • At the very least: Keep a running list of essential staff and cross train those positions. Also keep a check list of which employees have what level of access from home.

Step Five: Test the plan.

  • Ideally: All plans look good on paper. Having the occasional real life drill is where the rubber meets the road. Most consultants recommend testing and updating the disaster plan once a year, if not every six months.
  • Other considerations: A disaster drill is worthwhile for everyone, but it's essential for new staff. In addition to hard copies of the plan, keep hard copies of passwords and IP addresses, along with access data for bank accounts. Double-check and update each year.
  • At the very least: For businesses that don’t have time to test, dust off the written response protocols and have a read-through with staff. Fine tune the plan, and offer a refresher course to employees.

Step Six: Have a recovery plan.

  • Ideally: “You have to think about what happens after the disaster. How will the data on the alternate system be returned to the company?” asks Robertson. This requires a well thought out protocol.
  • Other considerations: How will recovery in one area impact the recovery in another? Allowing employees to occasionally work from home also functions as an informal drill to make sure they can work offsite.
  • At the very least: Factor in additional hours, days, if not weeks or months into projected times for returning to normalcy. Look at New Orleans. The immediate disaster of Hurricane Katrina lasted only a week or two. More than two years later, a total recovery is no where in sight.