More than one third of cyberattacks are aimed at small businesses, but only a small percentage of them are prepared to defend themselves.

Experts say it's time to plan for when. Every enterprise needs clear backup and disaster recovery plans to execute recovery processes after a disaster. Disaster recovery planning and how it can be implemented in the cyber landscape are explored in this report.

Key findings are listed in the report.

  • Cyberattacks have grown more frequent and sophisticated, and SMEs are in the firing line. The data tells a worrying story. With the pandemic, along with geopolitical factors, causing shifts in how we live and work, the case for disaster recovery planning has never been more urgent.

    According to one study, the likelihood of a company being attacked by artificial intelligence was 500% higher by the end of 2021. Most businesses become victims of human error when they become victims of deepfakes.

  • A well-built disaster recovery plan can significantly minimize and even eliminate downtime. Disaster recovery plans are a key component of business continuity plans. While business continuity focuses on overall strategy, including policies and procedures for recovery following an incident, disaster recovery focuses on IT infrastructure, data, and applications.
  • A well-crafted disaster recovery plan includes clear definitions of recovery time objective (RTO) and recovery point objective (RPO).3,4 Having such a plan is crucial for protecting data and applications against malware and ransomware attacks and could significantly minimize or even eliminate downtime.

  • Backups and replication of data are essential for disaster recovery. With cybercriminals spending over 200 days in companies’ systems before being noticed5 and corrupting backups, SMEs need to store their data in multiple formats on different systems or look toward a data replication solution to ensure near-instantaneous recovery. While the longstanding 3-2-1 strategy6 is endorsed by cybersecurity experts, some organizations are seeking greater security with the 3-3-2 approach7, which includes an extra disconnected and inaccessible (“air-gapped”) copy.
  • An unexamined disaster recovery plan could bring enterprises back to square one. Disaster recovery plans are essentially pointless without regular practice runs—and how often this practice should be done depends on how fast an organization is growing or adopting new technologies. Experts say such plans should be updated and tested at least annually, and ideally every quarter.

You can download the report.

This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by MIT Technology Review’s editorial staff.