
Considerations When Building a Disaster Recovery Plan

Last updated: 13 Apr 2023

Disasters often happen unexpectedly. Many businesses think they are prepared with a disaster recovery plan that will get them by, but recent disastrous events have proved otherwise.

The average cost of a ransomware attack reached over $7.5 million in 2018. The expense comes not only from the millions you might have to pay for the services needed to recover, but also from the cost of being without your data for days or weeks. The City of Baltimore spent over $18 million trying to regain control of its data, and after six weeks of restoration efforts, we’re still seeing a lack of control on some servers. Maybe it isn’t a surprise that an estimated 60% of small to medium-sized businesses fail within six months of a cyber-attack.

Risks and threats can also be brought about by manmade acts such as terroristic activities in populated urban areas. When targeted cities are put on high alert because of these threats, business halts, and business continuity is threatened.

These statistics are sobering, but they don’t give the entire picture. Gartner estimates that companies will spend over $124 billion trying to safeguard data and privacy. Unfortunately, the reality is that there is no way to prevent 100% of the cyber-attacks, 100% of the time. This means that for a vast majority, it is only a matter of time before they are faced with cybercrime.

Whether it is a classic natural disaster or a cyber-attack, the impact can be reduced with planning. A business continuity plan can help an organization get back online, quickly mitigating loss. The first step is determining the type of backup and disaster recovery plan that is right for your company. We start with a look at the three C’s: Criticality, Complexity, and Culture.

Criticality

Think about the importance of your employee, client, and proprietary business data. Here are a few critical questions to consider:

  • What is the maximum amount of data that can be lost, or that would need to be re-entered, during network downtime? For example, if your business isn’t handling a considerable volume of transactions, making a copy of the data available every 18 hours may be enough.
  • How much time can your business be offline without a significant disruption? The answer might be very different for a healthcare organization compared to a city government.
  • Could your data be compromised or leveraged against the company, vendors, or clients?
  • Does your organization need to comply with insurance requirements or federal standards and regulations like PCI or HIPAA?
  • How much of your daily operations rely on your employees freely accessing data?

The answers to these questions will help you determine the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for your business. The cost of these solutions is determined by the thresholds established. You’ll want to determine the lowest threshold that makes sense for your unique requirements considering the costs of maintaining these levels. If your daily operations rely heavily on accessing your organization’s data, or you must comply with industry-recognized standards, you will want to opt for the plan with faster recovery time (RTO) along with more frequent backups (RPO) and offsite data synchronization.

Complexity

Complexity describes your ability to function normally when a disaster occurs. Could you run all of your critical systems, with all of their dependencies, if your system were down due to a ransomware attack? Every company has a diverse set of operations on a variety of platforms that all need to be backed up. Whether those systems are on-premises or in the cloud, you must have a disaster recovery and backup plan that will accommodate them. Archiving, such as an HR backup system, might be an important feature to include in your backup and disaster recovery plan, particularly if you have critical employee information or if an employee decides to leave the company and you’d still like to access their data.

Culture

What cybersecurity training have your employees undergone? Employee negligence is the number one reason small to medium-sized businesses are vulnerable to attacks. It is vital to make sure you are preaching the proper protocols and implementing policies that will protect your organization from an employee making a weak password or clicking on a phishing email. Our blog on passwords offers some tips to create the best password policy for your organization.

Questions to be Answered

Whether it’s a cyber attack that devastates critical systems, a natural disaster that ends in a total outage, or a human error that leaks sensitive information, there is no shortage of damage that businesses suffer when a disaster happens unexpectedly. A well-thought-out disaster recovery (DR) system is the lifeblood of corporate survival and business continuity.

The most successful disaster recovery strategy is one that will never need to be implemented. This means that when all vulnerabilities, loopholes, and threat vectors are sealed, risk can be prevented. However, after putting a disaster recovery program in place, some business executives become complacent and the program is forgotten. Disaster recovery planning is not a one-time event. It requires a continuous cycle of management, updating, and testing.

The following important questions need to be answered when devising a disaster recovery strategy:

Is management on board?

Often, senior executives think that disaster recovery is an activity that is better left to the IT department. Business continuity is a critical concern of top management. Disaster recovery managers must convince management that it is not just about systems, networks, and data, but a bigger picture of the entire enterprise. After all, those at the top are accountable if the enterprise finds itself in a catastrophic situation.

Are existing and potential risks constantly assessed?

The risk analysis process includes not only the evaluation of threats and vulnerabilities but the probability of their occurrence. Disaster recovery officers should test their disaster recovery strategy on a range of disaster scenarios, from data inaccessibility to outage to facility damage and more. They should consider recent untoward events and analyze the impact those events had on business, as well as assess the associated costs and other collateral damage.

Is the redundant backup system working?

Redundant backups are the last lines of defense for recovering lost data. Thus, it is important to ensure that backups are working reliably to eliminate all potential points of failure within the backup framework.

A reliable backup solution includes deploying backup servers and using redundant backup media. For backup servers, the best approach is a two-step, or better still a multi-step, backup design and process. Each backup server is a fallback to the other so that if one fails, the others can take over. To further strengthen the backup system, disaster recovery officers may consider replicating the backup servers’ contents to a third-party data center or the cloud rather than depending on in-house replication.

Is there an effective cycle testing process for the disaster recovery system?

The cycle testing process should utilize multiple methods and approaches from one stage to the next. At the end of the cycle, the entire disaster recovery plan should be completely evaluated for errors and deficiencies, which should be removed from the plan no matter how minor they are. Cyclic recovery testing helps with early detection and correction of errors and the resulting problems.

For management, disaster recovery plan testing assures stakeholders that the disaster recovery system is working. For IT, it provides key inputs into improving the business continuity strategy of the enterprise.
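The RPO and RTO thresholds from the Criticality section, and the questions above about redundant backups and cyclic testing, can be checked automatically against a backup catalog. The following is an added example, not part of the original post: the system names, the sample records, and the 90-day limit on restore-test age are assumptions made for illustration, while the 18-hour RPO echoes the example given earlier.

```python
from datetime import datetime, timedelta

# Constructed sample data: per-system objectives and backup/restore-test records.
NOW = datetime(2023, 4, 13, 12, 0)

OBJECTIVES = {  # hypothetical systems; thresholds are set by the business
    "billing-db": {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "file-share": {"rpo": timedelta(hours=18), "rto": timedelta(hours=24)},
}

BACKUPS = [  # (system, completed_at, location, verified_ok)
    ("billing-db", NOW - timedelta(minutes=40), "onsite", True),
    ("billing-db", NOW - timedelta(minutes=20), "offsite", False),  # failed verification
    ("billing-db", NOW - timedelta(hours=3), "offsite", True),
    ("file-share", NOW - timedelta(hours=10), "onsite", True),
    ("file-share", NOW - timedelta(hours=12), "offsite", True),
]

RESTORE_TESTS = {  # system -> (tested_at, measured time to restore)
    "billing-db": (NOW - timedelta(days=20), timedelta(hours=6)),
    "file-share": (NOW - timedelta(days=200), timedelta(hours=5)),
}

def check_system(name, now=NOW, max_test_age=timedelta(days=90)):
    """Return a list of findings for one system; an empty list means compliant."""
    obj, findings = OBJECTIVES[name], []
    good = [b for b in BACKUPS if b[0] == name and b[3]]  # only verified backups count
    for loc in ("onsite", "offsite"):  # redundancy: each copy must meet the RPO
        ages = [now - b[1] for b in good if b[2] == loc]
        if not ages:
            findings.append(f"no verified {loc} backup")
        elif min(ages) > obj["rpo"]:
            findings.append(f"{loc} copy exceeds RPO")
    test = RESTORE_TESTS.get(name)
    if test is None:
        findings.append("restore never tested")
    else:
        tested_at, duration = test
        if duration > obj["rto"]:  # measured restore time is the RTO evidence
            findings.append("last restore test exceeded RTO")
        if now - tested_at > max_test_age:  # assumed 90-day test cycle
            findings.append("restore test is stale")
    return findings

def report(now=NOW):
    return {name: check_system(name, now) for name in OBJECTIVES}

if __name__ == "__main__":
    for system, findings in report().items():
        print(system, "OK" if not findings else findings)
```

Note that the failed offsite backup for billing-db is ignored, so its newest usable offsite copy is three hours old and breaches the one-hour RPO even though a more recent job ran.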

Considerations for a Disaster Recovery Plan

Larger companies have broad options for business continuity strategies, but smaller businesses with limited resources are often left to deal with disasters on an ad hoc basis. Big or small, businesses nevertheless need to consider all important assets – physical assets, IT assets, and their employees – in their DR plan.

The DR site. Ideally, the DR site should be conveniently accessible from the main site: not so close as to be affected by the same widespread disaster, but not so far away as to limit communication. DR planners should look for locations that are free from geographic connectivity limitations such as mountains and oceans.

Employee needs. A successful recovery solution takes into account the big picture, not just the physical assets and the IT system. Companies often assume that employees will always be able to travel to the DR site to manage the recovery process. However, in a widespread disaster, employees may be occupied with home recovery, roads and bridges may be impassable, and travel systems shut down. Working from home is a valid temporary solution if power and connectivity are available in employees’ homes.

Disaster Recovery Options

Emerging technologies are helping both big and small businesses deal with the aftermath of disasters. Even the most mundane of disasters can have a devastating impact on a business if it destroys data and keeps customers away.

The cloud. Enterprises are realizing that they cannot rely solely on an in-house recovery system. Because of its virtualized nature, the cloud is a viable disaster recovery option, affording businesses faster and more flexible recovery for backing up data at a lower cost. Servers, the operating system, applications, data, and patches are abstracted into a single virtual server that can be backed up to an offsite data center and spun up in a virtual host in a matter of minutes without reloading each component of the server.

A cloud DR solution also allows SAN-to-SAN replication, making multi-site availability possible. Because of the solution’s flexibility, resources can be scaled down for less critical applications and servers while prioritizing more critical applications to keep the business running through the disaster.

Colocation. Colocation sites provide an ideal environment for disaster recovery if the data centers are strategically distanced from one another, on separate grids, and located in areas with a low incidence of natural disasters. The availability of reliable power, cooling, connectivity, security, and remote support is also an important consideration when opting for colocation.

Work from home. Allowing employees to work from home is a viable recovery strategy. Remote workers can work from any capable device such as home computers, laptops, or smartphones in a virtualized desktop environment where applications and data are run and controlled centrally. This approach reduces concerns over security, privacy, and infrastructure.

An enterprise’s ability to remain operational during and after a disaster depends on the disaster recovery strategy it implements. For expert help crafting a DR strategy, contact us at BlackPoint IT Services.