Let’s examine key considerations for disaster recovery (DR) for small and medium-sized enterprises (SMEs), including why mere backup is insufficient, how to create a disaster recovery plan, and experiences with DR testing and DR as a service.
Over the past 18 months, businesses of all sizes have learned to adapt to disruptions. As lockdowns and social distancing forced office closures, companies had to transition to remote work.
For some companies, this was an entirely new experience. For others, it was part of a disaster recovery plan already in place to ensure continuous business operations. Employees working from laptops with cloud-stored data became a setup to cope with incidents ranging from power outages to natural disasters.
Disaster recovery plans have long been commonplace for large businesses and government agencies in the public sector, but they are equally crucial for smaller organizations. If an SME provides services to larger enterprises or the government, a disaster recovery plan is often mandated.
However, many principles behind disaster recovery planning apply regardless of a business’s size. Technology, especially cloud-based services, is making disaster recovery more accessible for both small and medium-sized enterprises.
1. Disaster Recovery vs. Backup and Restore
Disaster recovery is often viewed as a purely technical exercise, focusing on data backup and restoration. While safeguarding data remains a critical part of any disaster recovery process – no organization can survive without the ability to recover its data – DR extends beyond this.
A DR plan needs to consider how data is protected, crucial to addressing hidden flaws caused by software or hardware failures, as well as environmental incidents like floods or fires.
Planners must examine how the business will function and where it will operate during recovery. This includes infrastructure considerations such as alternative workspace arrangements or remote work capabilities for employees.
Businesses also need to review replacement equipment in case existing hardware is damaged, destroyed, or inaccessible. This includes laptops, tablets, other endpoint devices, as well as communication and network equipment, servers, and storage for on-premises systems.
Most small and medium-sized enterprises may not have the resources for dedicated data centers or standby servers. In some cases, organizations can shift to the cloud or temporarily use cloud resources. For other companies, the recovery strategy may involve acquiring and setting up new hardware to restore applications and data.
However, the key to any approach is meticulous planning.
2. Disaster Recovery Planning: Not If, But When
In recent years, organizations have shifted from operating under the assumption that disasters might happen to the recognition that disasters will happen. This shift is partly driven by the rise in cybercrime, especially ransomware. Simultaneously, the pandemic has elevated the importance of disaster recovery in companies’ agendas.
Regardless of the scale, companies need to start with a disaster recovery plan that outlines actions to take in case of a disaster and, most importantly, designates who will carry out those actions.
The plan needs to be comprehensive, reviewed, and practiced. CIOs need to understand where their critical data and systems are, how they are backed up, and how they should be recovered. For organizations operating an increasing number of IT systems, prioritizing recovery by stages may be necessary. Trying to recover all systems simultaneously might not be feasible.
Once the CIO or project team agrees on the plan, it needs to be communicated throughout the organization.
Tony Lock from Freeform Dynamics, an analysis firm, emphasizes that organizations often fail due to a lack of preparation. He points out, “DR is not just about recovering IT systems at a technical and data level.
“Beyond technology and data, it is necessary to ensure that recovery processes are clearly understood, including who will be responsible for initiating recovery and covering any incurred costs. Do employees know where to go, how to contact others, and are recovery procedures written clearly and easily accessible in emergencies?”
Organizations also need to review their supply chain and how they depend on others to provide goods, services, and even data.
Adam Stringer, a business resilience expert at PA Consulting, states, “Companies often overlook third-party dependencies and rarely check agreements between companies, but in a disaster, their priorities may not align with your business.” He adds that a clear plan helps identify these dependencies, and the organization will know how to operate if a crucial supplier fails.
3. Risks and Recovery Time
To plan effectively, CIOs and business resilience managers need to understand the risks and requirements for the business to return to normal operations.
Key metrics used in disaster recovery, regardless of business size, are the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RTO is about how quickly data needs to be recovered and made accessible. For some systems, this will be measured in seconds; elsewhere, it may be a few hours or even days.
RPO is the amount of data that an organization can afford to lose. Again, some organizations will have a very low tolerance for data loss.
For RPO and RTO, not all systems will be the same. Some, like customer-facing applications or data-managed applications, will have fast recovery times and low data loss thresholds. Others will be less critical or updated less frequently. The crucial aspect is for planners to work with the business to understand priorities and timelines.
Stephen Young, director of DR and cloud backup company AssureStor, notes that planners also need to consider RPO and RTO concerning threats. Identifying the specific risks of data theft and data loss is a primary consideration, along with RPO and RTO.
4. Testing and Multiple Trials
However, disaster recovery planning will not be complete by merely having a plan in place. Organizations need to communicate the plan and test it.
“Companies may have plans and procedures in writing, but they may not be practical or widely known and then not actually applied in a crisis,” says Stringer of PA Consulting.
“They need a clear decision-making structure, and playbooks need to be unified and perfected through practice and testing, along with easily understandable approaches like the gold, silver, and bronze command structure. These are more practical functions for companies in times of disaster than a detailed 100-page instruction book.”
Testing should be frequent, with DR experts recommending a minimum of once a year. Critical systems may need to be tested at least monthly.
5. Disaster Recovery as a Service (DRaaS) and SaaS
However, smaller companies may not have access to large IT teams that can build duplicate IT systems.
Fortunately, the cloud offers various options, from specialized disaster recovery as a service (DRaaS) providers to business applications like Microsoft Office 365.
Office 365, Google Workspace, and cloud-based enterprise applications allow businesses to recover most of their operations as long as their employees have access to a web browser. Cloud storage can also be a lifeline.
But there are caveats. Consumer-grade cloud storage raises compliance issues, and SaaS providers only offer limited guarantees for customer data. CIOs should check terms and conditions while considering specialized DRaaS, even if most of their applications and data are already in the cloud.
Cre: bizflycloud