How businesses can protect their business IT infrastructure, mitigate risk and keep costs to a minimum
Whilst stories of businesses being affected by natural disasters grab the headlines, it is the ever-growing threat of cyber-attacks that has helped move IT disaster recovery planning up the agenda for business managers.
No plan. No excuse
IT disaster recovery and business continuity plans are a necessity for every modern business, so why do many smaller businesses still not have them? The expectation of high set-up fees and ongoing monthly costs discourages many businesses from pursuing some of the more advanced solutions available. A lack of knowledge is also an issue, along with the difficulty of finding a service provider that doesn’t just concentrate on large enterprises, wrapping the subject in impenetrable technical jargon.
Every business, regardless of size should develop an IT disaster recovery plan with step-by-step procedures for recovering disrupted systems and returning them to normal operation. This process identifies critical IT systems and networks, assesses the required recovery time; whilst defining the steps to restarting, reconfiguring and recovering them.
Larger organisations can afford to outsource responsibility for disaster recovery to external service providers. The growing acceptance of managed IT service contracts amongst smaller businesses often includes the added benefit of disaster recovery planning as part of a comprehensive service, offering the use of disaster recovery suites for displaced staff.
Going mobile can help
The increasing use of mobile devices is proving a benefit for disaster recovery and business continuity strategies, with greater flexibility for displaced employees to work with recovered systems. Tablets and smartphones allow employees to remain productive and also makes them easier to communicate with in the event of a disaster, particularly one that requires relocation or remote working.
Of course certain businesses are required by law or regulation to have IT disaster recovery plans in place, with some required to keep all data secure and retrievable, regardless of what disasters befall the business. Relying on employees working from home or the local coffee shop may be in contravention of strict data policies, for those businesses working with sensitive data.
The problem can be addressed through desktop virtualization, which allows a copy of the client’s system to be quickly deployed on new hardware at a recovery site. Following disruption, the employees turn up at the recovery suite, switch on and, as far as they’re concerned, they’re working on their machine, with their applications.
Does the cloud change disaster recovery?
Although the “cloud” is offered as the ultimate IT problem-solver, it offers benefits for disaster recovery, bringing more comprehensive IT disaster recovery plans within reach for smaller businesses. Utilising the cloud for disaster recovery can offer faster recovery times and the ability to get remote workers up and running on a small budget compared to the high costs associated with traditional disaster recovery solutions.
Although cost effective, businesses are still paying out regularly for a service that the vast majority are never likely to use.
Do It Yourself
For smaller organisations, where budgets are understandably under more pressure, it’s now possible to plan for a disaster, do some of the work yourself, protect your business and only pay if disaster strikes. Although longer recovery times might have to be accepted, it’s a case of weighing the risk against the money that can be saved.
Drawing up the plan
The following steps will help tailor a plan for business recovery, ensuring the potential impact of any disaster is minimised:
1 A business impact analysis – will help identify and prioritize critical IT components and systems. It will establish the “maximum acceptable outage” (MAO), the time needed for a recovery to become effective before compromising the ability of the business to survive.
2 Identify preventive controls – these measures reduce the effects of system disruptions and increase system availability, highlighting the need to regularly review options for creating a more robust and recoverable infrastructure.
3 Develop recovery strategies – to ensure the system can be recovered quickly and effectively following disruption, with a plan for communicating the situation to all employees.
4 Contingency planning – offers detailed guidance and procedures for restoring damaged systems and should contain contact details for any third-parties needed to assist in the recovery
5 Testing the plan – identifies problems with the plan and offers the opportunity to train everyone for activating the plan. It identifies areas for improvement or change and can be done without serious disruption to the business. The test must be as real as possible, while there is time to check things before it happens for real.
6 Evolve the plan – it’s essential once a plan is designed and tested that it is kept current and includes changes to the business operation, changes in infrastructure, key personnel etc.
For businesses with smaller budgets, it’s a case of balancing risk against the costs associated with recovery. And a disaster doesn’t have to be flooding or fire, it can be a virus, a cyber-attack, hardware and software malfunctions or even simple human error.
Many businesses will back up their data on a regular basis and, hopefully, even check the data is usable. The age of the backed-up data is another point of risk for any business and each will have to assess how much data they are prepared to lose, maybe to have to enter again. Generally, the more current the back-up, the more expensive the solution, but for smaller businesses back-ups are usually done at the end of the day, which risks the day’s data up to the point of failure.
Businesses must also consider the media used for backing up data. What is the right media for the different types of data within your business; tapes, disks, SAN, LAN? The answer is a simple cost versus risk equation, with tapes still popular and low cost, but presenting higher risk – a major manufacturer recently reported 42% of tape backups failed.
Perhaps the next most important consideration is if a business no longer has its IT system, servers, applications, licenses etc – what is the backed-up data going to be recovered to?
Most options incur costs that the majority of small to medium businesses would find prohibitive, so the temptation for many is therefore to risk running their business without any proper disaster recovery plan. When even a short interruption to operations can finish a business, the acceptance of the high costs associated with real time data replication to duplicate servers in different data centres, is perhaps more understandable.
At the other end of the scale, the management of smaller businesses can accept more responsibility, with perhaps a greater risk to the business continuity, but at a much reduced cost.
New and innovative solutions like Inactive/Active Disaster Recovery are entering the market in a bid to address the needs of smaller businesses, looking to protect their future, without spending large amounts of money.
Inactive/Active Disaster Recovery relies on an assessment of the IT infrastructure a business needs to function normally, recording all the necessary information to create a copy of the IT environment at extremely short notice – usually within 24 hours. The snapshots taken of each physical or virtual server supported are stored at the disaster recovery centre and the inactive phase begins.
All the necessary server space is guaranteed, along with the power and communications needed to turn this virtual, inactive environment live, as soon as disaster strikes. After the initial consultation fee, there is only a small annual maintenance charge to pay until the service is required, if ever.
Once active, the client supplies the latest backed-up data, sending tapes, disks or hard drives by courier if necessary. It is only at this point that the costs associated with new hardware, software licensing etc are incurred. These costs are usually covered by the business insurance, but it’s worth checking the policy.
Planning for a disaster is all about considering risk against cost. Service providers have to understand disaster recovery is not something any business wants to pay for and they must develop new solutions that offer varying levels of cover, with costs matched to the level of risk a business finds acceptable.
With good planning and innovative solutions like Inactive/Active DR businesses can now protect their future, spend less on disaster recovery and invest in activities to promote growth.