Time for a radical rethink of your Disaster Recovery plan? Is your businesses’ disaster recovery strategy as robust as you think?
Bad things happen – worse than we expect, and when we least expect them. Years ago, those bad or disastrous things could be summarised as physical ‘fire, flood or theft’. Today, a disaster is more likely to be digital – the sudden and catastrophic loss of access to our digital information.
A disaster recovery (DR) plan is a set of protocols to enable us to recover from a disaster. The problem is that most DR plans are rooted in physical disaster. Few have kept pace with business transformation into the digital age, leaving many companies exposed to existential digital disaster.
What is disaster recovery today?
OGL Computer’s solution architects work closely with businesses to create the most effective, complete disaster recovery technology provision tailored to the individual needs of each company. We have observed many emerging trends in disaster recovery, some positive and some in need of a radical change of thinking.
Throughout the 20th century, disaster recovery for business was oriented around physical disasters – fire, flood, quakes, physical theft and so on. Although DR plans today have changed to reflect the online world, many are still rooted in the safety of physical premises and storage locations. But today, only 3% of disaster incidents leading to data loss and business downtime are caused by natural disasters.[i]
As the business landscape has become more and more cyber-oriented, and as digital transformation continues, there are more ways that an enterprise can be crippled without any physical damage. In 2019, an organisation undergoing a ransomware attack could expect to lose an average of 16 days to operational disruption.[ii] Ransomware attacks, severe data breaches and service provider failures all need to be accounted for just as much as any hardware failure or natural disaster ‒ but not all businesses are fully adjusting to modern requirements.
At this point it is worth differentiating between data backup and DR. DR must include backup, but backup alone is not disaster recovery. Consider ransomware. Some variants – and this seems to be an increasing trend – are destructive. They can leave computers unusable. So, even if you can recover lost files from a backup, you are not quickly back in business if you have no infrastructure to use the files. There is already a long history of destructive attacks, even as far back as 2012, when the Shamoon[iii] attack against Saudi Aramco ‘floored’ 30,000 workstations for 10 days. DR is not simply the ability to recover data, but the ability to return the business to normal operations efficiently and speedily.
The problem became more difficult in 2020. The Coronavirus pandemic and advances in sharing and remote productivity technology are leading to increasingly decentralised workplaces, with dispersed staff working on personal machines in many different locations. With this increasing diversity in business models, disaster recovery plans need to be more bespoke; templates or ready-made protocols are becoming less and less likely to be effective for most enterprises.
A particular problem area observed by OGL is found in the data backup and storage element of DR. We have seen many disaster recovery plans that recommend storing backup data in the same physical premises or on the same network as the operating devices. This is a weakness. A disaster could compromise the working device and the backup devices at the same time. In fact, a primary focus for many ransomware gangs today is to infect the network and compromise any local backup before seeking to encrypt the business files ‒ effectively neutralising any backup.
The converse is also seen. If data is backed up to a different premise, many plans do not account for access to this new location. Especially with COVID-19 opening the world’s eyes to lockdowns and restrictions of movement, businesses need to be more aware than ever of how they will manage data extraction and retrieval under different circumstances.
Common failures in DR
OGL’s solution architects have observed numerous common mistakes and errors among businesses. In our work to build tailor-made DR solutions for our customers, we have identified several of the most common failures.
Data backup is the cornerstone of disaster recovery, but many businesses fumble this essential step. While 90% of companies do back up their critical data, daily backups are only performed by just over 40% of businesses.[iv] Daily backups are vital for shortening or eliminating downtime when data is lost – which is necessary, as in 2019 42% of businesses experienced downtime due to data loss.
The most critical, director-level data often gets stored on local devices. This creates vulnerable endpoints that may put highly sensitive data at more risk than necessary. Businesses need to keep track of where data is being stored and ensure that sensitive data is only held on appropriate devices.
We also see many organisations conflate cloud sharing with cloud storage. Microsoft 365, for example, offers a limited period in which accidentally lost data can be retrieved, but this is not a permanent backup or an effective part of disaster recovery. Microsoft 365 and similar services are intended to allow decentralised collaboration on projects, not to store or preserve data for long periods.
Physical backups need special consideration under COVID-19 and any similar emergencies. With ever-changing quarantines and lockdowns, many businesses may find that their physical premises are inaccessible. Thought needs to go into the accessibility of the backups; if data is being backed up onto tapes, and if the location storing those tapes is inaccessible, is that really a functional backup? Storage into a cloud platform such as those from Datto or Veeam are much more robust.
A good disaster recovery plan
Finding the right cloud solution is more important than ever as the business landscape moves more towards decentralisation and more workers telecommute. Most consumer-level cloud services like OneDrive, DropBox or AWS buckets will not be enough in terms of security or data integrity. Finding the right managed cloud solution is a vital part of any DR plan to meet all data security needs while keeping that data accessible. When combined properly with secure on-site backups, this can let many organisations simply keep on working even in the face of a disaster scenario.
Physical data storage is also vital to incorporate into a comprehensive data recovery plan. This encompasses everything from the location and accessibility of the building in which the data is stored to the environment where the storage devices are kept, and the physical storage medium used. For long term storage, products like Veeam Backup & Replication in the cloud or Datto’s SIRUS or ALTO hardware devices include verified backups, restore options for any scenario, instant virtualisation and ransomware protection.
Once the DR plan has accounted for making both cloud and physical storage as secure and robust as possible, planning for business failure conditions is vital. Unforeseen events can and will happen. However well your data is stored and backed up, it is important not to assume your business is invulnerable. DR plans should have a clear, realistic RPO and RTO (recovery point objective and recovery time objective) and protocols should be put in place to determine what data is most critical to business operations and how to restore it in the event of a disaster.
The most important part of any disaster recovery plan is asking the right questions. It has never been truer to say that there is no one-size-fits-all disaster recovery plan. Every aspect of a prospective DR strategy needs to be questioned – is this necessary? Is this effective? Does this account for the business’ biggest vulnerabilities?
For this reason, delivering a complete DR solution in-house is neither cost-effective nor time efficient. An expert consultation service that will work with a business and find fresh ways to challenge potentially stagnant thinking will be the best way to protect against the growing diversity of threats as we move into 2021.