07th July 2016
It’s remarkably common for optimistic business owners to see any risks to their infrastructure as minimal. While we don’t expect major catastrophes to hit us every day, it’s important to plan ahead for those rare instances when they do.
Despite reading about flash floods, terrorist activity or rolling blackouts in various countries across the world every day in the news, such major disruptive events are still relatively unlikely to happen.
‘Relatively unlikely’, however, does not mean ‘will never happen’. Gartner’s 2015 Business Continuity survey found that 72% of bosses had indeed found cause to utilise their business continuity plans.
Yet business owners all too often take the optimistic view that low risk means no risk, leaving their businesses open to potential disaster with inadequate planning.
There is a common misconception that once a plan is made, the job is done. If there is a disaster recovery or business continuity plan in place, it might be several years old and in a dangerously neglected state.
Another study, by the Disaster Recovery Preparedness Council using 2014 figures, identified that three out of four of the companies they surveyed suffered catastrophic failures in their disaster recovery plans when they actually needed them.
These businesses lost one or more of their mission-critical software applications, lost one or more of their virtual machines, lost critical files and experienced days of datacentre downtime.
It will never happen to my business, will it?
Figures published in the report reveal that the cost of losing critical applications or data ranges from a few thousand to several million dollars. Almost 20% of the businesses surveyed quoted losses of more than $50,000 to over $5 million.
According to this benchmark global survey, 73% of businesses worldwide are at risk of failing to recover from a disaster or significant outage, due to lack of planning. So why are the majority of businesses failing so spectacularly to plan for potential disaster?
We are all busy. It’s a highly competitive world out there and time is precious. Many businesses simply fail to realise how valuable it is to spend time on DRBC plans, preferring to focus on the daily activities.
Another problem is the failure to realise quite how serious and commonplace significant downtime is becoming. As with many things in our fast-paced industries, the threats themselves, the ways we protect against them and the ways we plan to keep businesses running while we deal with them all change quickly. But that can’t be an excuse.
If you lose data or productivity to downtime, the painful truth is that you may not have a business to return to. Planning ahead of disasters for your recovery and maintenance of normal business activities is absolutely critical.
Here are ten important things you need to consider:
1. Serious disruption happens when you least expect it – all you can do is prepare
Low risk definitely doesn’t mean no risk. Anything from a flu outbreak to a power outage to a terrorist attack can disrupt a business and lead to potential damage.
Thinking you’re at low risk of experiencing some kind of significant event is probably the gravest error you can make.
2. It’s not all about earthquakes and floods
50% of businesses surveyed in the global benchmark report indicated that their cause of data loss or outage was due to software and network failure.
43.5% said it was due to human error and 24% cited power failure as the culprit.
Only 14% of major disruption events were due to the weather.
Cyber crime is a growing threat. Ransomware attacks in particular are increasing every year, costing businesses dearly: financially, in lost productivity and in lost data.
3. Your staff should all be trained in IT and data security protocol
Disaster recovery and business continuity is certainly about more than just IT. However, your data is your business so IT must always be a central consideration to DR and BC planning.
The strongest IT defence is only as strong as its least careful user and human error is one of the highest risks faced by businesses.
There is a strong correlation between the cost of downtime and the average hours per week spent in backing up data and training staff in data security protocol and disaster recovery awareness.
4. Disaster recovery and business continuity are not the same thing
These two plans should of course be linked but are not interchangeable. Think of it like this:
Disaster recovery is planning how you would rebuild your office if it burned down.
Business continuity is planning how you would keep your business operational in the meantime.
While you are bringing your data centre back online and recovering lost data, replacing destroyed or inaccessible devices and reconfiguring software, you also need to be rolling out new ways of working even if certain applications can no longer be used.
5. Every BCP must cover some key areas, regardless of sector or size
Your plan must envelop your IT, your business facilities, people, systems and operational processes; everything you need to make your business run.
There will always be risks specific to your industry but some considerations are universal:
- Information – what systems does your business need to keep running at acceptable levels?
- Communications – email, call centres, VPNs; whatever is most relevant to you. How will you keep in touch and who should be contacted in the event of an emergency?
- Access and authorisation – identify personnel that need to access your critical systems and how they will do this.
- Physical business location – what do you physically need to keep your business up and running if the disaster has affected your usual location?
6. Always start with business impact analysis, RTOs and RPOs
Understanding precisely how your business will be affected by a significant disruptive event is your crucial first step.
When the ransomware strain CryptoWall swept $18 million away from US companies in 2014–15, for instance, experts and business owners alike were shocked to discover that downtime cost more than the ransom itself.
When considering the true impact to your business of downtime, look at every aspect you can think of: from financial implications including potential fines, to erosion of customer service and experience, to loss of business, reputational damage, loss of staff and loss of critical data.
You then need to establish recovery time objectives (RTOs) and recovery point objectives (RPOs). These parameters will allow you to determine how regularly back-ups should occur and how much downtime is acceptable.
7. Your DR location should not be the same as your primary location
This might seem obvious but keeping your primary servers in the same physical place as your back-up data storage solution is a very unwise thing to do.
If anything happens to your primary data, you need to be able to access your back-up. These two facilities should be miles apart. Depending on your risk assessment, you may need them to be as much as 50 miles away from each other.
8. Everything should be backed up – not just your critical data
European data protection laws are becoming more stringent, making your data security more important than ever.
You need to make sure you’re backing up all your data, not only that which is critical to your business operations. This in turn means keeping your networks clear of unnecessary or redundant systems.
Backing up GBs of data you don’t need is a waste of valuable time and space; make sure your networks are cleaned annually.
9. Test your plans
You and your personnel need to feel confident that your plans will work. The only way to do this is to simulate a disaster and make sure everyone knows what to do.
It is during testing that any overlooked elements will be made obvious. Perhaps you failed to identify all critical systems in your original plan, for instance?
10. Your DRBC plans need updating every year
Planning for disaster recovery and business continuity is not a one-time project. These plans need to be assessed and updated every year.
As your business evolves, so too must your DRBC plans. To neglect these updates is as grave an error as failing to plan in the first place.
Simon Coggin is a data centre expert