Many business leaders are reviewing their results from the past year and setting objectives for this year. But in the technology era, even the best-laid plans can be torpedoed by a disaster that brings your IT systems crashing down. So, as you look at your objectives for 2019, we thought we’d provide a crash course in Disaster Recovery & Business Continuity.
The easiest way to do this is to answer some of the most frequently asked questions as well as provide links to where you can go for more information.
What is the difference between disaster recovery and business continuity?
Business continuity planning is the overarching plan that ensures your business can recover from a disaster. This includes things like emergency response protocols, communications plans, legal liability issues, workspace recovery (giving your employees a safe place to work), etc.
Disaster recovery is a subset of business continuity planning and refers specifically to the recovery of your applications and data in the event of a disaster. It’s about making sure your IT systems and data are available, so you can resume business as usual.
What is the most common disaster I need to worry about?
Most people think about hurricanes and floods when they think disaster recovery. These things happen, but a business’ employees often present a far greater threat. According to the Ponemon Institute’s Cost of Data Center Outages 2016 (the most recent study available from this highly reputable organization), human error is responsible for 22% of all unplanned downtime. (Outdone only by UPS failures, which accounted for 25% of outages.)
That may be under-reporting the ability of human beings to inflict chaos on your business. According to the same Ponemon Institute report, another 22% of downtime is caused by cybercrime, specifically DDoS (Distributed Denial of Service) attacks.
While cybercriminals are clearly responsible for these incidents, employees can and do inadvertently aid them from time to time. According to Symantec’s 2018 Internet Security Threat Report, spear phishing (tricking someone into opening an attachment or clicking on a malicious link) is still, by far, the most common way IT systems become infected. It’s also a common method for stealing credentials.
Finally, you can’t rule out squirrels. These vicious adorable little creatures account for more power outages than any other cause. The outages tend to be more localized, but even a localized outage can be a “disaster” when it affects your business. The website CyberSquirrel1 provides an interactive map showing the number of outages caused by animals by year and by month. Currently, squirrels cause more than twice the outages that birds do. Thankfully, the little beasts have yet to figure out how to write SQL injection code.
I backup my systems daily. Does that qualify as disaster recovery?
Many would say “no,” but we’re going to offer a solid “maybe.” That’s because different applications have different recovery objectives. Your objectives should be defined along two vectors:
- Recovery time objective (RTO) - The targeted length of time from failure to restoration of business systems and services after a disaster.
- Recovery point objective (RPO) – The maximum amount of data loss the business deems acceptable following a disaster or failure.
If your business would be dead in the water without access to a specific application, e.g., your online customer service portal or order entry system, you’re going to set your RTO for that workload fairly low. If any data loss for that workload could cause irreparable harm to the business, your RPO along that vector should be set low as well.
The problem with offsite backups in this instance is that recovery time and data loss can be high as compared to other methods. Let’s look at RPO targets first. Most businesses back up once a day (or less often). If the back up happens at 5PM and their systems go down at 3PM, that means that everything they entered between 5PM the previous afternoon and the 3PM crash is at risk. Depending on the nature of the failure and the degree of difficulty in reproducing the data, this data may be lost for good.
Even if data loss isn’t an issue, recovery using a backup system can take a while. Most backups are stored offsite. Once your systems go down, the backup needs to be retrieved from storage, which can take from hours to days, depending on where and how it is stored, and then restored.
The bottom line is that for most workloads offsite backup solutions aren’t fast or reliable enough.
If not backups, what are my disaster recovery options?
The short answer is replication to the cloud. Replication that is synchronous provides the lowest levels of data loss because data is written to the replication site at the same time as the primary storage array. With synchronous replication, both recovery time and recovery point can approach near zero.
Asynchronous replication writes data first to the primary storage array and then to the fail over site. Recovery time and recovery point can still be fairly low. Asynchronous replication options have the added benefit (usually) of being less expensive and less likely to impact system performance.
Beyond that, there are many different flavors of synchronous and asynchronous replication. We can walk you through some of your options based on your objectives as well as your computing environment.
You may also like: 3 Questions to Ask When Setting Recovery Objectives in Your Disaster Recovery Plan
Why disaster recovery plans fail and how to prevent it
Disaster recovery plans fail for two primary reasons:
- The plans are inadequate/nonexistent – According to a survey conducted by Forrester and the Disaster Recovery Journal, only 37% of business leaders felt they were prepared for a disaster, and only 18% felt they were very prepared.
- The plans don’t work – According to the same Forrester/DRJ survey, almost a quarter (21%) of businesses never test their disaster recovery systems to see if they actually work. Another 17% said they test them less than once per year.
DRaaS (Disaster Recovery as a Service) can help you address both shortcomings. While we don’t do disaster recovery planning for you, we can help you create your plan by discussing your options. Even if you have a pretty solid plan already, working with one of our DRaaS advisors can help you identify shortcomings or ways to save money.
More importantly, DRaaS ensures your plan gets executed. We set up your systems then monitor them to ensure everything is working as expected. We can help you troubleshoot issues, and we’ll periodically test your systems to ensure your data and applications will be there when you need them. We can even help ensure your fail over systems remain compliant with your specific industry regulations and standards.