Sarah Doherty: Why is it so important to test your disaster recovery plan?
This article was contributed by Sarah Doherty, Product Marketing Manager at iland
In the wake of the global COVID-19 pandemic, business continuity planning will no doubt be top-of-mind for most organisations as they take their first tentative steps back to the ‘new normal’ of business operations.
Today, running a successful company requires that the business remain operational in a variety of difficult conditions, including a pandemic, an economic crisis, a natural disaster, or any other critical situation that could disrupt the flow of normal business. So whether it is ensuring that your technology doesn't go down, that your remote workers can access all your systems securely, or that the business can continue to communicate and support your customers, making sure you have a resilient business continuity plan in place to prevent any interruption is really important in our ‘always-on’ world.
Planning for the unexpected
A business continuity plan is a course of action that an organisation would take should an unexpected situation arise. Such a plan evaluates a company's internal and external threats and creates strategies for resolving any difficulties that may emerge. For example, it will look at triggers, security implications, working from home policies, vendor/customer contingency plans and much more. Disaster recovery is an essential part of a company's business continuity plan. That said, businesses must find cost-effective, proven methods for disaster recovery and right now cloud disaster recovery is growing in popularity, especially among small and mid-sized companies.
So, what is the difference between a business continuity plan and a disaster recovery plan? Are they not one and the same?
The key difference is when the plan takes effect. For example, business continuity requires you to keep operations functional during the event and immediately after. Disaster recovery focuses on how you respond after the event has completed and how you return to normal, whether the disaster was a hurricane or simply email failure. In other words, disaster recovery is the process of getting all important IT infrastructure and operations up and running following an outage. Business continuity differs in that it is the process of keeping the entire business as close to full functionality as possible during and after a crisis.
Unfortunately, because of the term, often organisations only think about the disaster in terms of physical events such as hurricanes but, these days, malicious insider threats and hardware failure are the more common reasons for downtime.
DR is not set and forget - why you need to test
This means that growing operational complexity is increasing the need for more frequent and lower-cost testing, which in turn is forcing organisations to rethink their traditional disaster recovery methods and processes. In many cases, these traditional methods include backing up data and shipping it off to a secure offsite location, which is really only data protection. True disaster recovery also involves systems, such as hardware and software, as well as the people, processes, and tools necessary to recover the data.
The whole purpose of IT disaster recovery testing is to discover flaws in your disaster recovery plan so you can resolve them before they impact your ability to restore operations. In fact, regular testing is the only way to guarantee you can restore customer operations quickly following an outage. Likewise, thinking through whether you need to implement a full DR plan, which is expensive, or whether you can tier DR options, will help the IT team to manage costs and also set expectations with senior management.
It is a good idea to work through ‘what if’ scenarios to understand how quickly you need to get systems back up and running. For example, what do you do if your email fails? Do you implement a whole DR plan? Also, what is acceptable downtime on different applications? Do you need the application back up in an hour? Will you lose revenue? What is critical versus nice-to-have? How fast you need to recover and how long you need to keep data are key questions to ask. That said, ask most executives these questions and they will probably say “instantly” and “forever”. However, if you explore the different scenarios (and costs) they will soon realise this cannot always be the case.
Different approaches to DR
Likewise, how often companies conduct disaster recovery testing varies enormously. The most important thing to remember is to make sure that your DR plan has what is needed to recover your information systems and business functions in the event of an emergency. This may be once a month, once a quarter, or once a year, or only after there have been major changes in the organisation. This will be different for every business, and something that management will ultimately have to decide and support.
More importantly, you need to ask yourself, “Have we tested at all?” I know many businesses that have never tested their disaster recovery procedures. Plans sometimes go untested because of all the technical and operational complexities associated with them, but you can often work around some of these issues through simulation. Testing is the only way you can validate and improve your plan and, in my experience, problems and gaps in your plan will surface during testing.
Furthermore, recent disasters and ransomware attacks have revealed gaps in many companies' disaster recovery plans, therefore exposing the need to deploy a variety of solutions. Likewise, depending on their size and goals, different companies will have different disaster recovery needs. For example, smaller companies typically cannot afford to duplicate their production environment in an offsite recovery environment – it is expensive enough to build out the production environment! This is where cloud disaster recovery can provide real benefits.
Why consider the cloud for disaster recovery?
As mentioned earlier, many companies are considering moving away from “do-it-yourself” disaster recovery solutions that involve building out secondary recovery infrastructure in a recovery data centre and are exploring cloud-based options for several reasons.
Firstly, purchasing the infrastructure for the recovery environment requires significant capital expenditure. Therefore, converting capex to opex makes for easier cost control, especially for those companies with tight capex budgets.
Secondly, cloud disaster recovery allows IT workloads to be replicated from virtual or physical environments. Out-tasking disaster recovery management ensures that your key workloads are protected, and the disaster recovery process is tuned to your business priorities and compliance needs while also allowing for your IT resources to be freed up.
Finally, cloud disaster recovery is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. In most cases, the right disaster recovery provider can offer you better recovery time objectives than your company could provide on its own in-house. Therefore, as you review your disaster recovery options, cloud DR could be the perfect solution, especially as talk of a second COVID-19 wave is on the horizon – whether that is the case or not, it is better to be prepared.