five main things to consider

In the health crisis, companies, regardless of their size, have learned to adapt disturbances. When offices closed due to lockdowns, organizations widely adopted the telework.

For some, it’s a place they don’t yet know. For others, it is part of an existing business continuity plan and disaster recovery. Working remotely on laptops with data stored in the cloud has become common to deal with incidents ranging from power outages to natural disasters.

Ang disaster recovery plans have long existed in companies and large public sector institutions, but they are also important for small structures. When a small or medium -sized enterprise (SME) is a service provider to large corporations or public administrations, a disaster recovery plan is often required. But many of the principles governing disaster recovery planning apply regardless of company size. And technology, including cloud services, makes this process more accessible to SMBs.

1-Disaster recovery, or backup and restoration?

Disaster recovery is often viewed as a purely technical exercise, centered on backing up and restoring data. However, while data protection remains an integral part of any disaster recovery process (no business has a chance to survive if it cannot recover its data), recovery has a broader scope. A disaster recovery plan should consider how the data is protected. It is important to deal with possible failures due to software or hardware problems, but also to natural disasters such as the recent floods in the United Kingdom and mainland Europe.

A disaster recovery plan should consider how the data is protected.

Planners should consider how and where the business will work in a recovery situation. This thinking includes physical areas, including failover and recovery workspaces, and the ability for employees to work from home.

The company must also provide replacement equipment, in case existing equipment is damaged, destroyed or inaccessible. This includes laptops, tablets and other terminals, but also communication and networking equipment, as well as servers and storage solutions for on -site systems.

However, most SMEs cannot afford duplicate data centers or backup servers. Some will be able to migrate to the cloud or use it temporarily, while for others the recovery strategy is to retrieve and install new hardware to recover applications and data. But, whatever your strategy, the key is planning.

2-Planning for disaster recovery: the question is not “if”, but “when”

In recent years, companies no longer consider disasters as an event, but as a death. This development is partly explained by the development of cybercrime, in particular ransomware. At the same time, the pandemic has produced disaster recovery a priority for businesses.

Businesses of all sizes need to start with a disaster recovery plan that specifies the actions to be taken in the event of an incident and, more importantly, who is responsible for implementing them. This plan must be complete, proven and experienced.

CIOs need to know where their critical data and systems are, how they are backed up, and how they need to be recovered. As more IT systems companies to manage, they may also need to favor a staggered recovery. In fact, it is not possible to restart all systems at once. Once the CIO or project team has approved the plan, it must be communicated to the entire organization.

“Disaster recovery is more than just recovering computer systems in technical settings and data. »

Tony LockAnalyst, Freeform Dynamics

Often, businesses fail because of a lack of preparation, says Tony Lock of analyst firm Freeform Dynamics. “Disaster recovery is more than just recovering computer systems in technical parameters and data,” he emphasizes. “It is also important to make sure the recovery procedures are well understood, which includes knowing who is responsible for initiating the recovery and answering any costs. Do staff know who to contact and how, and are recovery procedures clearly written and easy to find in an emergency? »

Organizations also need to evaluate their supply chains, and the extent to which they rely on other providers for the delivery of products, services and even data.

“Companies often fail to consider dependencies on third parties and rarely investigate agreements between companies, but in the event of an incident, the priorities of those third parties are not it will always be the same with you, ”Adam said. Stringer, business stability expert at PA Consulting. He added that a clear plan would define these dependencies and how an organization would work in the event of a major supplier failure.

3-Risk and recovery

To develop a plan, CIOs and business resilience managers need to understand the risks and requirements of returning to business as usual.

The main metrics used in disaster recovery (regardless of business size) are recovery point goal (RPO) and recovery time goal (OTR).

ang OTR is the time when the data must be retrieved and made available again. For some systems, it is measured in seconds; for others, it can be measured in hours or even days.

ang RPO is the amount of data the company can afford to lose. Again, some companies will have a very low tolerance for data loss.

Risks of data theft and loss are key factors, along with RPO and RTO.

Not all systems are equal when it comes to RPO and RTO. Some, such as customer -facing applications or those containing regulated data, will have fast recovery times and low tolerance for data loss. Others are less strategic or update less frequently. The bottom line is that planners work with the business to understand its priorities and timeline.

Planners should also consider RPO and RTO from a threat perspective, said Stephen Young, director at AssureStor, a company that specializes in disaster recovery and cloud backup. He points out that the risks of data theft and loss are key factors, along with RPO and RTO.

4-Try over and over

However, disaster recovery planning will not stop once the plan has been put in place. Companies need to make it public and try it out.

“Some companies have written plans and procedures that are impractical or unknown, and especially that don’t really apply in the event of a crisis”, explains Adam Stringer of PA Consulting. “You need a clear decision -making structure and playbooks that are validated and refined through practice and testing, as well as intuitive techniques, such as a gold, silver, and bronze hierarchical structure. These elements are more useful to companies in the event of a disaster than a detailed 100-page manual. »

Companies must also define who will manage crisis management. It’s not really the CEO or CEO, but possibly the CFO or IT manager. The key is to make sure everyone knows who will lead, and how they will communicate.

“The trial takes time and money, but without it the recovery is incomplete or too slow.»

Tony LockAnalyst, Freeform Dynamics

Tony Lock of Freeform Dynamics agrees. “Testing takes time and money, but without it the recovery is incomplete or too slow,” he said. “And the worst, it may fail completely, or it will take too much company time, or it will result in the loss of important information.»

Evaluation should be regular, with disaster recovery specialists suggesting a minimum frequency of once a year. Critical systems may require testing at least once a month.

5-DRaaS and SaaS solutions

Small businesses, however, typically do not have large IT teams capable of building redundant IT systems.

Fortunately, the cloud offers a variety of workarounds, from dedicated disaster recovery service providers (DRaaS), business applications such as Microsoft Office 365.

Office 365, Google Workspace, and cloud-hosted apps allow a business to restore most of its business when its employees have access to a web browser. Cloud storage can also be a lifesaver.

Leave a Comment