Most companies treat Disaster Recovery as an insurance policy. Most of the time, the investments in this area are an expense that does not generate direct results in the company’s revenue, and which can only be “collected” when something unforeseen of great impact happens. Therefore, many companies postpone investments in this direction, making decisions based on a shorter time frame, in which the possibility of a disaster is quite low.
Over 75% of Romanian companies do not keep an up-to-date guide for such situations.
The notion of “Disaster Recovery” is misleading. Natural disasters - floods, fires or landslides - are rare, and, even when they do happen, they do not significantly impact the infrastructure in the data centers used by companies. The incidents causing an unavailability of the same magnitude as a natural disaster are much more diverse, and their likelihood is much higher. For example, cold weather comes with a number of such possible incidents - power cables cut by trees, employees unable to arrive at work, or fires in industrial areas caused by overloads. However, cyberattacks and insider attacks by dissatisfied employees remain the most common cause of systems’ unavailability.
During the past 12 months, approximately 85% of companies have suffered a malware or ransomware-type attack, about 90% of these being successful.
Considering the importance of information in our businesses, few companies can successfully operate for a longer period of time without access to critical applications, email and Internet. Unplanned Disaster Recovery efforts, that is, those that are not part of a consolidated organization-wide guide for such incidents, take an average of 30 days to fully resolve the situation.
Organizations whose return to normal operation lasts more than 30 days have a market survival rate of less than 20%.
Although critical for business continuity in any organization, investments in Disaster Recovery rank among the last places in the budget priorities. Providing customers with an improved experience, attracting and continuously training people in the field of digital skills, and keeping the systems up to date with changes in legislation or functionality are projects that effectively push such “insurance policies” to the bottom of the budget ranking.
However, since Disaster Recovery is the classic combination of people, processes and technology, below we propose a series of directions identified while discussing with our customers, which are worth exploring even if the budget for such initiatives is low or non-existent.
Defining a team responsible for Disaster Recovery and its replacements
People are the ones behind all systems or applications, even if digital tools are usually at the heart of disaster planning. Regardless of the allocated budget, you can start by defining a team responsible for planning and executing the Disaster Recovery strategy, consisting of people in charge of infrastructure, applications and security, and led by a person responsible for the continuity of operations.
Such a team, even in the absence of a budget that equips it with the right tools, could begin working on documenting risks, calculating an average hourly cost of the company’s unavailability, identifying all systems and the infrastructure necessary for the company’s operation, and finally dealing with the development of a Disaster Recovery Plan. “Prevention is better than cure”, and in this case the mere existence of such a document can save days in case of an unexpected incident.
And because unforeseen situations in practice can be more complex than those imagined, we recommend establishing replacements for each member of this team, who are informed and kept up to date with this activity. This way, we avoid situations in which the recovery sequence cannot be continued because it depends on a single person who is unavailable exactly when we need them most.
Involvement of the other departments in planning, documentation and execution
A Disaster Recovery Plan is well defined only to the extent that all departments are involved in setting goals for it. We have encountered many companies in which the IT department was the one deciding which systems were critical and what level of availability each of them needed, taking over part of their colleagues’ responsibilities, while keeping a low level of the risks that can be prevented by such initiatives.
The involvement of the other departments - both operational and management - must begin with communicating the intention to develop such a mechanism, one that concerns the entire organization, not just the systems they use. The normal resumption of operations covers all services within an organization, not just a part of them, and the representatives of these services are best able to establish together, in a coherent way, which processes, information, systems and people they need to operate within optimal parameters. Negotiating at least one Service Level Agreement with each department is essential for correctly defining the needs of the organization in the event of an unforeseen incident.
Ideally, the team described above would also include a representative from each department, who not only communicates and decides together with the recovery team in the event of an emergency, but can also support the efforts to ensure business continuity by periodically providing essential information - changes in regulations, the emergence of new processing needs, etc.
Investigating alternative approaches
Probably the most common Disaster Recovery strategy involves duplicating the infrastructure in another data center, different from the primary one where we usually carry out our operations. This redundant infrastructure, although expensive, can be used only during the short periods when recovery tests are performed or in the event of an incident.
Also, many Disaster Recovery plans are lean, because the complexity of organizations becomes increasingly difficult to manage. Most organizations have dozens or hundreds of applications in complex infrastructure permutations. The organizations that have developed Disaster Recovery plans have found that these plans were already outdated, as the organization’s operations have evolved, new systems have been added, and old systems have been decommissioned over time.
However, the emergence of Cloud technologies marks a turning point in the economy of systems and Disaster Recovery approaches. With the support of modern tools, companies can prepare a minimum infrastructure that can be extended on demand in unexpected situations, and it costs nothing until it has to be used. Moreover, this on-demand infrastructure can also be used for alternative services - development or testing systems, data analysis, etc. - finally justifying the cost of this additional infrastructure in the budget. At the same time, modern tools for the migration of services and applications, data replication and infrastructure orchestration in the event of unforeseen incidents have emerged, all of which can be considered as an alternative to the conventional “insurance policy” approach.
With more than 26 years of experience, GTS Telecom provides professional solutions for Disaster Recovery. The companies that chose to work with us rely on our thorough understanding of the business needs of organizations and on the consultative discussions that underlie any new project.
* The statistics presented in this article were provided by IDC.