There are numerous misconceptions about disaster recovery strategy in modern business. For some, they believe that it would be too expensive to construct a disaster recovery plan. Others mistake their backup strategy for a disaster recovery strategy. However, the worst misconception is that businesses today do not need a disaster recovery plan at all. Nothing could be further from the truth.
In truth, constructing your strategy is likely less expensive, simpler, and more valuable than you might expect. You just need a clear plan and an understanding of what is required.
Here, we’ll dispel some of the common misconceptions about disaster recovery strategy and provide a foundation of DR knowledge to begin the conversation. We’ll discuss what the technology covers, how to draft your asset priority list, and touch upon testing—the most important part of your disaster recovery plan.
What Do We Mean by Disaster?
When you think of a disaster, what’s the first thing that comes to mind? For many, the word evokes images of wildfires, tornadoes, and hurricanes. Certainly, those catastrophic events are worth considering and protecting against, but their likelihood of striking your environment is quite low. By that reasoning, disaster recovery sounds like a luxury, a frivolous insurance policy against the extremely unlikely.
The problem here is the connotation around the word “disaster.” What a disaster recovery plan is protecting against is any sort of event that leaves your data center or IT environment unusable for an extended period of time. Of course, a hurricane striking your data center can create that scenario, but it is far more likely that a tripped cord, malware, or genuine human error will create the disaster.
All at once, we think too big and too small when we hear the term disaster. Our mind wants to go to hurricanes, earthquakes, and fire and brimstone, or we think of some slip-up in which crucial files are deleted. The former has a low probability of occurring, and the latter can be solved with backups. This dynamic can lead to complacency, but the stakes are too high to remain unprepared.
- 40% of small businesses do not reopen after a disaster
- 75% of small businesses do not have a disaster plan in place
- Cybercrime is the fastest growing cause of data center outages representing 22% of all outages surveyed in 2016
- The average cost of a data center outage was $740,357 in 2016
Data Backup vs Disaster Recovery
One point of confusion in these conversations is the difference between data backup and disaster recovery.
The tech industry is filled with jargon and related terms with overlapping principles. A perfect example would be software defined storage and storage virtualization. These are similar concepts and at the same time separate ideas. The same is true of disaster recovery and data backup.
A disaster recovery plan does not exclusively entail backing up your data. Although, data backups are critical to a successful disaster recovery plan. So before moving forward with strategy, let’s take a moment to denote the difference between backup and disaster recovery.
Explaining the Terms
Data Backup: Data backup involves creating duplicate copies of your data for safe keeping. Whether recording your backups on tape, disk, or in the cloud, a backup strategy will ensure that if data is ever lost or corrupted, there is a backup on hand to fill in the missing pieces.
Disaster Recovery: Disaster recovery is the act of devising and testing a documented plan to respond to a disaster that impacts the IT systems of a business. Largely, this involves establishing a priority asset list of every application in the environment and developing a plan to restore these systems in the most efficient manner within budgetary restraints.
Clearly by examining these terms, the distinctions arise. When devising a disaster recovery strategy, reliable backups, in whatever their form, will play a crucial role in restoring IT systems, but they are merely a component of a larger plan. Relying on data backups to be a disaster recovery strategy in and of themselves will quickly show flaws once the rubber hits the road.
As noted above, disaster recovery primarily involves establishing asset priorities in your environment, and to do that, a business must establish their Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
Assigning Asset Priority
When crafting your disaster recovery plan, one of your most important steps is writing your asset priority list. An asset priority list ranks every single application and technology component in order of importance relative to the survival of the business. Furthermore, it includes the amount of time the business can go without this asset before it has a serious impact.
This list is crucial to your final disaster recovery plan, because the rankings will determine when and how you devote your time and resources as soon as the plan kicks into action.
When a disaster strikes and your entire IT infrastructure is disabled, the goal is to overcome the disaster with no interruption in service. Though possible, this will be far outside the price range of most companies. The goal is instead much more primal. The goal is to survive.
Why Do We Need a List at All?
When a business sits down to write an asset priority list, their first reaction is to say, “Everything is a priority!”
Unfortunately, that’s simply not true. In order to keep your disaster recovery strategy within a reasonable budget, you must prioritize your assets. When a disaster strikes, you only have so many people and so much time to restore your key applications and assets. You need a definitive step by step plan to focus the attention of your team on what is most important.
This requires some hard choices. What applications are essential to your business’s survival? Those mission-critical applications are the ones that will require the lowest Recovery Time Objective (RTO) and Recovery Point Objective (RPO), while less essential applications can take a momentary backseat. You have a limited amount of resources and time at your disposal. If this was a triage center, what do you save first?
For example, if your business is an online ecommerce marketplace, your webhosting server is crucial to your business survival. It’s where your website lives, and without it, you have no website. At the same time, your internal payroll systems are less important. Employee paychecks might end up a few days late, but the business will carry on. You need to arrange all your applications in a hierarchy using this lens.
RTO and RPO Explained
RTO: This term refers to the amount of time a business can survive with its systems operational. This will be different for every business and will thus determine the different measures a business must take to protect itself in the face of disaster. An RTO of six hours is going to yield a much different strategy compared to a business with an RTO of a month.
RPO: The RPO of a business is very closely related to the business’s backup strategy. It refers to the amount of time the business can realistically lose between your current data state and your latest backup. It is impossible to create a backup that is exactly the same as the current data in use. Whether the snapshot was taken yesterday or five seconds ago, it is entirely possible the state of the data in question has changed, and the backup no longer serves as a perfect representation of all the business data accrued up to that point. The question RPO asks is, how recent do your backups need to be? For some businesses, it could be a day. Others may require down to the minute data. The brevity of your RPO will dictate how you approach your backup strategy. A business with an RPO of one minute must make a backup of their environment or application every single minute of the day to meet their needs.
Common Assets and their Importance to the Business
No two companies are going to have the same set of priorities. Different business models, services, and industries will dictate your list. Here we’ve covered a few common assets to see how they may rank in different industries.
- PBX Phone System: While in the past, office phone systems may have been a fundamental aspect of businesses, today we all have phones in our pockets. Unless your business has a contact/call center, phones may end up low on your priority list. So long as you can recover a client list and corporate directory and be able to distribute them to the organization, you may be able to go some time without your corporate PBX system. Your employees can fall back on their own personal phones in the interim.
- Email: Email is harder to do without. Most of your staff will be cut off from the rest of the company without email correspondence, and productivity will grind to a halt. For that reason, it will likely end up high on your list, but not at the top.
- Company Website: The website is a good platform to disseminate information about your disaster, your efforts to recover, and how your customers can still receive service, so it should be higher than some other forms of communication. If your business has an ecommerce store, your website would fall under “Line of Business Applications.”
- Line of Business Applications: If you’re an application developer and your application goes down, you’re toast. If you’re in manufacturing and your inventory and production application goes down, you’re toast. Your line of business application is the lifeblood of your organization. It and any applications connected to it should be at the top of your list to focus your attention in the event of a disaster.
- Accounting Applications: Without the accounting application, payroll can quickly become a mess and your employees may not get paid on time, but it is not crucial to the survival of the business. Any backlogged payroll can be sorted and inputted at a later date. It may not be simple, but it is not essential. Your accounting applications should be low on your list and could even go over 24-48 hours before coming back online. The one caveat involves invoices and accounts payable/receivable. If the company cannot pay its bills, it may lose crucial services at inopportune times.
- Files and Documents on the Local Area Network: It is difficult to generalize the importance of files and documents on the LAN because they can vary so wildly from one company to another or even from one department to another. Sales may be keeping pending quotes and job proposals, marketing may have full campaign plans housed there. Either way, this asset must be critically analyzed in relation to your specific company to determine its importance.
Recovery Solutions and Testing
The next phase in a disaster recovery plan is to define recovery solutions. Some strategies may take longer than others. For example, a cloud disaster recovery plan is likely to be far faster than using electromagnetic tape. So, by reassessing your list and recovery window, you can begin to assign backup and recovery solutions for each asset.
Again, the knee-jerk reaction is to just host a complete mirror of your environment in the cloud at all times, so you can just flip a switch and return to work, but that strategy is needlessly expensive. By taking a hard look at your environment, you can begin to see what’s really important and what will keep your business afloat.
The final component of a disaster recovery strategy that must be considered is testing. If your solution isn’t tested, it’s not worth anything. Remember, in the event of a disaster, you have limited resources and personnel at your disposal, and every second that ticks by costs the business money. There is no time for the team to be figuring out how to enact the disaster recovery plan. Worse yet, the plan itself could be flawed. You must test your plan, and you must test it regularly.
The Beginning of a Conversation
Disaster recovery is not a product, it is a strategy. There is no out-of-the-box solution on the market today that will provide a complete, cohesive strategy perfectly aligned to your business needs. It just doesn’t exist. Therefore, every business must devise their own unique strategy.
This should serve as the beginning of a longer conversation, but it’s one you don’t have to do alone. Our Mindsight consultants are experienced at determining the asset priorities of businesses and aligning technology solutions to match a strategy.