This back-to-basics article, written by the team at OGL Computer, offers insights into why DR is so important, how even common DR strategies can sometimes fail, and why today’s business environment means it's time for a radical rethink of older strategies.
Traditionally, unexpected bad or disastrous events for businesses could easily be summarised as physical ‘fire, flood, or theft’. Today, businesses are more likely to suffer a digital disaster than a physical one, such as the sudden and catastrophic loss of access to critical information at the hands of a ransomware attack, severe data breach, or service provider failure.
To prevent this, businesses need to have a comprehensive disaster recovery (DR) plan in place - a set of protocols designed to enable us to return to normal quickly should a disaster strike. However, many DR plans are rooted in physical disaster, with very few keeping pace with businesses as we move further into the digital age. This has left too many companies exposed to a plethora of potential digital disasters.
20th century disaster recovery plans were oriented around physical disasters – fire, flood, earthquakes, physical theft, and the like. But despite the business world becoming more cyber-orientated, DR plans often still focus on physical rather than cyber issues.
OGL Computer’s solution architects have recently observed many emerging trends in disaster recovery, some of which require urgent and radical rethinking of existing DR plans.
As the business landscape continues to undergo its digital transformation, so too do the ways that an enterprise can be crippled digitally. Research shows that in 2019, an organization undergoing a ransomware attack could expect to lose an average of 16 days to operational disruption. Severe downtime due to data breaches and service provider failures needs to be accounted for just like any hardware failure or natural disaster ‒ but not all businesses are fully adjusting to modern requirements.
It is worth differentiating between data backup and disaster recovery. DR must include backup, but backup alone is not disaster recovery. Think of a ransomware attack by a destructive variant, which can leave your computers unusable. Even if you can recover lost files from a backup after the disaster, you cannot quickly return to business, as you have no infrastructure on which to use the files. This would leave any backup-only recovery measures redundant.
Disaster recovery is not just about recovering data, but the ability to return the business to normal operations efficiently and speedily. The problem became more difficult in 2020 as workplaces decentralised, with staff now working from home on personal devices in a number of locations. With this increasing diversity in business models, disaster recovery plans need to be more bespoke; templates and ready-made protocols will no longer be sufficient for most enterprises.
The data backup and storage elements are often a particular problem area in disaster recovery plans, with organizations storing backup data in the same physical premises or on the same network as the operating devices. This is a mistake, as a disaster could simultaneously compromise the working device and the backup devices. A primary focus for many ransomware gangs today is to neutralise any backup data by infecting the network and compromising any local backup before attempting to encrypt the business files.
The opposite is also seen. If data is backed up to different premises, many plans do not account for access to this additional location. Especially with restrictions on movement and lockdowns due to COVID-19, businesses need to be warier of how they manage data retrieval under various circumstances.
Our solution architects have observed numerous common mistakes and errors made by businesses. In our work to build bespoke DR solutions for our customers, we have identified several of the most common failures:
As highlighted above, data backup is a cornerstone of disaster recovery, but many businesses fumble on this essential step. While 90 percent of companies do back up their critical data, daily backups are only performed by just over 40 percent of businesses. These backups are vital for eliminating downtime when data is lost – which is a necessity, as in 2019, 42 percent of businesses experienced downtime due to data loss.
The most critical, director-level data is often stored on local devices, which then creates vulnerable endpoints that may put highly sensitive data at risk. Keeping track of where data is being stored and ensuring that sensitive data is only held on the appropriate devices is vital to DR solutions.
We also see many organizations conflate cloud sharing with cloud storage. Some providers, like Microsoft 365, offer a limited period in which accidentally lost data can be retrieved. However, this is not a permanent backup or an effective part of disaster recovery, and so should not be relied on. Microsoft 365 and similar services are intended to allow decentralised collaboration on projects, not to store or preserve data for long periods.
Physical backups need special consideration under situations like COVID-19. With ever-changing restrictions, thought needs to go into the accessibility of the backups; if data is being backed up onto tapes, and the location where the tapes are stored is inaccessible, is that really a functional backup solution? Utilising a cloud platform such as those from Datto or Veeam is a more robust solution.
Finding the right cloud solution is more important than ever as the business landscape decentralises and more workers telecommute. Most consumer-level cloud services like OneDrive or AWS buckets will not suffice in terms of security or data integrity.
Finding the right managed cloud solution is a vital part of any DR plan in order to meet all data security needs while also keeping that data accessible. When combined properly with secure on-site backups, many organizations can keep on working in the face of a disaster scenario.
Physical data storage is also a vital inclusion in a comprehensive data recovery plan. This encompasses everything from the location and accessibility of where the data is stored, to the environment where the storage devices are kept, and the physical storage medium used.
Unforeseen events can and will happen, so it is vital that you plan for potential disasters. However well your data is stored and backed up, it is important not to assume your business is invincible. DR plans should have a clear, realistic RPO and RTO (recovery point objective and recovery time objective) and protocols in place to determine what data is most critical to business operations and how to restore it in the event of a disaster.
The most important part of any disaster recovery plan is asking the right questions. ‘One size fits all’ does not exist in the world of DR, so every aspect of a prospective DR strategy needs to be questioned – is this necessary? Is this effective? Does this account for the business’ biggest vulnerabilities?
For this reason, delivering a complete DR plan in-house is often neither cost- nor time-efficient. An expert consultation service that will work with a business and find fresh ways to challenge fixed thinking is the best way to protect against the growing list of threats as we move through 2021.
For more details see OGL’s disaster recovery and backup guide.