Lately the news has been rife with disasters: fires, floods, hurricanes, earthquakes and mudslides all within just the last few months. And then there is the looming threat of terrorist attacks including nuclear missiles from North Korea, not to mention a hardware failure of your critical server(s). Is your business ready to sustain any of these events, and remain viable, continuing operations? Even more insidious, and with a much higher likelihood of happening on your network systems, are the threats from the internet, such as spyware, ransomware, worms, viruses, DDoS, and data leaks or breaches.
One thing we learned from 9/11: the businesses that came out OK were those that had business continuity plans that included maintaining off-site backups of their data. Many companies without usable backups never recovered and went out of business. In the last few years, the threat of cyber-crime in the form of spear-phishing, phishing, CEO fraud, hacking and ransomware has been in the headlines, usually with large corporations reporting data loss, data leakage, and huge financial losses. Costs for ransomware have grown 350% since 2015, up from $350 million to $5 billion in 2017.
Today many options are available to mitigate the risk of disaster. Individuals can use tools like Carbonite, whereas enterprise organizations might want to look at DRaaS (disaster recovery as a service) or complete hosting in a private, virtualized cloud network, such as IaaS (Infrastructure as a Service). In between there are solutions such as backing up your data to an off-site warm location using Veeam. The best of these solutions involve moving data to the cloud, which is no longer optional; it’s a requirement.
To protect against cyber threats, anti-virus/anti-malware software should be implemented, but even those protections are likely not enough. Because cyber-criminals rely on social engineering, through phishing and spear-phishing exploits as well as the “drive-by” payload dropped on your systems simply by visiting a compromised website, your only real defense is training staff to be vigilant and aware of the tactics the hackers use. Annual security awareness training and regular inoculations of staff are the only way to maintain a human firewall.
In order to choose the right solution, there are many considerations, such as cost, how much of your critical data is necessary to recover from a disaster and how quickly you need to resume operations. These are measured by RTO (recovery time objective) and RPO (recovery point objective). To determine these objectives, analyze your data transactions. For example, how frequently does your data change? If it’s minimal, changing on an hourly or daily basis, then your RPO can be longer than that of an organization whose data changes by the second. The other question is how quickly you need to be back up and running (RTO). If you are losing millions of dollars per minute, then your systems need to be back online within minutes or less.
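The transaction analysis described above can be run against your own change and backup timestamps. The following is an added example, not part of the original article; the function name `rpo_exposure`, the 4-hour RPO and all sample timestamps are constructed assumptions.

```python
from bisect import bisect_right
from datetime import datetime, timedelta


def rpo_exposure(changes, backups, rpo, end):
    """Return (worst_gap, max_changes_at_risk, meets_rpo).

    changes: datetimes at which data was modified
    backups: datetimes at which a restorable backup completed
    rpo:     timedelta, the most recent work the business accepts losing
    end:     datetime that closes the observation window
    """
    if not backups:
        raise ValueError("no backups: every change is unrecoverable")
    changes = sorted(changes)
    points = sorted(backups) + [end]
    worst_gap, max_at_risk = timedelta(0), 0
    for start, stop in zip(points, points[1:]):
        # A failure just before `stop` loses everything written after `start`.
        at_risk = bisect_right(changes, stop) - bisect_right(changes, start)
        worst_gap = max(worst_gap, stop - start)
        max_at_risk = max(max_at_risk, at_risk)
    return worst_gap, max_at_risk, worst_gap <= rpo


# Constructed sample data: one change every 10 minutes, 09:00-16:50, two days.
DAY = datetime(2018, 1, 8)
CHANGES = [DAY + timedelta(days=d, hours=9, minutes=10 * i)
           for d in range(2) for i in range(48)]
NIGHTLY = [DAY + timedelta(days=d, hours=2) for d in range(3)]  # 02:00 daily
HOURLY = [DAY + timedelta(hours=h) for h in range(51)]          # every hour
END = DAY + timedelta(days=2, hours=2)
RPO = timedelta(hours=4)  # assumed business target

if __name__ == "__main__":
    for name, schedule in (("nightly", NIGHTLY), ("hourly", HOURLY)):
        gap, at_risk, ok = rpo_exposure(CHANGES, schedule, RPO, END)
        print(f"{name}: worst gap {gap}, up to {at_risk} changes lost, "
              f"meets RPO: {ok}")
```

Feed it completion times of backups you have actually restored from, not scheduled start times, since a backup that cannot be restored does not shorten the loss window.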
Once you have determined which method of backup to use, whether it is a real-time set of systems running in tandem from two disparate locations (always on availability groups) or high availability, or simply running a nightly Veeam backup to a warm site, you’ll want to make sure you select a vendor who can meet your SLA (service level agreement) based on your RPO and RTO.
Some of the larger cloud hosting companies (Amazon’s AWS, Microsoft’s Azure, Google Cloud) can do quite well, but you may have difficulty getting the support you need from a larger provider. Finding a reliable host who can meet your needs and also provide the level of hands-on expertise and support you require is a challenge. Research the vendors thoroughly so you are comfortable with their capabilities and establish a working relationship. A high availability system running in tandem in two disparate locations will give you the best RPO and RTO but it can be costly. A thorough cost/business analysis is definitely in order.
When starting out, consider moving to the private cloud using Veeam backups to a warm site. You may be tempted to start replacing your data center hardware as the refresh cycle comes around. Don’t! This is your opportunity to have your provider spin up some virtual servers, saving you hardware replacement costs going forward and improving your disaster readiness footprint. Over time, you can become completely virtualized in a private cloud environment. Once that has been completed, you can upgrade to a high availability, fully synchronized, real-time live secondary system with automatic fail-over. That is the ultimate solution for a company that requires up-time no matter what happens and data that is as current as can possibly be.
Remember, the IT component of your disaster recovery plan is only one small but important piece of the plan. If you don’t have a DR Plan, get one. The main components of a DR Plan are: safety and security of staff and visitors, communications (to staff, customers, public), and finally, business resumption. You won’t be able to resume business without a solid IT backup solution.