Everything You Need to Know About IT Disaster Recovery
COVID-related business disruptions have been teaching companies a lot about the need for disaster recovery planning. Here are the basics your company should master.
- IT disaster recovery helps maintain business activity in the event of a disruption such as a natural disaster, ransomware attack or accident.
- Disaster recovery in IT relies on having data and software duplicated somewhere that can be accessed relatively quickly to ensure business continuity.
- Choosing among the different types of IT disaster recovery plans requires understanding your organization’s needs and the resources available.
That moment when your servers go down is the wrong time to wonder what happens to your data. But if your organization has engaged in IT disaster recovery planning beforehand, this critical aspect of your business continuity shouldn’t be seriously compromised, even in the wake of natural or man-made disasters.
What Is Disaster Recovery?
Think of disaster recovery as a lifeboat that will help keep your organization afloat when a major event strikes the mother ship. IT disaster recovery supports essential business functions by regaining access to data and software after events like a natural disaster, cyberattack or accident.
Why Is IT Disaster Recovery Important?
An effective IT disaster recovery plan is part of a larger business continuity plan meant to protect your organization. With the growth of digital operations, an IT disaster recovery plan is much more than a way to keep emails flowing and printers working. With the growth of digital infrastructure, many operational systems from manufacturing to customer relationship management now rely on digital components that can be compromised. Ransomware attacks now routinely threaten all kinds of industries, from automakers to shipping. Spending time and money on an IT disaster recovery plan is becoming a best practice much more readily funded as senior management recognizes how it can result in important savings when the plan is activated.
- It saves the business: Few organizations can afford the downtime brought on by a catastrophic IT failure. When there is a data breach, for example, the resulting lost business can cost companies an average of $1.5 million, according to the Ponemon Institute, including increased customer turnover, lost revenue due to downtime, and the higher cost of acquiring new business due to reputational damage. Another survey found that the stocks of companies that suffered a cyberattack dropped in the following six months.
- It saves your assets: Disaster recovery also protects your company’s intellectual property and other digital assets. The recent spate of ransomware attacks and the disruption of the sudden pandemic lockdown have increased the exposure of such assets.
- It saves money: Spending on disaster recovery can ultimately be cost-effective in other ways, too. For instance, effective disaster recovery can hold the line on expenses that follow many disasters, such as increased insurance costs and legal fees. A Deloitte study on the effects of cyberattacks found that companies faced higher insurance premiums and difficulty borrowing in financial markets, because credit rating agencies would downgrade companies that suffered an attack and lenders would charge them higher interest rates.
COVID pandemic lockdowns only underscored the consequences of being unprepared. When they started, as few as 15% to 20% of companies were prepared for maintaining business continuity, according to Ross Jackson, Mimecast’s Vice President, Organizational Resilience. Even fewer had prepared disaster recovery plans that were meant to last more than a few days or weeks.
What Are the Types of Disaster Recovery?
Like every other aspect of business, disaster recovery has evolved with technological innovation. More companies are relying on outside vendors to support their IT disaster recovery, and the cloud is increasing the options available. Here are experts’ assessments of the options:
- Data center-based disaster recovery: This plan addresses all that could go wrong in your on-site data center, from a security breach to an HVAC malfunction. Disaster recovery in this case involves having backup servers located at a safe distance from your organization’s servers — often at an off-site location run by a managed hosting provider — so operations can move there when disaster strikes. This can be an expensive option, including the cost of maintaining hardware to sit idle, hosting backups. But it offers peace of mind for organizations that have no margin of error in their disaster recovery plan.
- Virtualized disaster recovery: A cheaper, faster option involves using multiple virtual machines hosted by a vendor to emulate your server environment. In case of a disaster, your operations can transfer to those virtual machines in a matter of hours and be up and running with minimal disruption, rather than wait for your IT disaster recovery team to stand up a disaster recovery server and transfer operations, which can take days for some organizations. Virtualization is thorough, but it is more budget-friendly than building a backup data center. It saves on the expenditure for servers, and powering and cooling those servers, which can add up. Additionally, partitioning your server environment among multiple virtual machines gives the disaster recovery team more flexibility by allowing them to compartmentalize different systems, workloads or working environments to secure and back up.
- Disaster Recovery as a Service (DRaaS): With so many companies working with cloud service providers for applications ranging from email to payroll, IT disaster recovery also has the option to rely on your service provider’s disaster recovery capabilities. Businesses spent more than $6.3 billion globally in DRaaS disaster recovery services in 2020, and the segment is expected to grow over 18% annually during the next five years. Organizations of all sizes use this model, which relies on cloud computing to backup and restore data when it’s lost due to system failure, with a vendor providing all the disaster recovery orchestration through its own solution. This structure eliminates the need for duplicating hardware while at the same time offering fast recovery (even instantaneous), and it can be budget-friendly. Some cloud service providers only charge if the disaster recovery portion of their service package is used.
Developing a Disaster Recovery Plan
Before launching a disaster recovery plan, experts advise that you first understand what needs protecting: Which data needs to be backed up and which operations need to be duplicated off-site. Steps include:
- Measure your risk: You can’t protect what you don’t know, so audit your infrastructure and your needs. How many servers do you have/need to operate? How much data do you have, what is it used for, and when? Are your servers vulnerable? Do you operate in a disaster-prone area?
- Set goals: Clarify your recovery time objective (RTO): how quickly systems should be up and running after an incident. This will vary depending on the business function and the industry; even within the same company not all functions are mission-critical. Also state your recovery point objective (RPO), as the amount of data you can afford to lose after a disaster — usually based on what was created since the last backup.
- Choose a plan and a team: Set up a working group to study which disaster recovery plan structure will prove most effective for your organization’s operations and the scope of its work and resources. Evaluate vendors and budgets for the different options and present them to management; the C-suite may need to sign for the expense.
- Execute and update: Like most IT programs, disaster recovery planning is not a one-and-done effort. As the plan develops, new wrinkles and features may emerge that will need to be addressed. Disaster recovery also requires monitoring to stay ahead of possible risks such as evolving cyberthreats.
Essential Features of an IT Disaster Recovery Program
An effective IT disaster recovery plan should cover all the bases:
- The A-team: In case of emergency, the organization needs to put a team to work ASAP, and it needs to work effectively together. The disaster recovery plan needs to include all the people necessary to get systems operational after an event, spell out their responsibilities in that situation, and list their contact information.
- Risk assessment: A financial institution may be more concerned about a cyberattack than an earthquake; a power grid may fear both. A good disaster recovery plan should model some of the most common possible threats. Know what is most likely to trip up your organization and how quickly stakeholders would expect you to be up and running after a catastrophe.
- Priorities: Resources may be limited in an emergency. Establish in advance what needs to be up and running immediately and what can wait. Powering up operational systems may be more important than bookkeeping to a manufacturer, while a retailer will want transaction processing back right away — to keep the doors open — and let merchandising systems wait.
- Remember to backup: Backups are critical to the success of a disaster recovery plan. Once you establish your acceptable RPO, keep on schedule with backups to deliver on that goal. Anything that is mission-critical needs to be backed up regularly, and a copy of the disaster recovery plan should be stored safely off-site, ready to be used at a moment’s notice.
- Test, rinse, repeat: Climate change is bringing flooding into areas that never saw it before. New malware attacks develop as soon as old ones are deflected. A disaster recovery plan can’t stand still; it has to be constantly testing for new vulnerabilities and other risks. Regular testing and drills need to be a part of any effective disaster recovery plan.
The Bottom Line
Disaster recovery in IT is a vital part of a business continuity plan, especially in today’s digitally-dependent environment. An effective disaster recovery plan is like a good insurance policy: You may never use it, but if you need it, you’ll be glad it’s there — as long as you have the right coverage.
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!