In 2014, when pro-Russian separatists took over regions in eastern Ukraine, the government in Kyiv developed plans to disable its computing infrastructure and move backed-up data to fallback positions. If Russia seized infrastructure and passwords, they would find no sensitive data. Remote teams had the ability to cut off access to compromised accounts.
While war may not be top of mind for all organizations building disaster recovery strategies and systems, it illustrates the kind of anticipatory thinking that needs to go into such plans. Recent events show that war can’t be counted out as one of the many risks to companies and governments around the world.
Whether it’s the threat of an invasion, a natural disaster, ransomware attack or cyber-espionage, enterprises and governments will benefit by regularly reviewing, testing and reinforcing their business continuity, disaster recovery BCDR process, according to Dan Angst, director of data center sales at Nutanix.
Weather Disasters and Cyberattacks are Rampant
With 47 climate-related events costing more than $1 billion in damages globally, 2021 was the third most expensive year on record for weather-related disasters, according to insurance broker Aon. As widely reported, rising planetary temperatures are predicted to lead to more extreme events like hurricanes, floods, tornados and sea-level increases.
Cyberattacks are also ramping up in volume, sophistication and number of targets. In 2021, IT teams handled 623 million ransomware attacks, up 105% from 2021, according the 2022 SonicWall Cyber Threat Report. There was a 1,885% increase in attacks on government targets, a 755% increase in healthcare attacks, and a 152% increase in education targets.
For businesses, “Ransomware and cyberattacks can be worse than natural disasters,” said Angst. “Everything might be gone forever if you get hit with an attack.”
The DRBC Disconnect
Yet most businesses are not fully prepared. In a 2021 report commissioned by backup software vendor Veeam, based on 3,000 enterprises in 28 countries, 80% of respondents said their organizations cannot recover applications fast enough to keep their users productive. More than three-fourths (76%) said there’s a disconnect between their frequency of backups and how much data they say they can afford to lose if systems go down.
A recent Data Protection Trends survey of business and IT leaders echoed those findings: 90% of organizations reported a big gap between what business units expect from BCDR service-level agreements (SLAs) and what IT can deliver. Nearly as many organizations also perceive a gap between how much data they say they can afford to lose and how well that data is being protected in the event of a cyberattack or natural disaster.
Assessing Time and Costs
Creating BCDR plans involves inventorying all IT resources and developing solid plans for how to protect them. If a disaster does happen, ideally you want to be able to restore IT applications, data, and other functions quickly with no data loss.
“The cost of doing business and the cost of losing business is getting higher and higher,” said Angst. “Businesses have to ask hard questions like how much will it cost per hour if I’m offline? How much data can I afford to lose?”
Key metrics in the BCDR plan are the recovery point objective (RPO) and recovery time objective (RTO). RPO is a standard for the interval of time between data backups, calculated based on how long a business can survive without data being updated. Is a week’s worth of out-of-date data tolerable, for example? A day’s worth?
RTO is the organization’s standard for how long it takes to get business back online and fully functioning following an outage. Enterprises might have different RTOs for different workloads, applications, and data, based on their criticality. RTO is generally measured in seconds, minutes, hours, or days.
Setting RPO/RTO goals, putting processes in place to support them, and regularly testing those processes to ensure that they work must be balanced with what it all costs. “You can [recoup] an RTO in less than an hour. But is it worth the expense?” said Angst.
For example, narrow-margin industries such as retailers might not be willing to pay a premium for low RPO and RTO. The potential loss of a few hours or a day of data might not be as big a deal or economically justifiable. But for a busy online business, even a four-hour downtime window can be incredibly expensive and damaging to the business’s reputation. The loss of data could be catastrophic.
Calculators are available that estimate how much it will cost if your company’s network goes down. But there are many elements that go into such calculations, and cost estimates can vary widely. For example, in one scenario, a company with annual revenues of $196 million a year and 1,000 employees, each valued at $80,000 a year, would incur estimated downtime costs of $65,000 an hour[GK1] .
Multiple Back-Up Options
According to Angst, the best BCDR plans have a backup strategy that addresses business needs, choices of different types of network access, cloud economics and scale to keep costs in check. The best plans follow the 3-2-1 rule: three different copies of data on two different media, with one of them off-site.
“Companies are looking at their storage backup in multiple ways because there are now multiple backup options that accommodate everything from the most stringent data requirements to the loosest,” said Angst. “Being able to back up everything you have, no matter what you're running, to the [public] cloud, without strict requirements for an RTO, is a great option for some companies.”
One reason is that the public cloud, by definition, fulfills the “off-site” requirement of the 3-2-1 rule. In addition, public cloud pay-as-you-go pricing allows enterprises to pay only for resources when they use them, so it helps balance the DR cost side of the equation.
Other back-up storage options are available from third-party providers and managed service providers. Warm and cold data backup can be priced based on multiple RPO tiers.
Security and Continuous Testing
Security and data protection are important components of business continuity. Systems and data are protected with cyber security solutions and physical security in offices and stores. Yet insiders are responsible for 22% of malicious data exfiltration and accidental data loss, according to the Verizon 2021 Data Breach Investigations Report.
For example, breaches occur when people share passwords and as a result of malicious acts by disgruntled employees and employee negligence. Combating insider attacks requires the effective communication of clear policies and procedures and vigilance among employees.
The more security, however, the higher the cost and the greater the inconvenience. For example, changing a password frequently is perceived by most people to be a hassle. Going through two-factor authentication every time you log in is inconvenient at best. So security measures should be weighed against the cost and the tolerable level of user frustration.
Automation and testing are other important parts of BCDR. The use of automation makes it easy to create backup and recovery tiers customized to the needs of each business. The most critical apps can run with near-real-time failover. Products and services are available that provide automated testing to make sure your BCDR plans and procedures are always in place.
Prevent, Detect, Recover: An Ongoing Process
The latest generations of BCDR tools help companies shrink their downtime windows. The operations of computers, storage arrays, and network switches can all be virtualized, making it easy to spin up environments that duplicate existing IT operations and enable rapid disaster recovery. Cloud-based disaster recovery-as-a-service (DRaaS) provides simplified, automated BCDR testing.
Stringent disaster recovery not only protects a company’s internal business operations; it can also be a “benefit companies can tout to their customers,” said Angst. “Demonstrating that you have extensively planned and prepared for natural disasters and cyberattacks, that your company is secure, instills a lot of confidence.”
BCDR is an ongoing process involving the prevention and detection of threats and recovery from disasters and attacks. Done right, BCDR plans and processes carefully balance acceptable downtime and data loss with security, inconvenience, and cost.