Click to learn more about author Matt VanderZwaag.
Spring floods, summer tornadoes, winter blizzards – Disaster Recovery (DR) planning for mission-critical IT assets is seldom top-of-mind until headline-grabbing, “seasonal” disasters occur. Even then, many organizations are resistant to investing in DR, gambling that they will never be subject to a disaster.
The fact is, disasters can and do happen. They can occur at any time and aren’t restricted to weather-related events. Statistics have shown that a security breach or hardware failure can be just as great a threat to an organization’s mission-critical data as a wildfire or hurricane.
That makes it all the more important that companies focus on developing a Disaster Recovery plan to mitigate or eliminate downtime that can occur any time of the year.
Conduct a Risk Assessment
Whether you take on DR planning yourself or outsource to a third-party vendor, one of your first steps will be to conduct a risk assessment. A risk assessment examines the vulnerability of your IT assets to events that can cause downtime, including cyber-attacks, internet outages, and natural disasters.
Geographical location and weather patterns can come into play here. For example, if you’re in an area at risk for flooding or a location with limited transportation access (which could prevent employees, as well as emergency services, from accessing your site), your IT operations could be at risk.
Also look for weaknesses that would make an asset more susceptible to damage from a hazard, such as deficiencies in building construction or being in a multi-tenant building where a fire or broken water pipe in the suite next door could put your business at risk.
Inventory Your Assets
Next, take stock of your IT assets. Get input from others within your company, as “shadow IT” could have introduced essential applications without the knowledge of the IT department. Identify any application and system dependencies as well. It stands to reason that they would also need to be recovered before you can access your critical applications and data.
Conduct a Business Impact Analysis
Determine the operational, financial and reputational effects on your business if your IT assets were not available. Include costs associated with downtime including, but not limited to, lost or delayed sales, regulatory fines, lost customers, and damaged reputation. This will help you to calculate how much downtime your business can tolerate.
Identify the minimal resources required to maintain business operations and establish an order of priority for restoring business functions and related data or applications. Take into consideration any compliance requirements as well.
Define Your Recovery Objectives
Once you have determined the likelihood of particular threats and the implications of downtime, set your organization’s recovery objectives.
Your recovery point objective (RPO) addresses how much downtime your business can tolerate — is it seconds, minutes, hours or days? If you’re an online retailer, you may not be able to tolerate anything beyond several minutes without substantial revenue loss or customer dissatisfaction. If you’re a healthcare organization, any data loss may be unacceptable.
Recovery time objective (RTO) addresses how quickly you need your data back up and running after any sort of downtime. This turnaround time will vary based on the application and its importance to your business continuity.
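The inventory, impact analysis and recovery objective steps above can be combined into a dependency-aware restore order. The following is an added example, not part of the original article: the asset names and RTO values are constructed, and the rule that a dependency inherits the tightest RTO of anything relying on it is an assumption that follows from the point that dependencies must be recovered first.

```python
# Added example: asset names and RTO values are constructed, not from the article.
from graphlib import CycleError, TopologicalSorter

# asset -> (RTO in minutes set by the business impact analysis, dependencies)
INVENTORY = {
    "storefront": (15, ["orders-db", "auth"]),
    "orders-db": (60, ["san"]),
    "auth": (240, ["directory"]),
    "directory": (480, []),
    "san": (480, []),
    "reporting": (1440, ["orders-db", "etl"]),
    "etl": (2880, []),
}


def plan_recovery(inventory):
    """Return [(asset, effective_rto)] in the order assets should be restored."""
    graph = {name: set(deps) for name, (_, deps) in inventory.items()}
    missing = set().union(*graph.values()) - set(graph)
    if missing:  # a dependency nobody inventoried, e.g. shadow IT
        raise ValueError(f"not in inventory: {sorted(missing)}")
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"circular dependency: {exc.args[1]}") from exc

    # Assumption: a dependency must be back at least as fast as the most
    # urgent asset that needs it, so tight RTOs propagate down the graph.
    effective = {name: rto for name, (rto, _) in inventory.items()}
    for name in reversed(order):  # dependents before their dependencies
        for dep in graph[name]:
            effective[dep] = min(effective[dep], effective[name])

    # Dependencies first; among assets ready to restore, tightest RTO first.
    sorter = TopologicalSorter(graph)
    sorter.prepare()
    ready, plan = [], []
    while sorter.is_active():
        ready.extend(sorter.get_ready())
        ready.sort(key=lambda asset: (effective[asset], asset))
        asset = ready.pop(0)
        plan.append((asset, effective[asset]))
        sorter.done(asset)
    return plan


if __name__ == "__main__":
    for step, (asset, rto) in enumerate(plan_recovery(INVENTORY), start=1):
        print(f"{step}. {asset}: restore within {rto} min")
```

In this sample the directory and storage systems, each given an eight-hour RTO on their own, end up with the storefront's 15-minute objective because the storefront cannot run without them.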
Pick Your Strategy
The next step is to evaluate data backup, replication and recovery strategies. Is tape or disk backup the better option? Should you keep your data backups on site, move them to an off-site facility owned by your company or store them with a third-party provider?
If you go with off-site backup, will you need a facility equipped with everything necessary to get recovery started immediately, even if you must pay for resources when not in use? Or would it be better to bring in the equipment for data recovery at an off-site facility only when needed, although that will lengthen recovery time?
Disaster Recovery in the Cloud
Among the DR strategies to consider are Cloud services, which offer a number of advantages over traditional DR. Cloud-based DR can be delivered “as a service,” eliminating the need to invest in a remote DR site. Ongoing operating expenses are lowered because users do not have to pay to power and cool off-site equipment. Capacity and performance can be allocated on demand, so customers only pay for the resources consumed. Because Cloud services are designed for remote management, recovery is also much faster.
To assuage fears that Cloud-based DR could open customers’ data streams to breaches from a third party or because of other customers residing in a given data center, many providers build high-level security features into their Clouds. Providers that typically offer the highest levels of security are those like US Signal that are audited to meet the stringent security requirements of the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and other regulations or industry standards.
Be Prepared Every Season
Ensuring your business can continue operations and recover critical data and applications if a disaster strikes is essential to your organization’s survival and success. The strategies are out there. It’s a matter of choosing the ones that are right for your business, incorporating them into a plan and testing that plan to ensure your company can stay up and running year-round.