Resilience, recovery and relief
I’ve been thinking for a while about writing on disaster recovery. A recent article in the Independent (which can be read here – http://tinyurl.com/hoxttwa) noted that cyber attacks are affecting small to medium businesses as well as large household names.
We’ve all heard about the attacks on various big players that resulted in the release of customer details and private information. The intent here isn’t to scare anyone but to raise awareness. Just because your business is smaller doesn’t mean you won’t be targeted.
Experts argue that SMEs are more at risk because hackers simply know that they’ll have fewer safeguards in place. It is important to be aware that data loss can happen by a variety of routes; hacks are just one example. You must also consider hardware failure, loss of connectivity, accidental deletion and so on.
This can be a bewildering area to think about, which is why a lot of small businesses tend to give it a lower priority and concentrate on the more traditional business worries: sales, reach, competition and so on.
Any business should have a business continuity plan. These traditionally cover all aspects of your business, and their sole aim is to ensure that you are equipped to deal with any major interruption that prevents you from working as you normally would.
A part of this business continuity plan is your disaster recovery plan. This is defined as “a set of policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster”.
Disaster Recovery
The questions you need to ask yourself before deciding on the correct solution are:
- What data can I afford to lose in the event of a disaster?
- How quickly do I need to get that data back?
Recovery Point Objective or RPO.
All this means is defining the point in time that you are happy to recover to. It’s perhaps easier to understand this by reading some examples.
Example One
XYZ Ltd makes and sells children’s toys. They sell these exclusively online via their website. Included in their website is a database which holds the names and addresses of customers and details of their orders. It also holds details of stock inventory, images and reviews.
They back their website up once a week on a Sunday night at 11pm. Their RPO is therefore defined as 11pm on the previous Sunday.
On Monday they announce a sale on social media. This produces an excellent result and they are inundated with orders, all paid for via PayPal.
By Wednesday, they are still catching up with orders when there is a major outage at the datacentre where their website is hosted. This happens at 11:30am.
They call the hosting company who tell them that the server is completely broken but that they are replacing it and XYZ Ltd will have to restore a backup.
The net result for XYZ Ltd is that all orders, inventory and stock items received from 11pm Sunday till 11:30am on Wednesday are lost.
Example Two
ABC Ltd are a team of accountants. They have in their offices a small server which acts as a file server. This means that all their files are saved on a network drive.
This network drive is connected to a backup device which backs up twice a day at 11am and 11pm. Their RPO is therefore defined as 11am or 11pm the same day.
At year end, just after their lunch, they check the server room to find that the server is completely dead. They call out their IT support team who confirm that there has been a catastrophic hardware failure and provide a temporary replacement server.
They perform a restore from the onsite backup and only lose data entered between 11am and 1pm.
Example Three
LMNOP is a small business run by John Smith. John is a joiner by trade and saves all his files to his laptop. He does not back these up as it never goes wrong. He therefore has no RPO.
One day John is en route to a customer on the train and his laptop is stolen. He has lost all his data from the start of his business with zero chance of recovery.
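The three examples above, worked through in code as an added example (not part of the original article): it finds the last scheduled backup before an incident, the resulting data-loss window, and the worst-case loss each schedule allows. The calendar dates and the 9am theft time for LMNOP are constructed; the article gives only weekdays and times.

```python
from datetime import datetime, timedelta

def scheduled_slots(start, days, weekdays, times):
    """All backup times in `days` days from `start` (weekday: Mon=0..Sun=6)."""
    slots = []
    for d in range(days):
        day = start + timedelta(days=d)
        if day.weekday() in weekdays:
            slots += [day.replace(hour=h, minute=m, second=0, microsecond=0)
                      for h, m in times]
    return sorted(slots)

def data_loss_window(incident, weekdays, times):
    """Time between the last backup before `incident` and the incident.
    Returns None when nothing is ever backed up (no RPO at all)."""
    window_start = incident - timedelta(days=8)  # covers any weekly schedule
    earlier = [s for s in scheduled_slots(window_start, 9, weekdays, times)
               if s <= incident]
    return incident - earlier[-1] if earlier else None

def worst_case_loss(weekdays, times):
    """Longest gap between consecutive backups: the most you can ever lose."""
    slots = scheduled_slots(datetime(2024, 1, 1), 15, weekdays, times)
    gaps = [b - a for a, b in zip(slots, slots[1:])]
    return max(gaps) if gaps else None

if __name__ == "__main__":
    # Calendar dates are constructed; 2024-01-10 is a Wednesday.
    every_day = set(range(7))
    cases = {
        "XYZ Ltd": (datetime(2024, 1, 10, 11, 30), {6}, [(23, 0)]),
        "ABC Ltd": (datetime(2024, 1, 10, 13, 0), every_day, [(11, 0), (23, 0)]),
        "LMNOP": (datetime(2024, 1, 10, 9, 0), set(), []),
    }
    for name, (incident, weekdays, times) in cases.items():
        print(name, "lost:", data_loss_window(incident, weekdays, times),
              "worst case:", worst_case_loss(weekdays, times))
```

The worst-case figure is the one to compare against the data loss you can tolerate: XYZ Ltd lost two and a half days this time, but their weekly schedule allows up to seven.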
Recovery Time Objective (RTO)
This is closely allied to your RPO. It means “How quickly do you need to recover the data” and nothing more. If you can happily survive for a week without the data, then your RTO is pretty low. If you need to have it recovered within a day, then it is higher.
Questions to ask yourself
- How much data can I afford to lose?
- How long can I carry on till the data is recovered?
The answers to these will help to define your disaster recovery plan in terms of what is required.
The following infographic illustrates this.
Crafting a disaster recovery plan
This is not a task to be rushed as it requires some careful thought. The plan should be a live document and regularly returned to and updated. Furthermore, it should be regularly tested and the results recorded.
Some of the things you need to include when drafting the plan are:
- Where is my data?
- How is it accessed?
- Is it backed up?
  - Where?
- How much data can I afford to lose?
- How long am I prepared to wait to recover the data?
- In the event of a total loss of systems, what would I need to buy in order to recover fully?
- Backups
  - Do I have them?
  - Do I check them?
  - Do I test them?
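One way to answer the three backup questions (have, check, test) and to record the result, as an added example that is not from the original article. It assumes backups are `.tar.gz` archives with a hash manifest written beside them; the function names, the manifest file name and the sample data are all hypothetical.

```python
import hashlib, json, os, tarfile, tempfile, time

def make_backup(source_dir, archive):
    """Write a .tar.gz of source_dir plus a manifest of SHA-256 hashes."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                path = os.path.join(root, name)
                rel = os.path.relpath(path, source_dir)
                with open(path, "rb") as fh:
                    manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
                tar.add(path, arcname=rel)
    with open(archive + ".manifest.json", "w") as fh:
        json.dump(manifest, fh)

def verify_backup(archive, rpo_hours, now=None):
    """Do I have it, is it recent enough for my RPO, and does it restore?"""
    report = {"exists": os.path.isfile(archive), "fresh": False, "bad_files": None}
    if not report["exists"]:
        return report
    age_hours = ((now or time.time()) - os.path.getmtime(archive)) / 3600
    report["fresh"] = age_hours <= rpo_hours
    with open(archive + ".manifest.json") as fh:
        manifest = json.load(fh)
    bad = []
    try:
        with tarfile.open(archive) as tar:
            for rel, digest in manifest.items():
                # Read each file back out of the archive and compare hashes.
                data = tar.extractfile(rel).read()
                if hashlib.sha256(data).hexdigest() != digest:
                    bad.append(rel)
    except Exception:
        # Any failure to read the archive counts as a failed restore test.
        bad = sorted(manifest)
    report["bad_files"] = bad
    return report

if __name__ == "__main__":
    # Constructed sample data standing in for a small business file share.
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "files")
        os.mkdir(src)
        with open(os.path.join(src, "orders.csv"), "w") as fh:
            fh.write("order,customer\n1001,A. Example\n")
        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)
        print(verify_backup(archive, rpo_hours=12))  # record this result
```

A backup passes only when `exists` and `fresh` are true and `bad_files` is empty; keeping each report with its date gives you the recorded test results the plan calls for.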
As you can see from the graphic above, how quickly you want to recover and how small a data loss you can stand both have a direct impact on the cost of the solution.
Sometimes, we can have unrealistic demands in terms of RTO and RPO. A small business may need to restore to within half an hour of the failure (its RPO) and for that restore to happen within three hours (its RTO). This is achievable but may require some investment.
As previously stated, disaster recovery is only a subset of your business continuity plan. If it is planned in detail, implemented effectively and regularly updated and tested, then as a business you will be more assured that the data you rely on is safer, more secure and more readily available.
Still confused and not sure if this applies to your business?
- Yes, it does – it affects everyone 🙂
- Let me help. You’ll be pleasantly surprised at the low cost for Hub Projects to come in, look at what you have and then report back on what you need (or don’t need). Once you’ve got the report back it’s up to you what to implement or not, and you can go anywhere for the practical help. No strings, no ties; just help and advice from an experienced IT professional with 20 years’ experience.
You can get in touch by clicking here – remember, no obligations, no ties, I am just here to help.