We’re all familiar with the value of making a backup of business data, but how does this fit with ‘disaster recovery’ and ‘business continuity’ strategies? This article takes a brief look at how these elements fit together to ensure that businesses can survive, function and get back up to speed when disastrous events (external or internal) pose a serious threat.
Normal life rules apply to the business environment i.e. things can and do go wrong, and backup and disaster recovery are both based upon this understanding.
Business continuity in the event of a ‘disaster’ is about making sure that your essential operations and core business functions can keep running while the repairs can be made that get you back up to speed.
What could go wrong?
There is a potentially huge range of ‘disasters’ that businesses could make plans to be able to overcome, and even though organisations come in different sizes and have different budgets, the risks they face are generally the same. Typically, the more obvious ‘disaster’ threats to business include:
- Hardware failures/server failures
- Outages and/or file corruption
- The effects of cyber-attacks. For example, 53% of senior managers believe that a cyber-attack is the most likely thing to disrupt their business (Sungard AS 2019) and the effects could include damage to/locking out of systems (malware and ransomware), fraud and extortion, data breaches (which could also attract fines under GDPR, damaging publicity and loss of customers)
- Environmental/natural disasters e.g. fire and flood
- Important 3rd supplier failure or the loss of key employees
- Failures of part/a component of a network e.g. as highlighted by recent problems with banking and airline industry services
- Theft or loss of equipment holding company data
Backing up your data – where to store it
When it comes to backups, security, integrity, cost, scalability, complying with legislation, your own business plans, and ease of daily use are all considerations. Where/how to store backed-up data is a decision tackled differently by different companies. In the UK, GDPR (the data protection regulations) should be taken into account in these decisions. Places to back up data could include:
- On-site – storing data in the same location e.g. on an external hard drive in the workplace. Although the data backup is close to hand, this is not a particularly secure solution and in the event of flood/fire/theft disasters, your data would be gone.
- Off-site – taking the data away on a hard drive or another physical storage medium. This means it’s less at risk from local issues (e.g. loss, theft, damage) but may could mean it takes longer to restore data .
- Online – backing up your data on hosted servers (in the cloud) and accessing them through an application. This is now becoming the preferred method for most businesses as it is convenient and fast (if you have an internet connection) and it cuts out many of your on-site potential disaster risks (fire, flood, loss and damage of physical storage media).
Some businesses prefer to use a ‘hybrid’ cloud backup to help address any vulnerabilities that cloud-only or local-only backup solutions have.
There are many dedicated online backup solutions available e.g. IDrive Business, Backblaze Business, Carbonite Safem, or larger solutions for businesses with much bigger data backup requirements.
Taking regular, secure backups of your business data is an important part of good practice. It is also an important element of disaster recovery and the business continuity process.
There are several types of backup that businesses need to make decisions about. These include whether, if/when and how to make:
- A full backup – one that covers every folder and file type and typically takes a long time.
- An incremental backup – the first back up is a full one, followed by simply backing up any changes made to the previous backup.
- A differential backup – similar to an incremental backup, requires more storage space but has a faster restore time.
- A mirror backup – an exact copy of your data that has the advantage of removing the obsolete files each time.
- An Image-based backup – captures images of all data and systems rather than just copying the files.
- A clone of your hard drive – similar to imaging and creates an exact cloned drive with no compression.
In reality, many businesses make use of many different types of backup solutions at the same time.
Business continuity, backup decisions and disaster recovery
Accepting that disasters happen and you can plan how to maintain business continuity while you deal with them (using a disaster recovery plan) is an important step in safeguarding your business. Maintaining the ability to ensure that core functions and critical systems remain in place in the event of a disaster (business continuity) involves planning, an important part of which is the disaster recovery plan (DRP). Creating this plan is usually an interdepartmental process which is often led by information technology.
RTO and RPO – linking backups to your DRP
There are two metrics you can use to help you to make data backup decisions that relate to your DRP.
The Recovery Time Objective (RTO): the recovery window/how long (time) the business realistically has to recover from a disaster before there are unacceptable consequences.
The Recovery Point Objective (RPO): how far back (the maximum tolerable period of time) your organisation needs to go in recovering data that may have been lost due to a disaster.
By working out these time periods (particularly RPO), it can help you to decide upon the frequency of backups, which backup methods are most suitable and preferable to you e.g. the need to go back longer periods may favour online backups, and businesses with large quantities of valuable historic data may struggle with a short RTO (which may require tiered data recovery).
In today’s business environment, it is worth bearing in mind that your customers are not likely to be very tolerant of downtime, so recovery windows now need to be as short as possible. Many businesses, therefore, simply opt for a daily backup.
Disaster recovery plan
At the heart of your business disaster recovery strategy should be the disaster recovery plan (DRP) which should provide step-by-step workable instructions to ensure a fast recovery. A DRP should be tested and kept up to date to ensure that it will work in reality in the event of a disaster and typically includes elements like:
- A plan for roles and communications, detailing employee contact information and who’s responsible for what following the disaster.
- A plan to safeguard equipment e.g. to keep it off the floor, wrapped in plastic away from flooding.
- A data continuity system that details what the business needs to run in terms of operations, finances/accounts supplies and communications.
- Checking that your data backup regime is working and that a very recent copy is stored in a secure place but would be easily and quickly accessible when needed.
- An asset inventory, including photos where possible, of the hardware (workstations, printers, phones, servers etc) for insurance claims after a major disaster.
- Keeping (up to date) documentation that lists all vital components of your IT infrastructure, hardware and software, and a sequence of what needs to be done to resume business operations with them.
- Photos showing that the hardware was in use by employees and that care had been taken to minimise risk e.g. items were off the floor (e.g. to avoid flood damage).
- A supplier communication and service restoration plan so that you quickly restore services and key supplies after the disaster.
- Details of a secondary location where your business could operate from if your primary location was too badly damaged in a disaster.
- Details of the testing, optimisation and automation of your plan to ensure that it could be implemented quickly, as easily as possible and free from human error.
Putting the pieces together
The basic difference between a backup and disaster recovery, therefore, is that a backup is having a copy of your data and disaster recovery is the whole strategy to recover your business operations and essential IT environment in the event of a serious event e.g. cyber-attack, equipment failure, fire or flood.
Creating a DRP involves completing a risk assessment and business impact analysis in order to identify critical applications and services and it is from here that your business can then create its own tailored RTOs and RPOs which in turn will link to your backup strategy and cycles.
Backups are essential files that enable a full restore and as such are an important element of ongoing good practice and of your DRP, and your backup should relate strongly to the underlying strategy of disaster recovery.
One thing is certain about backup and disaster recovery which is that having no plan for either is planning to fail.