By Neil Clegg, Technical Director at GCI
Here’s a shocking statistic: 70% of businesses hit by ransomware paid the amount demanded. While that is typically £300-£500 per organisation, you can see how this adds up to a lucrative pastime for cybercriminals. And of course, we don’t know how many of the businesses that paid up actually received the decryption keys, or even had further demands for money.
At GCI we have a saying – “it’s only a disaster if you haven’t got a plan.” It’s preferable to go through the inconvenience of restoring your business-critical data compared to losing it altogether, particularly when it’s sensitive customer or financial information. But cultivating your Disaster Recovery strategy can be tricky if the responsibility seems overwhelming or even if you just don’t know where to start. Read on to discover the five easy steps you need to take to build your DR plan.
The first step is to take stock of your company’s IT assets and important business procedures, as well as mapping the dependencies on these. Your important business processes will be the IT-related actions that are critical for your company to stay operational, and will differ from business to business depending on what kind of company you are. For instance, an e-commerce business would doubtless make keeping their website running a top priority. Other processes could include email or billing systems. Be sure not to rush this step—the rest of the planning process depends on it.
Once all your assets and procedures have been identified, your next task is to assign each one to a Tier, dependent on how reliant you are on it. A helpful method of doing this (as well as an important piece of information to know) is to estimate the real cost of any downtime of these, as it should help you to prioritise.
- Tier 1: business-critical applications and systems that provide the most value
- Tier 2: processes of medium importance
- Tier 3: low priority
Once this is done, you need to give each tier a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO) – or, to put it another way you need to decide both the acceptable interval of time between the last backup and the disaster event (24 hours? 48 hours? Less?), and the maximum amount of time this restoration should take before it causes an insupportable amount of disruption. The below diagram might help you to get a clearer idea:
The tangible costs of a downtime-inducing disaster are very real and for some they can be devastating, so you need to be honest with yourself about the effect on your business that it could have. Consider the knock-on effects for your customers too, and document the potential costs of not fulfilling any orders or meeting agreements.
Because not all businesses are the same, once you have the essential information to hand it’s important to customise your Disaster Recovery plan. You will have to decide the order in which certain business operations should be restored in the event of an interruption based on the dependencies, Tiers and RPOs/RTOs that you have recently identified. This is where the actual plan really comes together, and should be meticulous – don’t be tempted to rush it! Everything should be inventoried and mapped, so gather floor plans, utility diagrams, system configurations and every other relevant bit of information that will help in forming the plan. Stakeholders should also be identified, and each assigned their set of responsibilities.
Your customisation should also take into consideration the likelihood of various threats and how the response might be different for each; for example, human error would require a far different recovery plan than if, say there was a flood or a fire. There is no right or wrong way of customising as long as the result is a defined plan that can be followed to the letter to ensure the continuity of your critical systems after disaster strikes However you choose to customise your DR plan – and I can’t stress this next point enough – make sure you test it thoroughly. You don’t want to wait until after a disaster to discover your plan is missing a critical piece.
As I’ve said throughout this piece, no two businesses will have identical recovery needs, but something that every company will have in common is the need for more than one copy of their data backups. Consider a blended plan consisting of virtual, on- and offsite solutions to ensure that even if your primary backup fails, you will have a plan C. Secure Cloud backup is essential and keeps your data offsite and separate from any physical calamity, but an additional backup in an alternative datacentre ensures that any disaster affecting your primary backup won’t affect your second copy. In the same way, a mix of Cloud and on-premise backup can work well for large datasets, and can sometimes offer faster recovery capability in cases where the damage is more virtual than physical.
This is such an important step that it bears repeating – test your DR strategy regularly! In addition, don’t be afraid to tweak if necessary; as your business and systems evolve over time, so will your Disaster Recovery needs. And whatever you do, don’t become one of some 40% of companies that admit to only testing their DR plans annually! We would recommend you test your Disaster Recovery plan at least once a quarter.
Your next step…
So you have a robust, comprehensive DR strategy – great! If you’ve carefully followed the steps above you should have a plan that will save you time, money and a lot of stress in the event of a disaster. Now you need a reliable IT partner to help you execute it. Choose one with an offering that has impressive security features and, if necessary, can meet all your compliance needs (e.g. if a regulatory body requires you store your backups within the UK). At GCI, we’re so impressed by EVault from backup and DR experts Carbonite that it powers our own backup and DR offering, SecureVault. It’s a service that provides secure, affordable backup to our Private Cloud Platform, which not only operates to ISO9001 and ISO27001 standards but is housed in Vodafone’s highly-resilient and secure Tier 3 datacentre.
SecureVault Cloud Backup is also available in four tiers – Bronze, Silver, Gold and Platinum – depending on your requirement, with entry-level DR included at no extra charge with the Silver package upwards. There is even a unique hybrid service, SecureVault On-Premise, for large workloads unsuitable for a traditional Cloud environment. We also take the time to listen to you, and if you need us to we will use our 25 years of experience to help you define a disaster recovery strategy that will work for you when it matters most.
Want to know more?
Email us at email@example.com to discuss your backup and DR requirements further.