The role IT plays in DR and BC
What is business continuity?
Business Continuity (BC) summarises the plans you have in place, and the actions that you take when your business faces disruption that makes it difficult – or impossible – to operate under normal circumstances. It ensures that you can continue to operate, even when faced with adverse events, and get back to full capacity and access as quickly as possible.
You’ll depend on business continuity infrastructure to protect your operations from the following situations:
- Severe weather such as flooding or storms
- Natural disasters
- Theft or vandalism
- Electrical or gas failure, especially if you have machinery
- Internet or IT connectivity outage
- Hardware or software failure
- Data loss
- Cyberattack, including ransomware and viruses
- Strike or attendance issues
As you can see from the above, business continuity planning and actions cover a wide range of disruptions, some more easily manageable than others. The technology infrastructure and systems aspects of business continuity are called Disaster Recovery (DR), and are deployed with the intention of getting systems, software and applications back up and running.
Depending on your business, the term “Disaster Recovery” may mean something different. For example, if you’re a manufacturer and a key piece of machinery malfunctions, you would quite rightly class this as a disaster, and get to work restoring full functionality.
In technical terms, DR is concerned with IT infrastructure and systems. The knock-on effects of a technology failure may in turn cause critical “non-IT” equipment to become unavailable and of course, this is a priority to fix.
As we’ll discuss later in this article, depending on the scale of a company’s “disaster” and their operational requirements, DR measures may kick in immediately or come into play later down the line (for example, in the event of fire or machinery failure).
What is disaster recovery?
DR is the planning, processes and technology you deploy to recover IT and connectivity following a “disaster” – here defined as an event that causes disruption or an inability to operate to full (or in any) capacity. It helps a business to maintain or quickly resume mission-critical IT, with the ultimate goal being to minimise impact on operability, revenue and reputation.
DR versus BC versus backup
DR sits within the umbrella term of BC. It’s often mistaken for BC which is the all-encompassing plan including DR and the processes that surround it. DR measures only deal with the technology infrastructure aspects of disruption and is one part of a wider strategy to protect a business from long-term or permanent damage. Depending on your type of business, other continuity issues will take priority.
For example, if you’re a manufacturer and a key machine breaks down and an engineer is unable to fix it for 3 days, a cloud server won’t solve your woes. Yes, office teams can complete a degree of work connected to the server. But new orders are unable to be fulfilled and a knock-on effect will inevitably cause a costly backlog.
Or, you could be an ecommerce retailer whose product is stored for dispatch at a fulfilment centre. If the centre is broken into and your product is stolen, you may be able to notify customers. order replacements and make insurance arrangements, but you can’t make any money in the meantime.
Perhaps a marketing agency is cyber attacked, and its server is infected with ransomware. Staff can continue working by connecting to a failover server, but a lengthy process may follow with banks and insurance companies to regain full capacity.
As BC is often confused with DR, DR is often confused with “backup”. Backup is simply the process of making duplicates of data and applications, stored either on a second server or in the cloud. Backup can be configured to meet business needs, such as cycles and how data will be restored.
Why is DR so important for business
Today, almost every business relies on fully functioning IT to operate as usual. As digital transformation enters its advanced stages and integration becomes commonplace, dependency is only set to grow. We all need connected IT to be successful but if an unprepared business is struck by disaster, these same IT systems that help us prosper could be the root cause of catastrophic damage.
Take these stats. In 2019 alone, 60% of UK companies were victims of successful cyberattack. Average losses related to incidents were £283,000. Without disaster recovery processes and technology, companies will face either temporary or permanent data loss and systems outages, leaving them unable to operate or make money. Tight data protection regulations also mean that hefty fines may follow.
The same consequences apply should a business be affected by any other disaster, such as hardware or software failure, theft, fire or major connectivity issues.
Considering that approximately 30% of disaster recovery plans fail and that 35% of companies experiencing failure lose temporary access to at least one business critical application, having a watertight plan is fundamental to operational continuity. Ask yourself; how long would your business survive without its IT? Are you in a strong position to mitigate this risk?
Typical DR metrics
Having Disaster Recovery in place gives IT managers and business leaders peace of mind that their infrastructure is protected 24/7. Every successful DR plan implements four key metrics:
Failover: Transfers data, apps and software to a secondary IT system, typically in a different location to account for fire, flood etc. This means that you can operate in some capacity, if only on a “skeleton system”
Failback: Returns data, apps and software to the original system following restoration. An effect failback process will ensure that no data is lost and operations resume seamlessly
Restore time objective: The big question of how long you can continue without IT. RTO references the amount of downtime your business can predictably manage
Restore point objective: This is the guideline you set for the maximum time that data can be lost. In short, it’s the update cycle set on your backup solution, i.e. every hour, every day etc.
Disaster Recovery typically involves a bespoke set of control measures designed to mitigate threats to business IT. DR control measures are typically classified as:
- Preventive measures – Prevent the threat from occurring.
- Detective measures –Detect and discover the threat.
- Corrective measures – Fix the threat if it does occur.
A comprehensive risk assessment is undertaken to detect every possible threat and disaster before control measures are put in place to mitigate risks. Some key terms that you’ll frequently hear when updating or implementing a DR plan are:
|High availability systems||Corrective|
|Backups to tape and disk||Corrective|
|Fire prevention/mitigation systems||Preventive/Detective/Corrective/td>|
|Wireless network access||Corrective|
A quick DR dictionary
Cold site DR – A basic space set up for IT infrastructure. With some site preparation, business operations can resume from here.
Hot site DR – Essentially a cold site, but better prepared and doesn’t need additional prep for a workforce to start using it.
Split Site – When IT departments and infrastructure is spread across multiple locations.
One site can help the other resume operations if backup has been implemented properly,
Virtual DR/Virtualisation – Data and apps are regularly backed up to a cloud-based virtual environment. the event of a disaster, data can be restored quickly.
Disaster Recovery as a Service (DRaaS) – An end-to-end service provided externally. It’s ideal for businesses without the time or expertise to scope, configure and test effective DR.
The role IT plays in DR
You can achieve a disaster recovery solution through on-premise, remote data centre or fully cloud-based infrastructure. A chosen solution will be dependent on industry, risk and operational needs, and it’s always worth speaking with an expert to develop a comprehensive understanding of business functions and essential continuity and disaster recovery requirements.
Today, when IT infrastructure is increasingly complex and faces unrelenting threats, many businesses choose to implement their DR through the DRaaS (Disaster Recovery as a Service) model. These are your most common options:
This model ensures that all corners are covered, and that your maintenance and operating responsibilities are minimal.
DRaaS is commonly pay-as-you-go too, meaning that you only pay for what you use but still benefit from having specialist management should the worst happen. Basically, you get to focus on your core business with the peace of mind that people are working in the background to keep your IT available.
DR technology is physically hosted and operated using local infrastructure and on-premise servers. Data is accessible without internet access but the chances of permanently losing data in the event of a disaster is significantly higher, which can undermine the whole point of DR.
On-premise DR (or at least some aspects of it) is preferred by companies who absolutely cannot afford to go offline – such as manufacturers.
3. Remote data centre:
Data centre DR uses hardware systems within a data centre, often managed by a service provider from a secure location. Data, apps and files are backed up using a DR software interface – similarly to cloud systems – but due to LAN (local area network) connections, reliable connectivity over large distances is a major challenge and scalability can be slow.
However, between shorter distances, the direct access from LAN and physical storage make backup, access and recovery faster. Remote data centre DR is a great option for companies needing robust security and the quickest possible complete recovery.
4. Cloud based:
Cloud-based DR works by replacing traditionally physical DR control measures with cloud-based applications. For example, instead of building an on-site secondary server, this could be a cloud-based virtual server. Cloud DR is popular due to its scalability, pay-as-you-go options, reliability and from-anywhere access to data and apps. It also allows for backup across multiple data centres for maximum resilience in the event of failure or cyberattack.
But an internet connection is required to resume operations and restore to full capacity. In some circumstances this may be challenging and delay recovery but cloud is still the preferred DR method for the majority of today’s IT.
The above methods can be configured to meet your RTO and RPO criteria and failover/failback requirements. K3 always recommends that at least a proportion of your DR solution is cloud based, particularly backup and failover procedures.
What DR technology do you need
Before implementing any DR technologies, you must create a plan. DR and BC are all about planning. A strong plan will ensure that DR becomes an effective BC solution and not just a series of actions taken to restore IT in a very siloed fashion.
Looking at how technology contributes to business operations, representatives from across the business should lay out processes that are triggered in the event of a failure. This plan should also include likely threat sources, a continuity analysis, success metrics, responsible owners and testing schedules. We recommend drafting in expert assistance to complete this work.
When these factors have been identified, you can build a DR and BC solution that fits business needs and ensures that you can operate and service customers with minimal disruption. Ideally, your customers will be none the wiser that a disaster has occurred!
The plan may lead to implementations in the following areas:
- Hardware and break/fix
- Network and connectivity
- Helpdesk support
The degrees of disaster
As mentioned earlier, DR may not always be the top priority if your business faces an adverse event. For example, in the case of fire, physical recovery and safety of people is of paramount importance – way ahead of restoring IT. Depending on event type, industry and severity, DR will come into play at different stages and only parts of the plan may be executed.
Here are a few examples to illustrate our point. These are hypothetical generalisations and only a tony snapshot of the actions companies in similar situations may face.
Turning a DR plan into a BC solution
It’s worth asking yourself the following questions about your current DR provision:
- Is a continuity analysis completed regularly?
- Is a disaster recovery plan in place?
- Can your business be fully operational 48 hours after a disaster?
- Do you have any cloud-based DR measures?
- Is disaster recovery technology in place?
- Is a disaster recovery plan tested regularly?
The first step to building a DR and BC plan is a consultancy session with a specialist. This service will assist you in documenting, building and deploying a business continuity and disaster recovery plan. If you’re concerned about how long you’d last without IT – and how you’d cope in the aftermath of a disaster – speak to a K3 consultant.