Broken backups: Why backup alone isn’t enough to ensure business continuity

null

Many organizations feel that they can sleep easy at night when faced with the prospect of an unexpected IT disaster, just because they’ve conducted a backup of their data at some point in the past. However, this false confidence might not be justified. This attitude can sometimes lead to serious data loss, potentially resulting in millions in lost revenues. 

For large enterprises, the smallest amount of downtime can have serious monetary consequences, averaging thousands of pounds per minute. Gartner’s ‘Downtime Cost Calculator for Data Centre Disaster Recovery Planning’ tool places the cost at around $5,600 per minute on average. Though data breaches are by no means the only way a company can lose data, the cost of downtime can clearly have a significant impact. 

Sources of Data Loss (Which You Might Have Overlooked)

Cyber-attacks have been one of the highest profile causes of data loss in recent years. In 2018 ransomware, distributed denial of service (DDoS) attacks, and other forms of malware have been a constant threat looming on the corporate horizon, threatening to freeze business operations for weeks at a time. Today’s cyber criminals never sleep and are always finding new ways to cause trouble for businesses.

But not all forms of data loss originate from large scale cyber-attacks. Everything from human error, to natural disaster can lead to data loss or deletions that effect what your business needs for continuity. Though these forms of data loss are less glamorous than large scale cyber-attacks, there are often more common examples of how corporate information gets compromised.

It might not be today or tomorrow, but the odds would indicate that you’re likely to suffer some type of failure in your systems eventually, regardless of the level of care and attention that you invest in safeguarding them. The existence of data loss is very real, but that doesn’t mean you should feel helpless. There are a few fundamental steps that can be taken by your business to minimize any potential damages.

Where to Begin: Changing Your Mindset

Improving your recovery process first depends on changing the way that you think about backup and recovery. This hinges on adhering to two main principles:

  1. Making sure your data is backed up as often as possible
  2. Being able to restore what you’ve backed up at lightening speeds

This might sound easy, but there are several considerations that your business would be wise to keep in mind to avoid disappointment. This starts with taking a step back and deciding which data is most important for business continuity. Then, you need to make sure that this data doesn’t become corrupted. If you’re not one hundred percent sure of your capacity to handle the above, then you’re potentially at risk.

The next step towards getting to grips with backup and recovery processes is to ascertain your company’s recovery time objective (RTO) and recovery point objective (RPO). RTO is a metric that describes how long it takes to restore your backups, while RPO measures the amount of the data that can be lost during the recovery process. If you can tolerate losing 6 hours of data, for example, then you have an RPO of 6 hours.

After you manage to work out what these metrics are for your company, you must then decide what your ‘crown jewels’ are, so you can prioritise which bits of data are most important to getting your business back up and running quickly. This can vary by industry to industry. For example, in retail it’s a must that transactional systems can be restored quickly, but a yet to be completed marketing document can wait a bit longer.

The task hasn’t been made any easier by the rapid changes which have rendered modern IT environments unrecognizable from those of proceeding decades. Companies often have a variety of different hardware and software collected from previous generations, whether this be on-premise, cloud or some type of hybrid solution. Company data is now spread of a variety of different, sometimes hard to co-ordinate devices. What’s more, the rise of mobile working, particularly among internal companies with decentralized operations, has made mobile devices a vital part of what needs to be backed up. These developments can make complexity hard to overcome and can create another obstacle to protecting what needs to be protected.

Re-imagining Backup for Disaster Avoidance

You’d be forgiven for thinking that disaster avoidance is the same as disaster prevention. But although both issues have similarities, they are distinct ideas. Disaster avoidance deals not just with preventing outages entirely, but in making sure that those outages aren’t damaging to business continuity - making the experience feel like a glitch rather than a full-fledged disaster for your stakeholders. This has never been more vital in today’s economy, where unharmonious experiences can seriously damage long-term customer loyalty.

What’s important to remember is that successful disaster avoidance is not something that can be entirely delegated to the IT team, it requires a concerted effort from the entirety of your company. Therefore, it’s critical for the company as a whole to collaborate closely with the IT team. Budgets also need to be considered, as companies often mistakenly devise their planned spending on disaster recovery before accurately estimating the risk of downtime and data loss (which can be costly).

Pre-empting IT disasters

Key to avoiding an IT disaster is being able to bridge the gap between the C-suite and technical teams to secure the funding required for building an effective DRAAS program. This means communicating to senior management that the threat posted by IT interruptions is very real indeed, and that the upfront investment can end up paying dividends many times over in the long term.

Making A Change: Four Moves for A Better Backup Strategy

Every company has different needs when it comes to data recovery, but there are some general steps that can be worthwhile for almost every type of organization, no matter the industry, when it comes to avoiding disaster.

1. Know you risk profile

It vital that business continuity managers understand their companies’ level of risk. Knowing what threats it may face, such as ransomware, and how long the organization can deal with system downtime are both key. Having a clear comprehension of internal and external threats helps identify the systems that are the most important to the business. Managers should identify which of their systems and data are top priorities for recovery and divide them into tiers based on this.

2. Streamline processes and workloads with automation

There’s a reason why automation is becoming so prevalent in the enterprise world. Workload automation can serve to free up large amounts of time for IT teams and reduce the always present threat of human error.

It might be difficult at first, so it’s best to begin with systems that aren’t business critical so that you can iron out any issues before full scale implementation. It’s also vital to ensure that these processes are tested often.

3. Determine which RPOs are business-critical

RPOs won’t necessarily be the same for every area of your business. In audits for example, you may be required to store data going back years into the past, but in other fields data older than a few hours may have little value. What’s crucial is being able to restore the right data when your business gets back to normal, which goes beyond just how long it takes to recover. Therefore, it is of upmost importance that you get your RPOs in line with your operational requirements if you want to avoid serious financial losses.

4. Employ the best emerging technologies to help your team implement their plans

Previously, if you employed a (DRaaS) provider you would need to call them to manually start up your virtual machine in the cloud, which can be a costly process. Today’s customers however can start the fail over process and access the cloud automatically. As DRaaS has improved over the years, RTOs have become much better, creating a solid use case for protecting transactional and near-transactional databases. Often, companies are apprehensive about adopting DRaaS technologies, because they perceive it as being too high cost or difficult to manage – this would be a mistake however. The new wave of DRaaS software can provide RTOs and RPOs of mere minutes and with simple and painless deployments. 

It's vital for companies, no matter what size they are, to recognize that sometimes it’s impossible to avoid certain types of data loss. However, accepting the problem is the first step in being able to fight against it, and safeguard against the potential damage to your company’s reputation and bottom line. Making the initial investment into understanding your risk profile, and protecting your crown jewels, is sure to pay dividends in the future.

Oussama El-Hilali, VP Products at Arcserve

Image Credit: Scyther5 / Shutterstock