Don’t Miss These Critical Details Of A Disaster Recovery Plan

Disaster recovery is risky business, but the trickiest part of dealing with risk will likely occur before an actual disaster strikes.

  • November 18, 2021 | Author: Rich Castagna

Disaster recovery is risky business, but the trickiest part of dealing with risk will likely occur before an actual disaster strikes and recovery efforts begin. The risky business is, of course, the up-front work that must be done to understand the type and scope of disaster recovery plan that an organization will require. 

In a perfect world, that effort will yield the ideal recovery time objectives (RTO) and recovery point objectives (RPO), effectively the insurance plan that will set the bar for a successful recovery and resumption of business. Acronym refresher: RTO defines the ideal time it would take to get systems up and running with access to their data after a catastrophic event, and RPO describes the point to which systems and data can be rolled back.

A risk analysis study is still the foundation of a disaster recovery plan: it identifies the systems that need to be recovered first (and fast!) to get the client’s core business operations back on track. This is largely a tiering exercise where, after determining the critical apps and data, the remaining hardware and software systems are classified as either “needed back online in a few days or so” or able to remain offline even longer.

You also must figure out what the actual risks are and how likely they are to occur, including both natural and manmade disasters. For example, if a business is located in Florida, you can probably rule out earthquakes as likely disasters, but hurricanes and tropical storms would be at the top of the list. And if your customer’s operations require maintaining a lot of personal information about its customers or clients, ransomware attacks and security breaches may represent the paramount risks.

And given recent events, supply chain partners should also be considered. In its 2022 Predictions report, Forrester Research pointed out that “In 2022, 60 percent of security incidents will involve third parties.”

The bottom line of the analysis should be a set of RTOs and RPOs that are reasonably achievable and meet the client’s needs to keep the business on track. It should be understood by all parties that lower RTOs and RPOs typically come at a cost, whether the disaster recovery apparatus is in-house or contracted to a cloud DRaaS provider. So RTO/RPO in the context of available budget may be the determining factor.

Customers need to understand that recovering access to data in only minutes via a DRaaS arrangement may only be the first step to getting the business up and running, and that a drawn-out recovery can have serious ill effects. In its BCI Horizon Scan Report 2020: An examination of the risk landscape for resilience professionals, the Business Continuity Institute notes that 69.3 percent of surveyed companies reported a “loss of productivity,” while 42.8 percent said a disaster event had a “negative impact on staff morale/wellbeing.”

These losses and impacts can be lessened if the customer conducts tests of their DRaaS backup plan and data emergency plans. A plan to regularly test different recovery scenarios will go a long way to exposing any gaps in knowledge, and it gives data staff a chance to become comfortable with data recovery plans in a non-emergency scenario.

MSPs can help themselves and their clients a good deal by encouraging frequent data recovery testing, so that when attacks happen, the right plans, technology and people are in place to ensure uptime and business continuity.
