Richard Nelson, senior technical consultant at Probrand
One of the biggest challenges facing organisations today is the ability to monitor and mitigate cyber security threats, with 39% of UK businesses suffering an attack in 2022. There are several steps organisations can take to minimise the risk, such as implementing multi-factor authentication and regular employee training. While these are all crucial cornerstones, they should only make up part of the defence. When approaching any security strategy, businesses should think of it like an onion – made from layers that support each other and act as a barrier should one fail. Some of those layers might be dedicated to preventing an attack from happening – but it’s just as important that you’re paying attention to backup and recovery.
Nobody wants to be subject to a security breach. But, as the statistics show, it’s no longer just something that happens to someone else. And the risks aren’t just financial. Having to tell customers that you can’t meet your commitments because your systems are down has huge consequences for your reputation and repeat business. To avoid a possibly fatal situation, it’s crucial that any disaster recovery system enables you to keep the business running, recover any vital data or sensitive information as quickly as possible, and prevent any further damage being caused.
When planning your disaster recovery strategy, it’s important to consider a variety of factors. The first step is to map your infrastructure. Where are your applications? Where’s your data? What are the key priorities and which elements are business critical? Next, review the inventory of your IT systems and define Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) for each. These will be different to those that you have defined for backup systems, where only individual data elements need recovery.
Once these questions are answered, you’ll be in a much stronger position to explore what option is right for you. Some will prefer an on-premises approach, replicating applications and data to a secondary location that they control. This requires integrated replication of data, and standby hardware to deliver resources should you need them – and a good deal of logical and physical segregation between the two sites.
However, an air-gapped backup and disaster recovery solution is a far more robust and secure way to ensure your data remains safe. An air gapped approach means there is no direct route from the core network to where the backup and disaster recovery is held, with no credentials shared between the two locations or systems. This ensures that, should the core network be compromised, any attackers can’t jump across to the backup site.
Another increasingly popular approach is DR-as-a-Service (DRaaS). Under this option, the requirement to run your own Disaster Recovery hardware is eliminated. Instead, the cloud steps in to provide the resources needed to store a replica of your applications and data, as well as providing the resources necessary to run those systems should the worst happen. This cloud-driven approach helps to eliminate much of the cost and complexity surrounding Disaster Recovery and removes many of the headaches associated with keeping production and Disaster Recovery environments in sync.
Much like an insurance policy, DRaaS is managed as an operational expense. It removes the worry of needing to source, install and maintain a secondary data centre, allowing you to take advantage of a third party’s buying power and scalability. You also gain support and advice from experts, who have experience handling this type of event and can assist with any data recovery efforts, reducing downtime and keeping disruption to a minimum.
There are several reasons why an organisation may still want to keep sensitive data on their own equipment. But for everything else, a cloud-based solution allows for a level of flexibility that the alternative cannot. The co-location of your own data centre, be it on your own premises or in a third party’s shared facility, requires organisations to estimate the resources they will require, and from this, commit to a certain location for an agreed length of time.
Choosing the DRaaS option doesn’t mean you can completely divorce yourself of any responsibility, however. Whatever approach you’ve opted for, it’s vital that you are regularly testing its capabilities. After all, you wouldn’t install a fire alarm and then never test it – why should disaster recovery be any different? Ideally, businesses should aim to carry out regular tests every 2-3 months, or when there’s a change in the senior management team. The idea is to enact a ‘disaster’ scenario in order to see if the system is up to scratch and whether it’s going to leave the business – and its customers – experiencing downtime for a day, a week or even longer. This is also a good way to identify any processes that need tightening up. Did everyone know who to inform and in what order for example? This is where a playbook can be incredibly helpful.
By following some of these steps, you can get one step closer to ensuring your business is able to preserve its sensitive data and critical systems. You’ll also be able to recover faster and protect your reputation in the process. In turn, this has the potential to save your business time and money – and allow you to stay focused on your core responsibilities and the key tasks that are helping to improve business performance.