February 1, 2017 by Daren Hanson, Vice President, Sales and Business Development, TeraGo
With the number of threats to data security growing, disaster recovery (DR) planning should be a top priority for businesses to ensure rapid recovery and minimal downtime. Yet, many companies do not even have a plan in place and, of those that do, most are not testing or managing those plans to industry standards.
With data security being a top concern for most organizations, TeraGo partnered with IDC Canada to conduct an evaluation of Canadian businesses and their responses to DR processes.
The survey involved more than 200 Canadian companies representing 20-plus industry aggregations, including business/professional services, manufacturing, financial services, government, retail, communications, healthcare and utilities. No single industry aggregate represented more than 13% of the survey base.
The study found that polled Canadian businesses are not prioritizing DR, and of those that do have a strategy in place, 81% are not testing it to industry standards. The primary international standard for DR and business continuity of IT and communications systems is ISO/IEC 27031, from the International Organization for Standardization and the International Electrotechnical Commission.
COST-BENEFIT ANALYSIS OF DR PLANNING
The Federal Emergency Management Agency (FEMA) in the United States reports that more than 40% of businesses do not reopen after a disaster, and another 25% fail within one year. Not having a DR plan, or not testing it properly, can have critical fallout, including likely financial loss from the following:
With the volume of data growing every year, now more than ever, it is critical for companies of all types to implement a robust DR plan.
EFFECTIVE DR PLANNING
There are eight essential steps to building, implementing and managing a DR plan.
1 DR planning begins with a comprehensive assessment of the threats and dependencies that could have an impact on business operations and data security, including the following different types of failures.
2 Conduct a risk assessment and a business impact analysis (BIA) to fully understand what IT services are necessary to support the company’s critical business activities.
3 Define the recovery time objective (RTO), the amount of time a company can effectively operate with systems down, and the recovery point objective (RPO), the amount of data loss a company can tolerate, for all critical applications. RTOs and RPOs both play a critical part in creating a comprehensive BIA for the DR plan.
4 Identify key infrastructure and assess gaps, especially for mission-critical applications, and prioritize their failover, as well as plan for duplication of critical skills.
5 Define policies and establish which tools are necessary to have on site, off site or with a vendor that can validate the outlined DR procedures.
6 Develop an easy-to-use, repeatable process that covers each step for recovering damaged IT assets and clearly outlines the procedures necessary to recover them and return them to normal operation as soon as possible.
7 Test frequently and simulate various disasters, implementing the plan for all contingencies, including the training of relevant staff members on the processes and procedures in DR scenarios, and outlining who does what, when and how.
8 Document time-to-remediation for all elements of IT infrastructure so that the potential impact of downtime can be mitigated at all times.
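As an added illustration of steps 3 and 8 (this script is not part of the original article), the following Python check compares a constructed inventory of critical applications against their RTO and RPO, using the time-to-remediation measured in each application's last restore test and a quarterly test cadence; every application name and figure below is made up.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class CriticalApp:
    """One application from the BIA, with its objectives and last test result."""
    name: str
    rto_hours: float               # recovery time objective (step 3)
    rpo_hours: float               # recovery point objective (step 3)
    backup_interval_hours: float   # how often a restorable copy is taken
    last_test: date                # date of the last operational restore test
    measured_restore_hours: float  # time-to-remediation observed in that test (step 8)


# Quarterly testing, approximated here as 91 days (assumed value).
TEST_CADENCE_DAYS = 91


def check_app(app: CriticalApp, today: date) -> list:
    """Return a list of findings; an empty list means the app meets its objectives."""
    findings = []
    # A backup taken less often than the RPO cannot bound data loss to the RPO.
    if app.backup_interval_hours > app.rpo_hours:
        findings.append(f"RPO breach: backups every {app.backup_interval_hours}h "
                        f"exceed RPO of {app.rpo_hours}h")
    # The measured restore time is the evidence that the RTO is achievable.
    if app.measured_restore_hours > app.rto_hours:
        findings.append(f"RTO breach: last restore took {app.measured_restore_hours}h, "
                        f"RTO is {app.rto_hours}h")
    # An untested plan is not a verified plan.
    if (today - app.last_test).days > TEST_CADENCE_DAYS:
        findings.append(f"test overdue: last tested {app.last_test.isoformat()}")
    return findings


def audit(apps: list, today: date) -> dict:
    """Map each application name to its findings."""
    return {app.name: check_app(app, today) for app in apps}


# Constructed sample inventory (hypothetical applications, not real data).
SAMPLE_APPS = [
    CriticalApp("claims-portal", 4, 1, 0.5, date(2017, 1, 10), 3),
    CriticalApp("policy-db", 8, 1, 24, date(2016, 6, 1), 12),
]


def sample_audit() -> dict:
    """Run the audit on the sample inventory as of a fixed date."""
    return audit(SAMPLE_APPS, date(2017, 2, 1))


if __name__ == "__main__":
    for name, findings in sample_audit().items():
        print(name, "OK" if not findings else findings)
```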
TESTING THE DR PLAN
Just as important as having a DR plan is testing it regularly to determine its efficiency and effectiveness. The aforementioned study found that 81% of polled Canadian businesses are not testing their DR plan to industry standards.
ISO/IEC 27031’s testing objectives include building confidence throughout the organization that the DR plan will satisfy business requirements; demonstrating that the critical systems can be recovered/restored to agreed service levels; providing staff with an opportunity to exercise the DR plan and its execution, including hands-on training; and verifying that DR plans and the DR environment are properly synchronized with the production environment and the business.
In line with the aforementioned testing objectives, there are three recommended approaches to testing:
The test scenarios should be exercised at different intervals and are ideally introduced randomly to obtain a more accurate sense of the organization’s state of readiness and preparedness. Industry best practice defines regular testing as quarterly, though walkthroughs should be done whenever staff changes.
It is usually sufficient to conduct operational tests once a year, depending on the organization’s risk profile.
DR TESTING CHALLENGES AND SOLUTIONS
Regular DR testing requires a significant amount of resources, which many companies are hesitant to commit. Not only is there a time commitment, but there is also the logistical cost of organizing and executing DR testing, as well as the productivity cost of diverting staff time and effort away from other priority projects.
A lack of human resources is often where organizations fall short. In fact, 36% of surveyed businesses admitted that they do not have enough qualified staff to implement a DR plan successfully.
To overcome these challenges, organizations should first define their risk profile by conducting a full audit and cost-benefit analysis. This will determine the organization’s risk appetite and the most effective and efficient plan based on that assessment.
Next, breaking the testing down into smaller exercises avoids the difficulty of testing the whole set of DR plan elements and processes in one test exercise. Finally, consider using a managed service provider to outsource the test to a third party, thereby allowing the core business team to concentrate on operating the business while the provider deals with any technical difficulties.
DR PLANNING FOR THE INSURANCE INDUSTRY
For insurance companies that are in the business of helping people through disasters, having a robust DR plan is paramount. Insurance companies have an obligation to their clients to be available when disaster strikes, so they must be fully functioning regardless of extenuating circumstances.
The implications of downed systems, data loss or being unable to service customers in their time of need could not only damage their reputations but also impede their responses to policyholders and their ability to satisfy the requirements of provincial and federal regulators.
A robust DR strategy, though perhaps not explicitly regulated, is a critical adjunct to an insurance company’s overall risk management and governance strategy.
THE BOTTOM LINE
Disaster recovery planning is critical in this globally connected environment. Canadian companies need a robust data recovery plan to protect data critical to their business operations, including their customers’ private personal data, or risk financial loss.
When developing a DR strategy that will hold up against internal and external threats, a company needs to consider budgets, senior management’s tolerance for risk and industry-specific regulatory obligations.
An advisor can help to strategize, develop, test, manage and execute the plan, while also assisting in minimizing business disruption.