crestelina

Why the disaster recovery plan should no longer be considered an option for your business.

The causes of incidents on the information system infrastructure can be diverse: hardware failure, software failure, backup failure, cyber attack, human error, natural disaster, etc. But there is a way to prepare for them: the disaster recovery plan.

One in three companies has already experienced an incident or failure that required the initiation of a disaster recovery plan (Evolve IP study, 2015). As Evolve IP indicates, it is not a question of knowing whether or not a company's information system will one day encounter a disaster, but rather knowing when it will occur.

And when it does, will the business be prepared to deal with it?

Due to the proliferation of computer networks, companies must now build data protection strategies that also take into account potential attacks and frequent intrusions on information systems (ransomware, cryptolocker, phishing, etc.). The emergence of a market for solutions designed to combat cyber attacks clearly reflects this problem, which has become a major issue for many companies.

In 2017, these cyber attacks should no longer be considered as epiphenomena in the activity of a company.

However, 54% of organizations surveyed during the Evolve IP study would spend less than $50,000 per year implementing a disaster recovery or business continuity plan. This statistic tells us that the effort companies make to safeguard their digital assets remains low compared with what a total or partial loss of data can cost an organization.

What risks does a business run without a disaster recovery plan in the face of a disaster?

93% of companies that lost their data or access to it for 10 days or more went bankrupt within a year of the disaster.

This data reported by Continuity Central can be scary, but it concretely indicates the short-term consequence of a disruption of activity or discontinuity of services of a company.

So, what are the risks to which a company is exposed if it has not drawn up a business recovery plan or has not at least started thinking in this direction?

THE IMPACTS OF A LOSS ON THE COMPANY

The effects felt will first of all be operational and functional. If no measures exist to restore services, teams can be directly impacted in their work (downtime of machines, servers, network access, etc.), internal and external communication tools may be unusable, etc.

Quite quickly, the company's pulse slows down and its activity, as well as its visibility, can disappear from the radar of its suppliers, partners, customers and prospects. In other words, the shorter the “invisibility period”, the less negative the impact will be for the company. From a commercial and financial point of view, this can lead to losses on sales or the signing of contracts. But it is also the loss of customers, or even of market share that can be observed. The shorter the sales cycle specific to the company's business model, the more immediate the losses from a business perspective will be.

Let's imagine for a moment that the Amazon web platform is no longer accessible for 1 hour of high traffic.

To put this in perspective, on Monday, December 8, 2014, Amazon recorded a record number of more than 1 million packages shipped in one day from the France distribution network. We can assume that an hour of service unavailability during that day would have strongly impacted Amazon's financial income.

Conversely, with an average to long sales cycle, the business is likely to experience fewer direct losses. It will then be up to the company to restore its services as quickly as possible.

However, this could have other impacts, such as on the image and reputation of the company or on the confidence of partners. A marketplace, an online payment system, a hotel room reservation platform could see some of the users moving towards new providers or communicating negatively against the failing service.

How to prepare in anticipation of a disaster on the activity of your organization?

Although the response has multiple components depending on the types of disasters, their scope and the structure of the organization affected, it is imperative to build a business recovery plan upstream, that is to say a plan for recovering data and reactivating lost services, which will be tested and proven before it is put into action on the day of the disaster. The objective for a company will therefore be to set up a business recovery plan, which ideally should be coupled with a business continuity plan.

During the process of developing the disaster recovery plan, it will be mandatory to identify the business activities considered to be critical, to interview those responsible for each activity, to detect the probable origin of future disasters, to define the human and material needs that will support the implementation of the plan, to estimate the costs related to the realization and execution of the recovery plan, etc. These criteria are numerous; understanding them and collecting them precisely will help all the actors concerned to initiate and carry out the IT recovery plan.

11 STEPS TO FOLLOW TO PROPERLY DOCUMENT AN IT PRA

Whether the IT PRA (plan de reprise d'activité, the disaster recovery plan) is built on a standby site, in a datacenter or in the Cloud on virtualized IT resources, a logical and well-documented approach must be adopted to ensure the performance of an IT disaster recovery plan.

As a guide, here are 11 preliminary and essential steps to keep in mind when building a business recovery plan for your company:

  1. Perform an audit of all the risks of possible failures on the information system and identify the probable causes: hardware failure, software failure, cyberattack, power cuts, fire, natural disaster, human error, etc.
  2. Detect and assess each risk to identify business applications that will not be able to operate in degraded mode. It is therefore necessary to understand and measure the fault tolerance of the entire information system.
  3. Define the criticality of the application environments and the backup and replication as well as restoration needs that must apply. The RTO (Recovery Time Objective) and RPO (Recovery Point Objective) must be defined here.
  4. Provide automatic backups at a frequency corresponding to the needs of the organization.
  5. Carry out “crisis management”, that is to say assign roles and tasks to specific people who will be responsible for intervening when the time comes. In other words, you have to organize and mobilize your teams to act effectively during the disaster.
  6. Define priorities and a cost of resumption of activity: evaluate the thresholds of unavailability of services and prioritize them in order to define the cost of putting the infrastructure back into service. In some cases, activity must be able to resume in less than a minute; the synchronous environments this requires will quickly increase costs, for example.
  7. Define the choice of backup and recovery equipment as well as the budget that will be devoted to it. You should know that the simple duplication of the existing equipment on a remote site may not be sufficient depending on the case. The choice of equipment is therefore important if it is to bear the load when services are put back into operation.
  8. Regularly test the disaster recovery plan: although the cost of an IT PRA test is substantial, it is imperative to regularly assess its reliability at least twice a year.
  9. Update the business recovery plan according to the changes made to the information system: since a company's IS is constantly evolving, it is essential to carry these changes over to the IT PRA initially built in order to ensure its reliability.
  10. Document the PRA precisely: it is necessary to encourage feedback from the actors who guarantee the reliability of the PRA by documenting it precisely. The sharing of knowledge of the IS will directly impact the performance of an IT PRA. Thus, the test phases and the failure reports must be systematically documented, which is often not the case.
  11. Take into account the regulatory constraints with which certain types of organizations must comply in the execution of their activities.
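
Steps 3, 4 and 8 lend themselves to an automated check. The following Python is an added example, not part of the original article: it compares an application inventory against its RPO, its RTO and the twice-yearly test rule. The application names, objectives and timestamps are constructed for illustration, and the 183-day test interval is an assumed reading of "twice a year".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

TEST_INTERVAL = timedelta(days=183)  # assumption: "twice a year" (step 8)

@dataclass
class App:
    name: str
    rpo: timedelta                         # step 3: maximum tolerable data loss
    rto: timedelta                         # step 3: maximum tolerable downtime
    backup_every: timedelta                # step 4: configured backup frequency
    last_backup: datetime                  # newest restorable backup
    last_test: Optional[datetime]          # step 8: last recovery test, None if never run
    measured_restore: Optional[timedelta]  # restore time observed during that test

def audit(app: App, now: datetime) -> List[str]:
    """Return the gaps between an application's recovery objectives and reality."""
    gaps = []
    if app.backup_every > app.rpo:
        gaps.append("backup frequency cannot meet RPO")
    if now - app.last_backup > app.rpo:
        gaps.append("newest backup is older than RPO")
    if app.last_test is None or app.measured_restore is None:
        gaps.append("recovery never tested")
    else:
        if now - app.last_test > TEST_INTERVAL:
            gaps.append("last recovery test is over six months old")
        if app.measured_restore > app.rto:
            gaps.append("measured restore time exceeds RTO")
    return gaps

# Constructed sample inventory (hypothetical applications and values).
NOW = datetime(2017, 6, 1, 12, 0)
M, H, D = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)
INVENTORY = [
    App("billing-db", 15 * M, 1 * H, 5 * M, NOW - 4 * M, NOW - 40 * D, 35 * M),
    App("file-share", 4 * H, 8 * H, 24 * H, NOW - 20 * H, NOW - 300 * D, 10 * H),
    App("intranet", 24 * H, 48 * H, 12 * H, NOW - 30 * H, None, None),
]

def report(now: datetime = NOW) -> dict:
    """Map each application name to its list of gaps (empty list means compliant)."""
    return {app.name: audit(app, now) for app in INVENTORY}

if __name__ == "__main__":
    for name, gaps in report().items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Fed from real backup job logs and restore-test records, the same comparison shows which applications would miss their objectives before a disaster does.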

What criteria should be retained for maintaining a reliable and efficient business recovery plan in your company?

Each company advances differently in its strategy for safeguarding and protecting its digital data. Some already have a PRA associated with a PCA (plan de continuité d'activité, the business continuity plan); others have initiated preliminary procedures with specialized service providers or are simply evaluating the relevance of a PRA / PCA for their organization.

Among these stages of advancement around an IT PRA project, certain questions must be raised upstream:

• What scope can a service provider cover in carrying out an IT PRA?
• What elements must be taken care of by the service provider and recorded in the disaster recovery plan contract?
• In the event of a breakdown, what are the guarantees of recovering services and data, and within what timeframe?
• How will the service provider be able to detect possible future risks, and how will it alert the company?

Whether we are talking about a disaster recovery plan on site or in a data center, the transparency of information and the nature of the communications between the service provider and the company are essential to the conduct of a successful PRA. The quality of the disaster recovery plan will also be based on the ability of a technical team to regularly question the reliability of its infrastructure throughout the duration of the contract.