“Sooner or later, everyone will understand the virtue of having a backup, some before a data disaster strikes, and the rest after.” –T.E. Ronneberg
Today, losing your information is certain for individuals and organizations.
According to a 2015 Data Breach Investigations Report by Verizon:
A small data breach of 100 lost records, costs an organization on average between $18,120 to $35,730. It could rise to $555,660. For a larger breach of 100 million records, an average cost is between $5 million and $15.6 million for an organization. The maximum could rise as high as $200 million.
Comparing backups, disaster recovery, and business continuity
Business leaders often get confused about backups, disaster recovery (DR) and business continuity (BC) planning until after a disaster happens.
A backup strategy requires having a copy of your data. Backups are done daily and weekly to ensure a duplicate copy of your files are in one place. If you lose a file on your computer, the easiest solution is to restore the files to your computer from the most recent backup. Backups are useful for immediate access to a file that needs to be restored in the same environment.
Disaster Recovery is a process used to rebuild or resume operations in an organization after a disruptive event occurs. Disaster recovery needs an RTO (Recovery Time Objective) and the RPO (Recovery Point Objective). The RTO is the expected duration of time and service level in which a business process must be restored after a disaster. The RPO is defined by business continuity planning – the maximum targeted period that data could be lost or destroyed because of a disaster or breach.
Unlike backups, disaster recovery requires a separate production environment where all data resides. The most important question to periodically ask is,
“Will the DR plan work?”
The main goal of a disaster recovery plan is to assist an organization in having business continuity and minimizing damage, data loss and productivity.
Business continuity refers to the activities necessary to keep the organizations running for small and large disruptions up and including a natural disaster. A business continuity plan is the set of procedures to follow in the event on an emergency or disaster to minimize disruption.
Business continuity (BC) and disaster recovery (DR) go hand in hand and are usually referred to as a BC/DR plan with cooperation and collaboration between business and IT departments.
7 tips will help your company’s disaster recovery plan succeed.
1. Follow the Backup 3-2-1 Rule
Hanselman on his blog says for a computer backup to succeed in all disaster cases, the Backup Rule of Three (also known as the Backup 3-2-1 rule) must be followed. It requires that three copies of any piece of data exist on two different storage media with one of those being offsite.
* Three copies of anything information that is important to you. Two is insufficient.
* Two different storage media for storing your information. Examples include Hard Drive + Memory Stick, Dropbox + DVDs, cloud backup storage service + CD.
* One off-site backup. If your house burns down or there is a burglary, all your information is gone. Backing up data on a hard drive that is located beside your computer is also not an adequate backup.
At the minimum, backup everything weekly to two physical backup devices. This includes phones, tablets, and cameras.
2. Establish a BC/DR dedicated team with assigned roles and responsibility
Key staff members in business, IT and other relevant departments should be involved in creating the disaster recovery plan. Staff should be able to perform the failover at both the organization’s primary site and the recovery site. The BC/DR team must have support from the executive management team.
3. Test your BC/DR plan works
BC/DR teams must have practice test sessions to check the plan works. With every test, shortcomings are observed that may relate to hardware, dependencies, and applications that need resolution.
After each test, the organization’s performance must be measured for clarity around predicting RTO (Recovery Time Objective) and predictable site recovery times. The objective of testing is to continuously improve by identifying gaps and weaknesses.
4. Update and review the plan often
Disaster recovery plans often fail because changes happen but are not documented properly. For example, the production and recovery parameters and configurations will change as applications, hardware, and staff change. The BC/DR coordinator should facilitate all plan owners correctly update the document.
5. Consult experts on BC/DR best practices, strategy and implementation
It is important to explore resources in Business Continuity through websites, forums, magazines and trade shows to learn what is relevant and a priority for your organization. Some examples of the online resource are the BCI Forum, BCI Standards, The Business Continuity Institute, Disaster Recovery Journal, and DRI International. Taking courses and certification is also an option for those that want to become expert practitioners.
6. One-size fits all for DR does not work
It is not good practice to try to make all application fit into on DR approach. For example, all data may not need disk-to-disk replication over distance, disk-to-disk mirroring, and continuous data replication via snapshots or other technique. In some cases, tape backup for certain data is more cost effective and reliable compared to using disks for everything.
7. Don’t backup everything
Data is not equal. While some data changes frequently, about 40-70% is read-only and does not change. Read-only data should be moved to archive storage. The other 30% of data requires frequent backup or replication. If only 30% of data is backed up and replicated, the solution would be less expensive with cast recovery times.
The biggest concern for any organization is to effectively design and execute is a DR/BC plan in a cost effective and non-complex manner. The cost of doing nothing and delaying selecting the right team with buy-in from senior management is too big a risk today.