Plugging the holes in your BC/DR plan

By Joanne Carew, ITWeb Cape-based contributor.
Johannesburg, 15 Jul 2019
Hemant Harie, MD at Gabsten Technologies.

The business case for having a business continuity and disaster recovery (BC/DR) plan is quite simple – uptime guarantees productivity. Without it, organisations can’t deliver their services. Should a disaster strike, having a documented strategy ensures that all stakeholders know what they’re supposed to be doing, notes Byron Horn-Botha, Arcserve’s lead for channel and partnerships. From making sure that you’re protecting the right material, to highlighting flaws and inefficiencies, creating a well thought-out plan means that you can very quickly identify what works and what doesn’t, he adds.

For Brian Pinnock, cyber security expert at Mimecast, three key elements make up any robust BC/DR plan. Firstly, it’s important to have an easy-to-use archiving solution that is sleek, intuitive, requires minimal training and can automate as much of the data classification needed for e-discovery as possible. Secondly, he continues, security is a must to protect important data and support your broader cyber resilience strategy. Finally, speed is everything. Not only in terms of how quickly business-critical systems and access to email/documents can be restored, but also how quickly users can get to the information they need upon restoring systems to a pre-incident state.

The missing links

So how do you check if your plan is sufficient? The experts agree that it all comes down to testing, testing, testing, especially around unplanned or unscheduled simulations, advises Andrew Cruise, MD of Routed.

Don’t just document your plan and then wait until something goes wrong, notes Iniel Dreyer, MD of DMP SA. Collaboration between business and IT is often forgotten when it comes to compiling BC and DR plans and there’s often a disconnect between what is documented and the processes that are actually followed, he says. This is typically because a consulting firm comes in and helps the business put together their plan. They then write up all the documentation and leave. This may tick the boxes for auditors, but if you don’t run tests on your own, it’s highly likely that your plan will never actually be implemented should there be a disaster. In line with this, Dreyer believes that your BC/DR plan should be revised on a regular basis so that changes in technology and business processes can be considered, otherwise, when disaster strikes, the business won’t be able to recover.

During BC/DR tests, businesses generally have their ‘A-team’ in the room to ensure everything works, notes Trent Odgers, cloud and hosting manager for Southern Africa at Veeam. But the A-team might be at a conference or on leave at the time of a disaster. As part of your testing, it may be a good idea for your A-team to run the tests and plan the first phase to be sure everything runs smoothly. That plan should then be given to people who were not involved in these tests. If the plan is still a success, you know your continuity and recovery processes are sound. Tests are also an important part of compliance. In the past, BC/DR was about ensuring key stakeholders sleep better at night. But now, businesses are required to test their BC/DR plans and show that they’ve tested them in order to meet regulatory requirements.

BC and DR: understanding the difference

Business continuity is about keeping essential parts of a business running during a disaster, says Andrew Cruise from Routed. Disaster recovery, on the other hand, is about restoring all business functionality following a disaster. Certainly, there are elements of each plan (in particular the IT parts) that overlap, but, typically, business continuity addresses minor disasters (disk failure, power blackouts), whereas disaster recovery must also cover major failures (fire, theft, terrorism).

In running through the pieces of your plan, you can easily identify what may be missing, which gives business leaders greater peace of mind, says Heidi Weyers, Redstor’s GM of sales in SA. Because time is critical following an incident, testing also allows everyone to gain a realistic idea of how short or long the planned steps may take to execute. 

Testing isn’t just about putting the technology through its paces, adds Odgers. Most companies forget the people part of the business when they develop their plans. The IT side has become much easier to manage when there’s a plan in place and the right technology is being used. The people aspect of the conversations is all about connecting the dots – the who, what, how, when and where is often overlooked. Hemant Harie, MD at Gabsten Technologies, agrees. Yes, the IT department is in charge of managing technology, but they need to see the bigger picture if they want to do so successfully. Today, your IT team has to manage the people and processes that affect the technology; it is thus critical that business units provide IT teams with concise and up-to-date information so that they can make informed decisions.

Maybe this sounds obvious, but one must have a working, isolated recovery environment for true BC/DR, says Cruise. Having a backup is not enough, especially if it can’t be brought up in good time and perform as it should.

Drills are crucial for executives and staff, and for your crisis response team, adds Pinnock. These rehearsals – some announced, some not – develop preparedness and identify areas that need more attention. “Simulations give us a safe space to go through the motions and see how it feels when we’re under attack or facing any other crisis. After each drill, do a performance analysis to understand how your plans and processes worked (or didn’t) and to see how employees reacted under realistic conditions.”

The dreaded load-shedding

With reliable power in short supply, outages in South Africa have become common and have increased over time, laments Harie. If you’re considering including an alternate power source in your BC/DR strategies, ensure that the size of this investment is driven by business requirements and your level of dependence on systems and data accessibility.

Dragan Petkovic, security product leader for ECEMEA at Oracle, believes that an Uninterruptible Power Supply (UPS) network is mandatory in areas where electricity supply isn’t reliable and uptime is a must. In the event that disruptions are more regular and occur for longer periods of time, alternative energy sources will be required. Advanced batteries, super capacitors and solar cells will surely make it into power continuity architectures, and in extreme cases, self-reliance will be required with fossil fuel generators, he adds.

The case for cyber insurance

With breaches becoming increasingly prevalent, it makes sense to cover your bases, says Byron Horn-Botha from Arcserve. Having preventative measures in place for when disaster strikes is an absolute necessity.

Insurance not only provides availability for the business, but also gives the board confidence that they’re well prepared, says Veeam’s Trent Odgers. Many South African insurers have started offering cyber liability solutions because of the increase in malicious attacks. This is especially important as the Protection of Personal Information Act, SA’s Cybercrimes and Cybersecurity bills, as well as the General Data Protection Regulation in Europe put complex compliance requirements at the door of businesses. Failure to adequately protect data can result in significant financial and reputational damage, in addition to potential fines and other associated costs.

Cyber crime affects everyone. No business is safe, according to Iniel Dreyer from DMP SA. The reputational aspect of not being able to conduct business, as well as public liability, are realities if businesses cannot trade because of a cyber attack. Cyber insurance may not bring customer confidence back, but it can mitigate some of the expenses involved and assist businesses to recover.

Fragile power supply makes cloud computing an attractive business continuity solution, notes Aaron Thornton, MD at Dial a Nerd. SMEs, in particular, should maximise this option. With cloud, it becomes someone else’s problem to keep the systems running and the data secure.

The traditional model of maintaining a secondary fully equipped site as part of your disaster recovery strategy is fast becoming outdated given the expense involved, and the electricity supply issues only exacerbate this, adds Dreyer. DR as a Service has become an attractive option to address the issue of unstable power. This approach not only ensures your DR is always available, it also reduces expenses and protects data.

All too often, businesses only dedicate the required time and resources to their BC/DR plans after they’ve had a disaster, an incident that has already cost them intellectual property, data and valuable revenue, says Thornton. In essence, it’s the lack of any proactive thinking and strategies that can turn any brand from a winner into a disaster or cyber-crime statistic. Technology evolves, and people come and go, so all plans need to be updated regularly, says Redstor’s Weyers.

While digital transformation has resulted in technology effectively running businesses, the reality is that the IT department can’t make decisions without business input, Dreyer says. The entire business needs to collaborate when it comes to drawing up BC/DR plans. “If BC and DR are compiled in isolation, your plan may not fit in with broader business needs.”
