You may have heard the terms Business Continuity and Disaster Recovery used seemingly interchangeably, however there are some important differences. A DR Plan covers how each business application or essential IT service would be recovered or access maintained during a crisis. Business Continuity Planning is a much wider discussion and is not limited to IT. It looks at the bigger picture & includes contingencies around buildings, people, utilities and other aspects of the supply chain.
When we think of IT, we are usually talking about building a Disaster Recovery Plan, which forms part of a wider Business Continuity Plan. Typically, the type of scenarios considered are major disasters that involve a total loss of a business’s server or hosting platform, for example a fire, earthquake, or power cut affecting a business’s office or their primary datacentre. Often however, a total loss of the business’s systems is not what occurs. As we have all recently found out with COVID-19, the ability for all staff to be able to work remotely for a prolonged period is something that needs to be well-thought through!
Common Pitfalls to Watch Out For
Remote access strategy is not well-thought though or fully tested.
How did your business fare when Alert Level 4 was announced, and large portions of your workforce were suddenly required to work remotely? Most businesses would have had several methods of remote access in place, for example, VPN, Citrix or Remote Desktop, or some or all applications being cloud hosted. What we have seen however, is that the remote access solution was often something of an afterthought. Many SMB’s were caught without suitable remote devices for all staff, devices that were not set up correctly and tested, or staff unaware of how to connect remotely. Another common problem has been the solution not being able to cope with the load, for example a Remote Desktop Server farm without enough capacity for all staff to use it concurrently, or a lack of available VPN licenses.
Not fully testing server failover scenarios or failing to test at all.
Full end-to-end DR testing is important as it uncovers all sorts of weird and wonderful issues that you may never have otherwise thought of. It also tests all the little interdependencies and other technical things that tie everything together. At CodeBlue, we usually take a pragmatic, staged approach to this, as comprehensive testing requires investment and can involve risk.
Overlooking cloud hosted applications or making assumptions about their uptime and backup SLA’s.
We find it is a common misconception that cloud services such as Microsoft Azure and Office 365, for example, will ‘never go down’. While these services have excellent SLA’s and a prolonged outage is unlikely, it is important to consider what would happen if one should occur, and plan accordingly. As an example, in Azure there is a great optional feature called Azure Site Recovery (ASR) which allows for a failover from Microsoft’s Sydney datacentre to Melbourne or vice versa in the event of a major incident. However, you need to check that this been turned on in your environment, as well as tested.
Not reviewing, testing and regularly updating the DR, and wider BCP plan to account for changes in the business.
I usually recommend an annual DR and BCP review. This takes into account changes in staffing (increase in number of users), the deployment of a new application across the business, or the deployment of new server and network infrastructure, or end user devices.
How to Prepare – Our Approach
Understand your business processes.
Identify all key business processes, and the applications & systems that support these. Then work on a per application basis – it is not a one size fits all approach when it comes to DR.
Work out your acceptable downtime & data loss.
Define these on a per application basis. What is appropriate in terms of protection and investment in DR for your key ERP application is unlikely appropriate for an application that is a ‘nice to have’, such as a meeting room booking system.
Consider the alternatives.
Cloud hosting such as Infrastructure-as-a-Service (IaaS) & Software-as-a-Service (SaaS) can play a role, as well as potentially also insurance. For the average SMB these options may be more economical than trying to build a robust, gold plated DR solution from scratch.
Implement a documented DR plan, which forms part of your wider BCP plan.
Revisit it regularly and keep it up-to-date!
Most importantly – test, then test again!
This verifies things will work as expected under various scenarios, uncovers potential issues and ensures the relevant staff understand what to do in the event of a disaster.