The lack of understanding around data protection presents a serious barrier to proper planning. Some organizations fail to adequately plan simply because they do not realize its importance. Others do not feel that the danger justifies the effort. The lack of a plan presents the greatest danger of all. This article helps you to paint a fuller picture of the risks that a disaster recovery strategy can mitigate.
Negative Attitudes Toward Disaster Recovery Planning
No one has conducted in-depth studies into the behaviors and attitudes around disaster planning. We do not know what percentage of organizations minimize or even skip this critical component. Most importantly, we do not conclusively know why system designers tend to reduce the importance of disaster recovery.
We do have common anecdotes from individuals who have worked with companies to plan for or recover from disasters. Some frequently cited reasons:
Success breeds a success mentality
The longer an organization survives without experiencing a catastrophe, the less its members believe in the possibility of it occurring. As is true for humanity in general, few people tend to strongly consider emergencies until one strikes.
Generally, businesses perform infrastructure computing and storage deployments in bulk. They purchase and install several components all at once. In the case of clusters and replicated storage devices, they may have no other options.
Usually, planners design the functional portions first, then add in the protection schemes. As the capital expenditure sum climbs, the willpower to spend tends to decline. As cloud-style subscription pricing gains popularity, the same behavior shifts to operational expense. Providers show a handful of attractive pricing options upfront, but as you check “optional” boxes, the value proposition loses appeal.
Just as with bulk purchases, each add-on prompts questions of what the organization can live without.
Building and implementing a proper disaster recovery strategy requires time. Much of it requires the involvement of principals and senior staff. They may feel that they have better ways to allot their time than sitting in meetings and filling out questionnaires to prepare for an event that might never occur. They may also feel that their technology teams should focus on other endeavors.
Frequently, a backup plan does exist but falls short of organizational needs. Taking a nightly backup certainly grants better protection than doing nothing at all, but that cannot represent the entire strategy.
Even in today’s world of ubiquitous technology, few people understand the differences between the datacenter and the desktop, or between a server in your own datacenter and one located in a public cloud. Consumers rarely back up their personal computers or devices. They simply do not comprehend the risks. Without an experienced guide, they tend to underestimate the hazards.
In most cases, improper planning results from innocent ignorance and naiveté. However, not everyone will have the organization’s best interests in mind. A consultant might try to win a contract by providing a cheap solution with little or no backup functionality.
A less-than-scrupulous business manager might decide to check that important “underbudget” box by skimping on backup. Or, a well-meaning principal might adopt a “let’s deal with that later when we have a little more money” stance – but later never comes.
As you work on your disaster recovery plan, keep all of these things in mind. Because backup and disaster recovery have no immediate benefit, you will almost certainly face resistance. You need to remain prepared to answer “why” at any time. The next section can help.
Assessing the Risks That Necessitate a Disaster Recovery Strategy
If you study computer security, you will have heard of “threat modeling”. Essentially, it means that security experts first identify potential threats. They can use that list to predict the extent of possible damage from an attack. That in turn helps them to design a clear strategy for defense and mitigation. You can use a similar approach to building backup and disaster recovery systems.
In the case of disaster recovery, the risks consist of a superset of the security threat model. Malicious actors pose one kind of threat out of many. You also must worry about hardware failures, natural disasters, and human error.
With each risk, you must consider its possible impact. What are the ramifications if an attacker steals data? What would happen to the organization if a failed storage system caused complete data loss? What are your prospects if a flood makes your entire building unusable? What if someone deletes a critical e-mail, placing your organization in a legally vulnerable position? Each danger type presents a unique challenge for every organization.
At this point, you may only be able to draft a cursory idea of your risks. A proper assessment includes a detailed analysis. However, in all but the smallest companies, these investigations need more than one person. At this stage, you only need enough to make a solid case for spending time and capital on designing and creating a comprehensive backup and disaster recovery solution.
A List of Common Risks
- Data theft
- Physical theft
- Malicious digital attacks
- Rogue insiders
- Social instability
- Power failures
- Natural disaster
- Departure (or worse) of critical staff
Take some time to research risks particular to your industry. You may not add anything to the list, but you might need to adjust its priorities. For instance, if your organization creates software, then “intellectual property theft” will feature prominently. If you transport commodities, then physical threats will rank higher. This might be the point at which you create and present the business case for undertaking disaster recovery planning. If you need more material, then perform preliminary work on some or all of the other items in the checklist.
Determining Key Stakeholders
Depending on your organization’s size and your position within it, you may not have the authority or knowledge to conduct a deeper investigation on your own. Whatever your role, start with what you consider important. If you’re a systems administrator, you may think of your e-mails or files.
If you have an operational position, you might think of your equipment or inventory. If you handle sales, your mind might dwell on your book of business. To define a fuller plan, you need to adopt a more holistic evaluation.
To gain the necessary perspective, you will likely need the approval of your organization’s executives. Properly analyzing risk requires time and attention. In the absence of an obvious threat or recent catastrophe, you will likely struggle to move this phase of the plan along. Even people who understand the risks tend to consider it a low-priority task.
Set a goal of getting the appropriate people involved in the conversation and ensure that they have sufficient motivation and opportunity to participate.
To start the conversation, use an informal approach. Start asking things like, “Which people would know the most about our risk profile?” and, “Who has the best knowledge of what we need to protect?” Expect to need input from:
- Executives or principals
- Head and leads of IT
- Key stakeholders – these vary greatly between organizations. It might mean department heads or product owners or individuals in major roles
- Intellectual property creators and proprietors
With a starting list of names, you have options: individual interviews, forms, or group meetings. You may eventually use all these things, but you will likely find that brainstorming meetings will get you the farthest in the beginning. However, the risk discovery task neatly connects with several of the following activities. Therefore, you will likely want to read ahead before scheduling anything.
Every organization has at least one antagonist. For-profit companies have the most obvious: their competitors. Even without a profit motive, the most altruistic charity is formed to handle a problem. Effectively working toward a goal requires a plan. Therefore, everyone should understand the value of strategy. Bring this mentality to your disaster recovery planning.
Of course, you do not need to use the term “war gaming” if it is inappropriate for your audience, industry, or organization. Try out terms such as “threat response simulation” or “disaster exercise”. Whatever you call it, you do need to distinguish this type of activity.
First, do not stop at simple hypotheses. For example, your threat model could list “malicious hack attempts”. A war gaming exercise might flesh out a scenario in which a competitor had successfully compromised a firewall, found an old password repository on an unprotected file share, and was actively deleting your orders database.
The story that you concoct does not matter much – do you have any competitors that would do such a thing? – but could draw more interest and involvement than bland bullet points.
However, the components do matter: unpatched equipment, misplaced sensitive data, improperly secured resources, and unrotated passwords exist in greater numbers than anyone wants to admit. Instead of pretending that they don’t or that you can perfectly fix them all with simple determination, sketch out several “what if?” scenarios.
Second, war gaming involves actual activity. This chapter focuses on identification and prioritization, so we will revisit this later. As a quick introduction, your organization’s teams must practice dealing with problems.
Account for that in your plans. While you may choose to focus such efforts on IT and other teams that will handle the bulk of event responses, don’t forget that the people who use the systems will need some idea of what to do and could use the practice as well.
Bringing the concept of war gaming to disaster recovery will also help to highlight the indispensable part that your backup systems play in your organization’s overall data security posture. Sometimes, and notably in the case of ransomware, your best option is to wipe out some or all of your production environment completely.
Your path back looks remarkably like what you would do if those systems burned in a fire or shattered in an earthquake.
Meetings and discussions about risk will inevitably cover the vital portions of your organization’s systems. As you outline your exposure, you can take the opportunity to rank your assets. Most disaster recovery plans will encompass everything, but even in the best cases, restoration takes time.
For now, do concern yourself with the rebuild order. Focus on mission-critical applications – what does the organization need for minimal operation?
At this phase, organize your priority list at its highest level. For example, instead of making line items that make sense to administrators, such as “customer database”, use business-oriented labels such as “ERP system”. You can work out the technical details later. Things will necessarily look different once you translate this list into an implementation document.
As you build up this list, ensure that everyone involved remembers that top priority belongs to the systems that your organization requires for operational performance. Try to avoid using terms like “critical”, as not everyone will agree on the definition, and sometimes, you can function for a while without a crucial system.
As an example, consider a company that transports freight. No one can dispute the importance of keeping the electronic customer record system available, but can the operation continue without that longer than it can continue without the system that maintains contact with delivery and pickup drivers?
The question to ask of every system: “What is the business impact of an outage?” For now, you may need to keep those answers short.
Microsoft 365 and Other Cloud-Based Products
Cloud products have taken an enormous burden from datacenter administrators. Vendors assume the responsibility of securing, delivering, and updating servers, software, and underlying hardware.
Thoroughly investigate every solution you utilize or contemplate. At Hornetsecurity, our unwavering commitment to customers is evident, and we provide the following quartet of services tailored for Microsoft 365 users:
365 Total Protection – delivers complete security for Microsoft cloud services, designed exclusively for Microsoft 365. It is seamlessly integrated and offers easy setup and intuitive use, streamlining your IT security management. 365 Total Protection is the all-in-one protection suite for Microsoft 365 security, backup and compliance.
365 Total Protection Enterprise Backup – help safeguard your Microsoft 365 from phishing, ransomware, advanced threats, and data loss using 365 Total Protection Enterprise Backup. This distinctive cloud-based suite combines security and backup.
365 Total Backup – with 365 Total Backup, access a full backup and recovery solution for Microsoft 365 mailboxes, Teams Chats, OneDrive for Business, SharePoint libraries, and endpoints. Effortlessly set up, manage, and restore your company’s Microsoft 365 data with its user-friendly configuration and multi-tenant management capabilities. It is automatic and hassle-free.
365 Total Protection Compliance & Awareness – 365 Total Protection Compliance and Awareness is the 4th plan in the 365 Total Protection Suite. It covers all aspects of an organization’s Microsoft 365 security management and data protection: email security, backup and recovery, compliance, permission management, and security awareness. Features can be managed via one central cloud-based console. The solution protects your company’s digital environment, improves end-customer trust, and guarantees business continuity.
365 Permission Manager – effortlessly oversee Microsoft 365 permissions, ensure compliance policies and track violations using our user-friendly GRC service. It facilitates real-time collaboration and remote work access to business data from anywhere. While working with tools and constructing data infrastructure is straightforward, permission management can be intricate and risky. That’s where 365 Permission Manager steps in.
Widen the Search for Essential Data
Meetings alone will not uncover everything that you need to protect. They serve as a starting point for the attendees. They will need to look within their departments. To complete the data protection model, key staff in each department must create a thorough inventory.
The search should not restrict itself to digital assets. Your organization may predate the advent of digital record keeping, or it may fall under the purview of regulations that require physical copies. Business continuity and disaster recovery will mean protecting those items as well.
Legal and Compliance
Amidst all the doom and gloom talk of fires and security breaches, backup has its mundane purposes. Many organizations fall within the scope of regulatory agencies and industry commissions. Some organizations, such as health care institutions, must abide by rules specific to them. Laws range so widely that almost everyone that gathers data probably has some requirement to keep it.
In most cases, regulators or commission representatives can show up unannounced and demand to examine your data. You will need to prove that you can retrieve data from any point within the regulated time frame. Internal and contracted auditors may do the same to prepare you for compliance verification.
Even if you have no reason to fear mandated reviews, no one has a guaranteed way to avoid civil action. Surviving a lawsuit may depend on your ability to retrieve a specific e-mail or document.
Wrapping up Risks and Priorities
Business continuity and disaster recovery both mean working through and after major problems, regardless of how they occur. Smaller events need different responses. For instance, you might need to restore a single database after an accidental deletion. So, you need to know how an accidental (or malicious) deletion might happen.
As you and your colleagues work through the discovery phase, you might find mitigation strategies that allow you to reduce exposure to your unique risks. Where possible, choose prevention over response. You will not remove many items from your list of concerns, but take every advantage that you can.
Be mindful of course-altering events. For instance, if your organization centers on physical products in a warehouse, and a disaster annihilates the facility and all its contents, then you probably won’t concern yourself as much with a pickup scheduling application.
As your risk and priority models take shape, you will naturally build up an idea for the tolerances and expectations that you have in your disaster and data recovery planning. You might be able to define all of those in the same meetings. However, they often require a more detailed examination of the supporting systems. Department managers may need to break to gather input from daily operators.
What are the consequences of data loss to a company?
Aside from regulatory compliance costs, lawsuit costs, and lost productivity, data loss can lead to expanded costs in the short to medium term, making day-to-day operations more costly and significantly affecting a company’s growth and profitability.
How do you manage data loss risk?
- Back up your files;
- Protect your hardware;
- Educate your employees about data leakage;
- Keep your computer clean;
- Apply antivirus and anti-malware software;
- Ensure sensitive data is encrypted;
- Keep software patches up-to-date;
- Develop robust security policies for devices and endpoints.
What would happen if data is lost?
Data loss can disrupt productivity timelines and potentially lead to customer loss if associated with security breaches. When sensitive data is hijacked or compromised, your company must inform clients, causing you to lose their trust and respect.