The following is a guest article from Dr. Cindy LaChapelle, principal consultant at ISG.
A large-scale natural disaster like a hurricane, earthquake or flood may lead to hardware failure, network outage or a total shutdown of facilities.
Without a comprehensive disaster recovery plan in place, a company may risk a business shutdown during the time it takes to recover access to critical systems, suffer millions of dollars in losses and alienate hard-won customers. Or, in the extreme case, companies could be forced to shutter forever.
A well-planned and regularly tested business continuity and disaster recovery strategy goes way beyond the traditional DR plan, which is often created by a committee with great fanfare and expense, then put in a drawer and revisited once a year for an update. In the worst-case scenario, plans are not looked at until disaster strikes.
There is only one thing worse than not having a disaster recovery plan, and that's having an ineffective and outdated plan that leads to a false sense of security.
Common disaster recovery misconceptions
Creating an effective DR strategy starts with understanding what it is, what it's not and what people think works but really doesn't.
First of all, many organizations believe that simply backing up data and storing it off-site is enough. Backup by itself is not disaster recovery, which has a much broader scope that includes backing up not only data files, but entire systems.
Organizations also have to ensure that those data and systems are readily accessible and recoverable at any time, and that the protocols, procedures and processes of day-to-day business can be easily and quickly replicated in the event of disaster.
Another major misconception is that DR is for catastrophic events like hurricanes or other natural disasters. But a wide range of less dramatic, but no less devastating, events can trigger a DR plan — including hardware failures, network outages, security breaches or human error.
The "fallacy of direct control" has become a big problem in disaster recovery today, especially as cloud solutions become far more effective than the alternative. The belief that if you can touch it and control it, it is better and more effective, is false.
In fact, cloud-based data centers with DR facilities are far better equipped, far better staffed and have far better equipment in more locations.
Even cloud solutions, however, need to be architected, tested and vetted to ensure the right level of availability and redundancy is factored into the solution, as many businesses discovered when AWS suffered an outage earlier this year.
An extended ecosystem
The days of doing it all in-house are over, and even small companies often have global footprints with multiple partners and suppliers.
Increased reliance on a global service delivery chain and the cloud — even for smaller or mid-size businesses — has forced companies to re-evaluate how they approach disaster recovery planning.
This extended ecosystem delivers great reach and advantage but may make a company susceptible to natural disasters halfway around the world.
That older, in-house mentality may have created an illusion of control — but efficiency, cost-effectiveness and access to services that may be unavailable or unaffordable locally have created a new mandate for going outside one's own corporate walls.
The new normal of an extended ecosystem has created new concerns, not the least of which is making sure that not only are your own disaster recovery protocols adequate and compliant, but that the protocols of each partner are as well.
Disaster recovery in the cloud
Outdated disaster recovery methods that involve physical backup stored in a vault, or even in an off-site location, are nowhere near as effective as a cloud-based DR system, which is not only more affordable but more accessible and effective.
The server virtualization that is commonly offered by cloud data centers enhances the modern DR plan, allowing for faster recovery time objectives.
Internally maintaining backup and recovery servers is a bit like serving as one's own lawyer in court — it's best left to the professionals.
Those data centers typically have the highest-end equipment, the best-trained specialists and, often, multiple physical locations, offering a DR system that would be far too costly for many organizations to try to duplicate on their own.
Modern DR is never one-and-done
A written disaster recovery plan, a system for regular backups and maybe even access to an alternative office space are never enough. The most important part of a DR plan is continuous testing and frequently re-visiting the plan for possible updates.
Over time, software and systems used as part of a static plan may become outdated. Protocols put into writing were created by people who are no longer with the company.
Even small changes could potentially make processes non-functional. Regular testing is essential to allow the DR plan to be predictable and reliable. Fortunately, this testing can be more easily automated when DR is done with a cloud-based system.
Only about 60% of organizations in a recent survey have a documented DR plan in place, and just 40% test those plans annually. Only those respondents who use cloud-based systems expressed more confidence.
New business requirements constantly evolve
In addition to the availability of superior cloud-based systems, other factors have come into play in this new imperative.
Greater compliance regulations and retention requirements force companies to ensure that data is not only backed up but can also be easily restored under any circumstance.
E-discovery requests, which often come with legal time limits, have become more common, and failure to comply with such requests may put a company in legal jeopardy. Judges will not accept "we can't access it" as a response.
Alongside incorporating these new realities comes an imperative for ongoing testing and updating of the DR plan, so that disaster recovery solutions can evolve as business requirements change.
Rapid growth of a company's extended ecosystem, as well as the rapid explosion of data that even smaller companies store, requires constant revisiting and redesigning of the backup and DR system so that as the business evolves, the DR system evolves along with it.