Disaster planning in the wake of increased threat vectors

Typically, Disaster Recovery planning involves an analysis of business processes and continuity needs. Before generating a detailed plan, an organisation often performs a business impact analysis (BIA) and risk analysis (RA), and establishes recovery objectives. Industry pundits share their insights and look at a step-by-step plan and the precautions organisations should take to minimise the effects of a disaster.

A Disaster Recovery (DR) plan is a documented, structured approach that describes how an organisation can quickly resume work after an unplanned incident. A DR plan (DRP) is an essential part of a Business Continuity plan (BCP). It is applied to the aspects of an organisation that depend on a functioning IT infrastructure. A DRP aims to help an organisation resolve data loss and recover system functionality so that it can perform in the aftermath of an incident, even if it operates at a minimal level.

The step-by-step plan consists of the precautions to minimise the effects of a disaster so the organisation can continue to operate or quickly resume mission-critical functions.

As cybercrime and security breaches become more sophisticated, it is important for an organisation to define its data recovery and protection strategies. The ability to handle incidents quickly can reduce downtime and minimise both financial and reputational damage. Furthermore, DR plans allow organisations to ensure they meet all compliance requirements, while also providing a clear roadmap to recovery.

Nasser Bostan, Head, Security Sales, Middle East and Africa, BT, said that since the onset of the pandemic, companies, regardless of size and industry or sector, have made changes across virtually all areas of their infrastructure. Bostan said this rapid shift towards more digitally-led processes has seen gaps emerge in their cybersecurity posture.

He said while the cloud has injected organisations with work-from-anywhere capabilities, the more prevalent its use and the more disparate the workforce have become, the more operational risks emerge that directly impact on the efficacy of Disaster Recovery solutions. “Disaster Recovery is no longer just about the data, systems and processes that are in place, but must account for individuals who are accessing the network environment from virtually any device and geographic location,” he said. “This has changed the risk profile of a company that must now treat remote employees as individual network endpoints. Now, more than ever, key organisational data is stored on and accessed from the cloud. In addition to the risks this can create, it also creates confusion about where data is stored, whose responsibility it is to safeguard it and how policies must be updated to reflect the ‘new normal’.”

Muhammad Khaled, Senior Solution Engineer, Middle East, Acronis, said while the COVID-19 pandemic affected people, it also prompted a heavier reliance on technology than ever before: “We may never see anything like COVID-19 again, but the effects on IT will likely be long-lasting. Businesses pivoted almost immediately to remote work and online e-commerce,” he said. “In the case of remote work, business-related devices moved outside of the regular IT infrastructure, creating a whole series of planning scenarios that IT departments may not have previously considered, including but not limited to: maintaining regulatory compliance, backup and recovery of remote devices, protecting the supply chain, changes in documentation, automation and testing, prioritising data, systems and needs, and communications and training.”

Khaled added that each of these considerations needs to be addressed when an organisation is planning its Business Continuity and Disaster Recovery (BCDR).

Bostan said from natural disasters, network intrusions and human error to cybercriminals and other security concerns, the list of potential threats facing an organisation today continues to grow in number, severity and complexity. “The pandemic has been the catalyst for those organisations still undecided about the cloud to embrace Digital Transformation at a rate and scale previously unanticipated,” he said. “However, this means that Disaster Recovery is crucial to ensure that companies can rapidly recover from any potential risk, regardless of its origin. While natural disasters might be a relatively rare occurrence in South Africa, for example, these cannot be ignored completely, especially in areas prone to flooding.”

According to Khaled, the definition of ‘disaster’ is changing. He explained that while power outages, hardware, software failures and human errors are still prevalent, cyberattacks such as ransomware are becoming an increasingly widespread threat to small and medium-size businesses (SMBs). “To recover any data during a ransomware attack, you will need a highly customised DR plan and the right enabling capabilities. Your two-year-old DR plan won’t cut it,” he said. “There are several different Disaster Recovery plans, so choosing the right one for your business can seem daunting. Four primary categories to consider are:

Data centre DR – a separate physical facility located at a safe distance from production systems; Cloud DR – backup and recovery of systems and data, to and from a public cloud; Virtualisation DR – backup and recovery of IT infrastructure to an offsite virtual machine (VM); and DRaaS – a cloud-based solution offered by third-party providers.”

Khaled added that since Disaster Recovery planning is unique to every business, it is imperative to understand available options, flexibility and scalability, and the costs associated with each.

Bostan said becoming more flexible is one of the key learnings from the past 12 months, especially when it comes to Disaster Recovery planning. He added that while this applies to how business leaders think about the new challenges emerging, it is also relevant when talking about infrastructure and the way business is done.

According to Bostan, a Disaster Recovery plan must now incorporate all data touchpoints and be able to cope with its decentralisation. “To this end, a company must understand where its critical data resides and how to manage it tightly while still having the agility to ensure employees can fulfil their job functions regardless of their physical locations,” he said. “It must also factor in the risks to its supply chain when delivering products and services to customers. Any disruption can potentially have significant financial and reputational repercussions on the business.”

Bostan said organisations must regard the likes of Disaster Recovery and Business Continuity as key organisational activities and maintain a comprehensive programme to implement and manage its information systems, business premises, employees, and any other workers. “To this end, the plan must ensure the company can still access key resources to support critical activities while limiting the disruption to business products, services, employees and infrastructure,” he said. “Disaster Recovery and Business Continuity, while each having different focus areas, are two sides of the same coin. Executives cannot ignore either and must put tailored plans in place that reflect the business priorities of the organisation.”

Given that the objective of a Disaster Recovery plan is to ensure that you can respond to a disaster quickly and seamlessly while minimising the risk and cost to your information systems and business operations, it is imperative that restoration is as unified as possible, without causing any downtime.

Khaled said DR is now easier to use and can be rapidly implemented by workload and location. “By tiering your applications and departments by criticality, you can provide different levels of services based on the organisation’s needs.”

With CIOs and their IT teams being urged to go about building their Disaster Recovery plans prudently, it is important that all lines of business are considered when hammering out an encompassing DR strategy.

Khaled said the IT department has long been solely responsible for BCDR and the result has been the development of recovery plans that are indifferent to the needs of the business. “DR planning isn’t just an IT issue. An extended outage can have a devastating effect on a business, so plans must include input from stakeholders in human resources, finance, legal, communications, operations and facilities to be effective,” he noted. “Be sure to include team members from all departments, with a variety of job titles and roles, for a five-step DR plan that should include: assessing business-critical data, systems and applications, designing a schedule of deliverables, testing the efficacy of your plan, managing and maintaining to stay current, and activating when necessary.”

Khaled said not having a Disaster Recovery plan can put an organisation at risk due to data loss. He pointed out that an organisation could experience high financial costs due to downtime, loss of employee productivity, damage to brand reputation and loss of customer or stakeholder trust. “A DR plan helps mitigate these risks by quickly getting back to normal – activating business operations at the right time and in the right order,” he said. “DR isn’t just knowing about technology. Members of a DR team also need to be critical and strategic thinkers with skills in project management and communications – all while remaining calm in a crisis.”

Looking ahead, Bostan said digital will be the way forward for any organisation, but embracing it throughout the business is challenging, especially when it comes to the dearth of cybersecurity and data skills. “With Disaster Recovery teams now requiring these elements in this connected environment, companies must either reskill or upskill their current employees or work with a credible solutions provider with the required industry experience,” he said. “Such a partner is about more than the technology and systems. The ideal service provider is one that also takes the time to understand the human impact of a disaster and how best to take the business forward to overcome the associated challenges.”

That said, Bostan pointed out that IT and digital infrastructure have become the foundation on which business longevity is built, so Disaster Recovery is crucial to ensure that companies can rapidly recover from any potential risk. “Companies must understand where their critical data resides and how to manage it tightly while still having the agility to ensure employees can fulfil their job functions regardless of their physical locations,” he said. “A phased approach becomes critical in structuring the Disaster Recovery plan, providing assurance that critical business processes will continue operating at acceptable levels by focusing on the availability of information and infrastructure.”

Intelligent CIO Middle East