Crash testing your business

Blog by: David Griffiths, Managing Director, Adept4 - 06-Dec-2017

How will your business cope when disaster strikes? Perhaps an employee opens a phishing email and your systems are gripped by malware or ransomware. Perhaps there’s an internet outage causing systems to go down. Perhaps you lose access to your office or data centre.

Or perhaps it’s simply a system failure due to low disk space. Maybe it’s not a disaster at all that disrupts your business but a planned move to new office premises.   

In every case, the imperative is to resume operations as quickly as possible, and that means bringing systems back online in order of their priority to the business. Speed of recovery is everything. But a full restore could cost you unnecessary delays when what is required is business continuity. It pays to sequence recovery so that the most mission-critical data and operations are brought back online first, enabling the business to function.

It’s this invocation process that distinguishes Disaster Recovery from Back-up. Disaster Recovery (DR) focuses on your business-critical systems and maps these to business processes to ensure that there’s a clear sequence of events that will determine how recovery is invoked. But where DR also differs is in its ability to measure that recovery time. 

The test of time 

There are two key measurements associated with DR. The first is the Recovery Time Objective (RTO), used to determine the time during which business processes are to be restored in order to avoid adversely impacting the business (essentially, the time between the event and recovery). The second is the Recovery Point Objective (RPO), the tolerance level of time during which it is acceptable to lose connectivity. Depending on the sensitivity of the business, that tolerance may number in the minutes, with the Beaming survey[1] suggesting more than 1 in 10 businesses will begin to lose money immediately.

Metrics provide us with the ability not just to measure DR but to prove it, and this provides the business with a valuable source of information it can use to its advantage. If you can prove the resilience of your business, you can increase confidence in your reliability. Businesses that are able to prove DR can use it for:

  • Third parties – meet the demands of partners and suppliers seeking assurances of maximum downtime in order to limit their own exposure/losses
  • Security purposes – assure customers that you will honour minimum downtimes or compensate them accordingly
  • Insurance purposes – prove resilience in the event of various attack scenarios enabling the business to benefit from lower premiums
  • Compliance purposes – accurately meet compliance requirements and fulfil e-discovery requests that often come with set time limits 

To meet the requirements of these parties, the organisation needs to regularly test its DR capability to show that systems continue to meet the stated RTO/RPO times.

Both backups and DR have always had a level of “fingers crossed” when it comes to recovery. Historically it would require the organisation to implement a full Test DR Invocation project to gain the confidence that the service is reliable. On-demand, anytime DR testing allows you to explore what would happen if only part of the infrastructure failed, how you could quarantine and clean systems in the event of a ransomware attack, or how you would access the data needed to continue to conduct Business as Usual (BAU).

Crash testing your business

So how often should you crash test your business? A recent survey[2] found that only 16 percent tested their DR once a month, 26 percent once a quarter, 25 percent once a year and 26 percent infrequently. A worrying 7 percent never tested at all. In our experience, the window tends to be between six months and a year, which is simply too wide. While it’s true the number of times you test the system will depend upon the risk appetite of the business, it’s generally advisable to test at least every quarter.

Businesses don’t test their DR as often as they should for a variety of reasons. Responsibility often falls on one individual and testing is seen as a low priority. It may also be onerous and complex, particularly if the organisation is using an on-premise or second-site DR solution, requiring them to physically visit the site. Or testing may be seen as nearly as disruptive as an outage itself because it interrupts business processes or causes loss of access.

DR-as-a-Service (DRaaS) eradicates these issues. Number one, it is non-disruptive, so there is no impact to the business, with tests scheduled to focus on systems when loads are light or even out of working hours. There’s no need for a second site location, with system and data access coordinated via the cloud providing extremely fast synchronisation to prevent data loss. Plus, cost is substantially reduced because there is no longer the need to invest in additional hardware or dedicate staff to maintaining the DR capability. 

Historically DR required significant investment in hardware, processes and time. As a result of maturing cloud technology, it’s now possible to provide not only a robust, proven DR solution at a fraction of the original cost but with the added benefit of real time, on demand test invocation. 

At Adept4 we can help you make disaster recovery work for you. We develop a Business Continuity and DR (BCDR) Plan, establish and test DR using Microsoft Azure Site Recovery (ASR), and work with you to iteratively test and determine an acceptable RTO/RPO. Establishing a tried and tested recovery time, we enable you to prove the resilience of your business and benefit as a result. Contact us today to find out more about the Adept4 DRaaS solution.

[1] ‘British businesses lost £7 billion to internet outages in 2016’, March 2017

[2] CloudVelox, ‘State of Disaster Recovery 2016’, published January 2017
