With businesses of all descriptions now completely dependent on IT and telecoms to keep functioning, the need for a disaster recovery plan, no matter what size the business, has never been more compelling.
Smaller businesses, lacking the standby facilities and support services enjoyed by their larger counterparts, can be hit particularly hard. Downtime is one of the biggest IT expenses that an SME can face. If your network and systems fail for just a few minutes you can resort to manual methods and losses will be minimal, but a downtime of even a few hours will mean that these manual processes won’t keep up with the business workload or meet customer expectations. For SMEs particularly, any extended loss of productivity can lead to a reduced cash flow through late invoicing, lost orders, increased costs as staff work extra hours to recover from the downtime, missed delivery dates and so on. A frequently quoted finding from KPMG states that 40 per cent of companies suffering a major business disruption go out of business within two years as they are unable to recover from the long-term impact of the failure.
The job of a disaster recovery (DR) plan is to ensure that whatever happens, vital data can be recovered and mission-critical applications brought back online in the shortest possible time. Particularly difficult to plan for are compound events in which one seemingly minor incident leads to others and creates a domino effect.
Recently, Computing surveyed 132 IT professionals in SMEs to discover how effectively they think risks are managed within their organisation and the items included in their disaster recovery plans.
While the vast majority (86 per cent) do have a formal disaster recovery plan, it appears that once that plan is in place it is only given cursory attention thereafter in many businesses. Fifty-three per cent of respondents said they test their plans only annually or less frequently than annually. Only nine per cent of the companies surveyed test their disaster recovery plans monthly, while 29 per cent say they test their plans a few times a year.
There appears to be something of a disconnect between these findings and the review process in place in the businesses surveyed, as over half (57 per cent) of respondents say that they have reviewed their disaster recovery/business continuity plans within the past six months and a third say they have done so within the past year. So they are reviewing their plans but not testing them.
Minor disasters only please
What does a disaster recovery plan typically encompass in a small or medium-sized business? For many companies it is little more than a glorified data backup plan, without the all-round services typical of a fully-fledged business continuity plan. All companies surveyed said that their disaster recovery planning provided for data backup. Contingency planning also featured highly, but this was far from the case for other services, with third party workplace recovery procedures, cloud services, and ship-to-site of pre-configured IT equipment all minority pursuits.
Data backup is essential to prevent loss, of course, but if the mission-critical applications and other systems cannot be brought back online quickly, serious damage can still be done.
There was a broad spread of opinion among respondents about how much downtime the business might sustain – 22 per cent thought the sustainable downtime for the business was only a matter of hours while 40 per cent of respondents thought that the business could sustain a downtime of between one and two days. An optimistic 20 per cent of respondents thought the business could sustain a longer downtime of between two and seven days and 16 per cent thought that downtime of a week or more would be sustainable.
What we term “disasters” in this context are more common than many people think. Hardware failure and loss of connectivity may be more likely to occur than fire and flood, although all must be catered for in the DR plan, as must human error – some interesting examples of which were uncovered in a previous Computing research project.
Just over a quarter (26 per cent) of companies have had to implement their disaster recovery plan at some point, so are very likely to have sustained some business loss as a result. Some smaller businesses simply may not see the need for advanced DR services. But as mentioned, they are likely to suffer disproportionately should the worst occur.
Disaster recovery as a service
Half of the respondents said that they would consider the cloud for disaster recovery (20 per cent said that they didn’t know), whereas 29 per cent said they would not consider it, mostly for reasons of security and trust. Given the historical objections to moving services away from the server room, the fact that half would now consider it is a significant result and may be a sign that relations between cloud providers and IT departments are thawing as the cloud model matures.
As cloud services have become better understood, solutions have emerged that bring enterprise technologies within reach of smaller organisations, one of which is disaster-recovery-as-a-service (DRaaS).
DRaaS can bring enterprise-style disaster recovery plans within the reach of more businesses, replicating physical or virtual infrastructure to the cloud and automatically switching production environments or individual applications to cloud-based facilities on failure and augmenting in-house capabilities. Ensuring that a company’s IT systems and data are consistently available to and accessible by its staff can assist with regulatory compliance.
Customers are more demanding
The most popular drivers for forming a disaster recovery plan are customer demand and legislative and regulatory compliance – in fact half (49 per cent) of those questioned said that customer demand was their key driver for a disaster recovery plan (see figure 2).
There is good reason for this. A recent report by Iron Mountain and PricewaterhouseCoopers found that more than half of mid-sized businesses across Europe would refuse to do business with an organisation that has suffered a data breach. Reputation and trust are hard won and easily lost.
This means that a simple backup plan is often insufficient, and that it is unwise to wait for a real-life disaster to test the efficacy of your plans.
It is clear from the survey that many businesses are failing to fully consider or are unaware of the full range of disaster recovery options available to them and that many are ill-prepared for a disruptive event such as extreme weather, fire or data loss. There is also the suggestion of a degree of complacency among the survey respondents, perhaps a case of misplaced optimism or a perception of control that leads respondents to believe that “it won’t happen to me”.
Perhaps these businesses are underestimating their reliance on IT and telecoms continuity and are unaware of the potential seriousness of the impact on the business that an outage could cause.
As with everything cloud, the watchword for DRaaS is caveat emptor, especially with regard to ongoing costs and data location, but as a potential safeguard available at low capital cost, many SMEs would be wise to at least investigate it.