• United States



Neal Weinberg
Contributing writer

Business continuity and disaster recovery planning: The basics

Mar 25, 20219 mins
Business ContinuityDisaster RecoverySecurity

Good business continuity plans will keep your company up and running through interruptions of any kind: power failures, IT system crashes, natural disasters, pandemics and more.

storm disaster recovery disruption rain umbrella tornado challenge weather
Credit: Getty Images

Editor’s note: This article, originally published on March 27, 2014, has been updated to more accurately reflect recent trends.

Wildfires in California. A snowstorm in Texas.  Windstorms across the Midwest. Floods in Hawaii. Hurricanes in Florida and Louisiana. Russian hackers and ransomware attacks. And let’s not forget the global pandemic.

If anyone still thinks that having a disaster recovery and business continuity plan isn’t a high priority, you haven’t been paying attention to recent events. As we begin to emerge from the COVID-19 pandemic, organizations are shifting to a new normal that will certainly be more remote, more digital and more cloud-based. Disaster recovery plans will have to evolve to keep up with these changing business conditions.

On top of that, business requirements for disaster recovery have changed dramatically. There was a time when it was acceptable for recovery time to be measured in days or hours. Now it’s minutes. In some cases, business units are demanding zero down time in the event of an unplanned outage.

Here are the basics of a state-of-the-art disaster recovery/business continuity (DR/BC) plan for 2021 and beyond. (Without getting too hung up on definitions, let’s say that disaster recovery is getting the IT infrastructure back up and running, while business continuity is a broader discipline that gets the business back up and functioning once the lights are back on.) 

Integrate cybersecurity, intrusion detection/response, disaster recovery into a comprehensive data protection plan

For CISOs, the first goal of a disaster recovery plan is to avoid the disaster in the first place, which is becoming increasingly challenging. First, data is no longer safely tucked away in an on-premises data center. It’s distributed across on-premises environments, hyperscale clouds, the edge and SaaS applications. ESG Research Senior Analyst Christophe Bertrand points out that SaaS presents a serious data protection and recovery challenge because “now you have mission critical applications running as a service that you have no control over.”

Second, the pandemic drove millions of employees out of the secure confines of the corporate office to their home offices, where the Wi-Fi is less secure and where employees might be sharing sensitive data on collaboration applications.

Third, hackers took notice of these expanding attack vectors and launched a barrage of new and more targeted ransomware attacks. According to the Sophos State of Ransomware 2020 Report, hackers have moved from spray-and-pray desktop attacks to server-based attacks. “These are highly targeted, sophisticated attacks that take more effort to deploy. However, they are typically far more deadly due to the higher value of assets encrypted and can cripple organizations with multi-million dollar ransom requests,” according to the report.

In response to these changing conditions, CISOs should focus on beefing up endpoint security for remote workers, deploying VPNs and encryption, protecting data at rest no matter where it lives, and also making sure that collaboration tools don’t become a source of security vulnerabilities.

Conduct a business impact analysis (BIA)

Organizations need to conduct a thorough business impact analysis to identify and evaluate potential effects of disasters through the lenses of financial fallout, regulatory compliance, legal liability, and employee safety. Gartner estimates that 70% of organizations are making disaster recovery decisions without any business-aligned data points or based on an outdated BIA. “Without the fact base the BIA provides, teams can only guess at the appropriate level of DR and what risks are tolerable. This results in overspend or unmet expectations,” according to Gartner.

Remember, you don’t need to protect everything. Organizations that conduct these exercises are often surprised to discover servers that do nothing but run a routine back-end business process once a month, or even once a year.

Organizations need to prioritize applications by their criticality to the business, and to identify all the dependencies associated with a business process, particularly applications that may have been virtualized across multiple physical servers, might be running in containers in the cloud, or in serverless cloud environments.

Classify data

Along the same lines, you don’t need to protect all data, just the data that you need to keep the business running. You do need to go through the process of locating, identifying, and classifying data. Be sure to protect data that falls under regulatory requirements, customer data, patient data, credit card data, intellectual property, private communications, etc. The good news is that tools can automate data identification and classification.

Consider disaster recovery as a service (DRaaS)

DRaaS is an increasingly popular option for CISOs at small- to mid-sized organizations who want to cost-effectively improve IT resilience, meet compliance or regulatory requirements, and address resource deficiencies. The DRaaS market is expected to grow at a rate of 12% a year over the next five years, according to Mordor Intelligence. DRaaS services cover the full gamut of disaster recovery and business continuity, providing flexibility and agility to enterprises, according to the Mordor report.

Gartner adds that as the DRaaS market has matured and vendor offerings have become more industrialized, the size and scope of DRaaS implementations have increased significantly, compared with a few years ago.

Develop a solid communication plan

Simply getting servers back up and running is essentially meaningless unless everyone knows their roles and responsibilities. Do people have the appropriate cell phone numbers and email addresses to share information? Do the relevant stakeholders have a playbook that spells out how to respond to a crisis in terms of contacting law enforcement, outside legal teams, utility companies, key technology and supply chain partners, senior leadership, the broader employee base, external PR teams, etc.?

Depending on the nature of the disaster, networking groups might need to establish new lines of connectivity for remote workers and reconfigure traffic flows; maintenance teams might need to perform remote troubleshooting, security teams might need to re-set firewalls, change access policies, extend security protection to new devices or to cloud-based resources. The biggest problem in a disaster isn’t related to data backups, it’s not having the right people in place and understanding all the steps required for the business to recover, says Bertrand.

Automate testing

To test disaster preparedness, companies traditionally conduct tabletop exercises in which key players physically come together to play out DR scenarios. However, only one-third of organizations perceive the exercises as “highly effective,” according to a July study by Osterman Research in association with Immersive Labs, a company that develops human-readiness skills in cybersecurity. The research also found that organizations don’t perform tabletop exercises often enough to keep up with evolving threats and that these exercises cost an average of $30,000. During the pandemic, it’s fair to assume that tabletop exercises fell by the wayside.

Doug Matthews, vice-president of enterprise data protection at Veritas, says there’s a better way. New tools can automatically test backup and recovery procedures on an ongoing basis and identify potential issues that need to be addressed. Modern testing solutions are also able to use sandboxing technology to create safe environments in which companies can test the recoverability of applications without impacting production networks.

Create immutable data backups

Ransomware attackers are targeting backup repositories, particularly in the cloud. They are also targeting SaaS applications. In response, organizations should keep one copy of data that can’t be altered. “Be sure that you have an immutable copy of backup data that nobody can touch,” advises Matthews, who says companies should have three copies of data at all times, not just two.

Companies should also investigate isolated recovery environments, such as air gapping, in which one copy of the data lives in an environment not connected to the production environment.

Consider data re-use

“Business is the data and data is the business,” says Bertrand. Once organizations have a copy of their important data sitting in a safe backup environment, why not think about ways to reuse it to advance the company’s digital transformation efforts.

The idea is for organizations to “understand what you have, where it is, how to protect it, store it and optimize it.”  Ultimately, Bertrand predicts that organizations will evolve an intelligent data strategy that encompasses regulatory compliance, disaster recovery/business continuity and data analytics.

Perform continuous updates

CISOs updating their DR/BC plans should take their cue from DevOps. It’s not about one-and-done, it’s about continuous improvement. DR planners need to be plugged into any changes at the company that might affect recoverability, including employees working from home permanently, stores or remote offices opening or closing, applications being replaced by SaaS, data moving to the edge, or DevOps moving to the cloud. Also, the technology is constantly improving, so be on the lookout for new tools that can help automate DR/BC processes. The plan should not be sitting on the shelf collecting dust. It should be updated on a regular basis.

Do long-term planning

In light of everything that has happened over the past 12 months, it’s a good time to shift thinking about DR/BC from reactive to proactive. Unfortunately, between public health emergencies, climate change and the increase in cyberattacks, disasters seem to be occurring more often and are certainly more devastating. DR/BC plans need to get ahead of the threats, not simply respond to them.

For example, if your company is in California, your DR/BC plan has to assume that there will be power outages from next season’s wildfires. Companies concerned about losing power when the next natural disaster hits might want to think about generating their own power from alternative sources.

A successful DR/BC plan requires that companies perform the basics, but it is also an opportunity for companies to find creative and innovative ways to keep the business running when disaster hits.