Disaster recovery not a sideline

May 2016 Security Services & Risk Management, Infrastructure

Organisations need to move away from treating business continuity and disaster recovery as isolated IT conversations. Unless businesses ensure they also take people and processes into account when planning for disasters, they run the risk of not surviving them.

This is the view of Sakkie Burger, managing executive at Business Connexion. “Most companies prioritise the need for restoring IT in the event of a system breakdown,” he says. “What they do not focus on, however, is what processes are in place to ensure the business can continue when automated or digital processes fail and specifically the role that employees have to play as they are ultimately the custodians of the processes that drive operations.

“It’s easy to, for example, provide a company with 10 seats to go and restore their IT systems and get them up and running again, but how do you accommodate a company with 100 employees that have just lost their premises in a disaster? This poses a different challenge and there are not many companies, providing disaster recovery in South Africa, that have the luxury of having that amount of space available waiting just to be occupied when there is a need for disaster recovery.”

Burger says that although most companies are going the route of digitisation, manual processes still have a fundamental role to play. “Take an airline, for example. If their electronic system for checking passengers onto the plane goes down, they have to have a manual back office process in place to perform this function. They cannot just ground the aircraft until the electronic system is restored. And herein lies the challenge: not many companies have these contingencies in place and they are putting themselves, their businesses and most important, their customers at risk.”

He adds that while many organisations have these failover processes in place, they either do not test them regularly enough or their testing practices are inadequate. “Many organisations have testing in place, but they perform a paper-based test. They see that there’s a manual process in place, the configur-ation is there and that it is documented, but that is where it ends. There is no actual testing from end-to-end by recovering on a piece of hardware and making sure it works, that the network is connected and that users can actually sign in and check the data,” says Burger.

“People tend to do disaster recovery tests to satisfy their auditors rather than making sure the business can continue to run in the event of a disaster.”

There are a number of challenges in adopting an adequate disaster recovery strategy. “The biggest challenge is the cost. You know you have to have it, but also that you might never need it,” he says. “The second challenge is distance. What distance is the correct distance for you to have a disaster recovery site, particularly when you take incidents that could affect a broader geographical area into account? Here connectivity also comes into play, because the further away your disaster recovery is from your main site, the more expensive network constituencies become.”

Burger believes that possibly one of the biggest risks companies face is that, while they have disaster recovery processes in place, they tend to set it up on equipment that has become redundant or obsolete. “In these cases companies have had to upgrade their equipment, so they use the new technology for their production line and then run their disaster recovery on the old machines. The challenge with this is that when they do need to do a recovery, they find that it’s not compatible or supported anymore, which means they are not capable of recovering core systems in reasonable timeframes.”

He adds that DR often does not get the attention it deserves because it is an expenditure that is not really productive. “That is why there is a trend to outsource their disaster recovery to a third party, where there is an agreement that they have to have the necessary equipment in place to ensure they can run your disaster recovery effectively and efficiently”.

Burger advises companies that are either relooking their disaster recovery strategy or implementing it for the first time, needs to ensure that they understand which of their applications are the most critical as a first step. “Some applications don’t need disaster recovery contingency and you can run your business without them. Interestingly though, between 5 and 7 years ago mail wasn’t deemed a high priority application. Today, that is deemed the first thing companies want to have recovered, because it has become mission critical to the running of their businesses. Times have certainly changed”

He adds that companies must also understand the technology that is involved. “You can’t just move a workload from a Unix platform to a Microsoft platform. You must ensure that the work breakdown structures and standard operating procedures and processes are documented, tested and updated at least twice a year. It’s easy to just write a process and file it away in a cupboard and do nothing further with it. It needs to be tested vigorously and on a regular basis. It is not just about testing it, it’s about change management and fixing problems as and when you are presented with them.”

Burger says that often change management is the biggest problem in disasters. “A disaster happens because something changed and a change request didn’t notify the disaster recovery process of this change. If your disaster recovery manual is not up to date, it could significantly increase the amount of time spent to fix the problem,” he concludes.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Proactive strategies against payment fraud
Financial (Industry) Security Services & Risk Management
Amid a spate of high-profile payment fraud cases in South Africa, the need for robust fraud payment prevention measures has never been more apparent, says Ryan Mer, CEO of eftsure Africa.

Read more...
How to prevent and survive fires
Fire & Safety Security Services & Risk Management
Since its launch in August 2023, Fidelity SecureFire, a division of the Fidelity Services Group, has been making significant strides in revolutionising fire response services in South Africa.

Read more...
A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...
Integrated information platform for risk management
Editor's Choice News & Events Security Services & Risk Management
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Read more...
Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Security Services & Risk Management
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Read more...
Linking of security officers by security businesses
PSiRA (Private Security Ind. Regulatory Authority) News & Events Security Services & Risk Management
[Sponsored] By law, all security businesses are required to declare their employees to PSiRA so that they can be accounted for administratively. Failure to link employees by security businesses is a contravention of the Code of Conduct and a criminal offence.

Read more...
AI augmentation in security software
Security Services & Risk Management AI & Data Analytics
The integration of AI technology into security software has been met with resistance. In this, the second of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...