Managing business continuity and disaster recovery

November 2018 IT infrastructure, Security Services & Risk Management

Organisations are increasingly reliant on their IT systems and data, but they are faced with risks in the form of anything from accidental data loss, to deliberate acts of sabotage such as infections by ransomware. One of the most disastrous examples of how things can go wrong was when the English bank TSB’s failed migration to a different IT platform earlier this year left its customers without access to their accounts for weeks, and eventually resulting in the CEO being sacked.

Gerhard Fourie
Gerhard Fourie

It is therefore vital for businesses to have business continuity and disaster recovery plans in place. While there are key differences between those two components, they go hand in hand, explains Gerhard Fourie, district channel manager for South Africa at Commvault. “The difference essentially lies in the scope. Disaster recovery is the process of getting all the important IT operations back up and running after a disastrous event, whereas business continuity is the actual plan you require to make sure that you can recover. This means making sure that the sales guys have access to the CRM system, the marketing people have access to their marketing videos, the HR department has access to the payroll systems, and so on.”

Michael Davies
Michael Davies

Michael Davies, CEO of ContinuitySA, describes business continuity as “a more proactive approach to withstand potential incidents and disasters, including elements of crisis management, communications, etc., whereas disaster recovery is seen as the more traditional, reactive recovery of data and IT systems. Disaster recovery evolved into business continuity which in turn has evolved into building business and operational resilience,” he says.

“Building business continuity capability and resilience is vital and more important than ever before in this volatile, uncertain, complex and ambiguous world we live in,” Davies continues. “Big data and the acceleration of change in technology, together with social media, growing expectations on privacy and confidentiality with more legislation, means that business continuity needs a comprehensive approach to safeguarding not only data and technology but processes and people too.

More than data

“Business continuity is not only about protecting data. When a disaster occurs, it is highly likely that a company would need to deploy an emergency response, crisis management and communications in addition to recovery of the business. On the topic of cloud computing, cloud providers have experienced outages which affect an organisation’s ability to continue through disruption. There is a common assumption that cloud means that backup is included but that is not necessarily so. Cloud providers are an important part of any organisation’s business continuity plan but that is only part of a comprehensive plan.”

Fourie concurs that, while access to cloud storage services do give companies a way of managing their data backup themselves, it is only one piece of the puzzle. “We saw what happened last year in the US when Microsoft’s Azure platform went down,” he points out. “Many of those customers were thinking they don’t need disaster recovery plans because Azure is taking care of it, but the fact of the matter is if a disaster strikes one of the cloud providers, what are the plans to actually help you get your data back and applications back up and running?

“This can be mitigated by replicating your data to a secondary data centre in a different location. You need to identify your critical systems that you can’t do without. Other things like file servers and print servers can come back online as and when the server is back up, but email and CRM and so on are more critical systems in terms of day to day operations.”

To assist companies with this, Commvault offers a full-spectrum service that goes beyond disaster recovery, by doing a backup and ensuring that it can be restored. The company engages with the customer to identify their key and critical systems, and understand whether it would be necessary to replicate data in a near-live environment in an asynchronous manner, so if there is a disaster they can automatically failover to the disaster recovery site and bring up the services on that side.

In terms of backing up data, Commvault indexes the data so its metadata can be interrogated, and also tests the integrity of the data. Another part of the service involves handling conversions between VMware and Hyper-V data formats if necessary, so that the customer can get their backup restored from the data centre seamlessly.

Explaining ContinuitySA’s role, Davies says: “The primary focus of ContinuitySA is to provide peace of mind to our clients by ensuring that their business continues in times of adversity and potential disasters because they have comprehensive cyber resilience, business continuity plans, recovery site and technology solutions in place. We have 30 years of experience in helping organisations through disasters and tests, ensuring that they stay in business.”

Controlling BYOD

“The business continuity plan (BCP) may or may not include personal devices, depending on the organisation’s policy on personal devices and whether work related data is kept on personal devices,” Davies continues. “Businesses should include personal devices into the BCP for a number of good reasons, and definitely should if work related data is kept on the device. However, the BCP should also include a cyber resilience policy and programme as personal devices may be an easy target for cybercrime and data breaches, putting confidential business data in jeopardy. This in turn has an influence on an organisation’s information security and cyber policy.”

Fourie adds that while the BYOD (bring your own device) phenomenon was a challenge for organisations initially, it is now commonplace and effective solutions have been worked out. “More and more businesses these days are using software containers to isolate important corporate data,” he says. “Many also require when you bring your device that you install a form of agent to allow you to backup that data.

“It is key to understand, particularly when PoPI comes in, what data the company owns and what they don’t own. My personal documents are not necessarily the property of the company, but then you also need to have the sense if using a corporate laptop, not to save your personal stuff on it. That’s where the container solution comes in, to make sure all corporate information is managed, and if something should happen with the device they can quickly recover it and restore it on similar hardware. The advent of GDPR and PoPI is forcing companies to think about this seriously, and the consequences,” says Fourie.

Building a plan

“In the normal course of drafting a business continuity plan, an organisation undertakes a business impact analysis and a threat or risk assessment, highlighting key areas of single points of failure and what the business understands to be their recovery time objectives and recovery point objectives for different departments and systems,” says Davies. “It is a common-sense approach to understanding your business better and putting plans in place to mitigate risks and manage incidents when they occur. The plan will always be influenced by the company’s risk appetite, legislation within the industry which the company operates in, and the size of the company.

Fourie says there are a few steps companies can take to make sure what their business continuity and disaster recovery plan is, and they revolve around being proactive and identifying potential risks in the environment, and how those risks will affect their operations. “Take ransomware as an example: if my laptop gets infected will it affect the entire business?” he poses. “The next step is implementing the actual stopgaps and procedures for getting around those risks.

“After that it is vital to test those procedures to ensure their effectiveness, and then review and audit the process as you go along, because no business continuity plan or disaster recovery process is perfect. Once you’re sure the entire environment is as compliant as you can possibly get it to, it’s about constantly testing, which is why automated disaster recovery testing is of vital importance. Once you’ve done a backup copy you should run spot checks to see if you can restore certain systems and applications,” Fourie says.

For more information contact:

Commvault, +27 11 575 6570,,

ContinuitySA, +27 11 554 8000,,


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

From the editor’s desk: Presenting … how you were hacked
May 2019, Technews Publishing , News
“It’s all fun and games until you hit the wall.” Someone said that to me once (an American, so I don’t know if that’s a common saying in the US). At the time I thought he watched too much reality TV. These ...

TAPA 2019 conference: A layered approach to cargo security
May 2019, Technews Publishing , Calendar of Events
26 July 2019 Emperors Palace, Gauteng TAPA members: no charge (maximum of three delegates per member company), Non-TAPA members: R1780 excl VAT. The South African chapter of the Transported Asset Protection ...

iLegal 2019
May 2019, Technews Publishing , Calendar of Events
iLegal 2019    Johannesburg, South Africa    12 September 2019 iLegal, hosted by Dr Craig Donald and Hi-Tech Security Solutions, returns in 2019 with another full-day event covering insights and advice into ...

Securex Preview 2019
Securex Preview 2019, Technews Publishing , Conferences & Events
Securex is upon us once again and Hi-Tech Security Solutions is here with another brief preview of what the show has to offer.

30 years of business continuity
May 2019, ContinuitySA, Technews Publishing , Editor's Choice, Security Services & Risk Management
ContinuitySA is celebrating its 30th anniversary this year and Hi-Tech Security Solutions spoke to CEO Michael Davies about the changes he has seen in the business continuity and disaster recovery markets.

The benefits of background screening
May 2019, iFacts, Managed Integrity Evaluation , Editor's Choice, Security Services & Risk Management
Companies need to be more vigilant about the people they employ by making sure comprehensive background screening checks are conducted.

Does your control room add value?
May 2019, Fidelity Security Group, G4S South Africa, Progroup , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Integrated Solutions, IT infrastructure, Commercial (Industry)
Whether on- or offsite, control rooms are a critical aspect of security today and care must be taken in the design and rollout of these nerve centres.

iLegal 2019: Augmented surveillance - realising the full potential of CCTV
May 2019, Technews Publishing , Editor's Choice, News, Conferences & Events, Training & Education
iLegal 2019 will look at what is becoming known as Augmented Surveillance – using technologies and people interactively to maximise results from operators and control rooms in order to make intelligent security and business decisions.

Simplifying fire detection system installations
May 2019, Elvey Security Technologies , Editor's Choice, Fire & Safety, Security Services & Risk Management
A fire detection system needs to be selected with extreme care, as is selecting an installer that not only understands the various technologies employed in fire detection, but that also has the necessary accreditations and certifications.

Security workforce management platform
May 2019, Secutel Technologies , CCTV, Surveillance & Remote Monitoring, Integrated Solutions, Security Services & Risk Management
Secutel Technologies says the South African market is excited about body-cam technology and clearly sees the potential benefits.