Managing business continuity and disaster recovery
November 2018, IT infrastructure, Security Services & Risk Management
Organisations are increasingly reliant on their IT systems and data, but they are faced with risks in the form of anything from accidental data loss, to deliberate acts of sabotage such as infections by ransomware. One of the most disastrous examples of how things can go wrong was when the English bank TSB’s failed migration to a different IT platform earlier this year left its customers without access to their accounts for weeks, and eventually resulting in the CEO being sacked.
It is therefore vital for businesses to have business continuity and disaster recovery plans in place. While there are key differences between those two components, they go hand in hand, explains Gerhard Fourie, district channel manager for South Africa at Commvault. “The difference essentially lies in the scope. Disaster recovery is the process of getting all the important IT operations back up and running after a disastrous event, whereas business continuity is the actual plan you require to make sure that you can recover. This means making sure that the sales guys have access to the CRM system, the marketing people have access to their marketing videos, the HR department has access to the payroll systems, and so on.”
Michael Davies, CEO of ContinuitySA, describes business continuity as “a more proactive approach to withstand potential incidents and disasters, including elements of crisis management, communications, etc., whereas disaster recovery is seen as the more traditional, reactive recovery of data and IT systems. Disaster recovery evolved into business continuity which in turn has evolved into building business and operational resilience,” he says.
“Building business continuity capability and resilience is vital and more important than ever before in this volatile, uncertain, complex and ambiguous world we live in,” Davies continues. “Big data and the acceleration of change in technology, together with social media, growing expectations on privacy and confidentiality with more legislation, means that business continuity needs a comprehensive approach to safeguarding not only data and technology but processes and people too.
More than data
“Business continuity is not only about protecting data. When a disaster occurs, it is highly likely that a company would need to deploy an emergency response, crisis management and communications in addition to recovery of the business. On the topic of cloud computing, cloud providers have experienced outages which affect an organisation’s ability to continue through disruption. There is a common assumption that cloud means that backup is included but that is not necessarily so. Cloud providers are an important part of any organisation’s business continuity plan but that is only part of a comprehensive plan.”
Fourie concurs that, while access to cloud storage services do give companies a way of managing their data backup themselves, it is only one piece of the puzzle. “We saw what happened last year in the US when Microsoft’s Azure platform went down,” he points out. “Many of those customers were thinking they don’t need disaster recovery plans because Azure is taking care of it, but the fact of the matter is if a disaster strikes one of the cloud providers, what are the plans to actually help you get your data back and applications back up and running?
“This can be mitigated by replicating your data to a secondary data centre in a different location. You need to identify your critical systems that you can’t do without. Other things like file servers and print servers can come back online as and when the server is back up, but email and CRM and so on are more critical systems in terms of day to day operations.”
To assist companies with this, Commvault offers a full-spectrum service that goes beyond disaster recovery, by doing a backup and ensuring that it can be restored. The company engages with the customer to identify their key and critical systems, and understand whether it would be necessary to replicate data in a near-live environment in an asynchronous manner, so if there is a disaster they can automatically failover to the disaster recovery site and bring up the services on that side.
In terms of backing up data, Commvault indexes the data so its metadata can be interrogated, and also tests the integrity of the data. Another part of the service involves handling conversions between VMware and Hyper-V data formats if necessary, so that the customer can get their backup restored from the data centre seamlessly.
Explaining ContinuitySA’s role, Davies says: “The primary focus of ContinuitySA is to provide peace of mind to our clients by ensuring that their business continues in times of adversity and potential disasters because they have comprehensive cyber resilience, business continuity plans, recovery site and technology solutions in place. We have 30 years of experience in helping organisations through disasters and tests, ensuring that they stay in business.”
“The business continuity plan (BCP) may or may not include personal devices, depending on the organisation’s policy on personal devices and whether work related data is kept on personal devices,” Davies continues. “Businesses should include personal devices into the BCP for a number of good reasons, and definitely should if work related data is kept on the device. However, the BCP should also include a cyber resilience policy and programme as personal devices may be an easy target for cybercrime and data breaches, putting confidential business data in jeopardy. This in turn has an influence on an organisation’s information security and cyber policy.”
Fourie adds that while the BYOD (bring your own device) phenomenon was a challenge for organisations initially, it is now commonplace and effective solutions have been worked out. “More and more businesses these days are using software containers to isolate important corporate data,” he says. “Many also require when you bring your device that you install a form of agent to allow you to backup that data.
“It is key to understand, particularly when PoPI comes in, what data the company owns and what they don’t own. My personal documents are not necessarily the property of the company, but then you also need to have the sense if using a corporate laptop, not to save your personal stuff on it. That’s where the container solution comes in, to make sure all corporate information is managed, and if something should happen with the device they can quickly recover it and restore it on similar hardware. The advent of GDPR and PoPI is forcing companies to think about this seriously, and the consequences,” says Fourie.
Building a plan
“In the normal course of drafting a business continuity plan, an organisation undertakes a business impact analysis and a threat or risk assessment, highlighting key areas of single points of failure and what the business understands to be their recovery time objectives and recovery point objectives for different departments and systems,” says Davies. “It is a common-sense approach to understanding your business better and putting plans in place to mitigate risks and manage incidents when they occur. The plan will always be influenced by the company’s risk appetite, legislation within the industry which the company operates in, and the size of the company.
Fourie says there are a few steps companies can take to make sure what their business continuity and disaster recovery plan is, and they revolve around being proactive and identifying potential risks in the environment, and how those risks will affect their operations. “Take ransomware as an example: if my laptop gets infected will it affect the entire business?” he poses. “The next step is implementing the actual stopgaps and procedures for getting around those risks.
“After that it is vital to test those procedures to ensure their effectiveness, and then review and audit the process as you go along, because no business continuity plan or disaster recovery process is perfect. Once you’re sure the entire environment is as compliant as you can possibly get it to, it’s about constantly testing, which is why automated disaster recovery testing is of vital importance. Once you’ve done a backup copy you should run spot checks to see if you can restore certain systems and applications,” Fourie says.
For more information contact:
Commvault, +27 11 575 6570, firstname.lastname@example.org, www.commvault.com
ContinuitySA, +27 11 554 8000, email@example.com, www.continuitysa.co.za