A Guide to Business Continuity, Disaster Recovery, and High Availability

It’s an unfortunate reality that, as the world becomes increasingly digitised, cyberattacks will only become more commonplace – and it only takes one successful attempt to destroy a business.

But say the worst happens, and a cyber-attack or system failure does slip through your defences. Do you know:

• How long you can afford to have systems inactive?
• Which applications your business needs for minimum functionality, and how long you can be without each one?
• How current these applications need data to be in order to function properly?

Being able to answer these questions forms the basis of a Business Continuity Plan (BCP) – but disturbingly, already having a BCP in place means that you’re technically in the minority.

A recent study by ZipDo illuminated some worrying statistics. As of this year:

•         Only 40% of small businesses have a BCP in place, with the remainder in danger of losing their business in case of a sudden attack or disaster,
•          Nearly 70% of organisations do not have a fully documented BCP, which means that their archives are at serious risk,
•          Only 35% of businesses have off-site backups to protect their data – therefore, for the remaining 65%, on-site disasters such as fires and floods will also put their back-ups at risk,
•          60% of small companies that suffer a cyberattack are out of business within just six months.

This lack of awareness around BCPs isn’t just worrying, it’s downright dangerous – especially considering that 90% of businesses without a BCP in place fail after a data loss.

So, assuming that you don’t have a BCP in place already, the next question should be obvious: where do you start.

RPO and RTO

First, we must explain Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

•           A Recovery Point Objective refers to the maximum amount of data loss that can be accepted without disastrously impacting your operations. For instance, RPO will be considerably lower for a CRM system than it will be for an internal company blog.
•           A Recovery Time Objective refers to the maximum length of time that systems can be down before serious damage has been done to your business.

These two factors will differ from company to company depending on multiple variables, which we will explore later in the article.  

What’s the Difference between Disaster Recovery and High Availability?

When customers ask for assistance with creating their BCP, there is some confusion between Disaster Recovery and High Availability – which, while related, operate very differently and fulfil different roles in a BCP.

•            Disaster Recovery prioritises files and backs them up at regular intervals, with the aim that your more crucial files can be restored with a short turnaround; since less crucial systems should be relatively unchanged regardless.
  What we’ve described here is how this method centres on RPO – the criticality of the information being backed up – and RTO – how long it takes to restore them. This method is far more cost-effective than High Availability, since it operates by targeting specific information.
  
  
•           High Availability instead involves continuously replicating every file and application in a system as a preventative measure, with the aim being to let you more-or-less pick up instantly where you left off in the event of a disaster.
  This method also allows for system maintenance without impacting user operation and is not concerned with RTO or RPO, with the main drawback being that it is extremely costly – since systems must be replicated in their entirety every time, for the same cost.

Things to Consider for your BCP

So, now you have probably made a decision about what kind of approach you wish to take with your BCP, here are some things to consider:

1. Criticality of Data

How business-crucial is the information you want to back up? Prioritisation is key - for example, backing up financial records and confidential data housed on a Document Management system should always be highest on the list.

2. Important Services

If you require special software to provide your services – for example, CRM software - it’s crucial to back this up regularly. This will ensure that, in the event of a disaster, your people could get back to work as quickly as possible; since your customers are unlikely to tolerate zero functionality for long. Again, prioritisation of your services is key.

3. Frequency of Updates

Deciding on the frequency of your back-ups will depend on how regularly data is updated. For instance, data that is constantly in flux will need to be updated more frequently than data that is more static.

In summary, BCP can be a complex and expensive process to setup and manage if you don’t have access to all the critical technical information required to plan efficiently. Apogee’s specialist architects are on hand to support, review, design, and build these processes with you.

For more information on disaster recovery, contact us by using the form below.