pixel - Fotolia

Disaster recovery for SMEs: Five key areas to consider

We look at key disaster recovery considerations for SMEs, including why backup is not enough, how to create a disaster recovery plan, best-practice DR testing and DR as a service

This article can also be found in the Premium Editorial Download: MicroScope: MicroScope: Stepping forward after Covid

Over the past 18 months, businesses of all sizes have learned to live with disruption. As lockdowns forced offices to close, organisations moved to remote working en masse.

For some, this was new territory. For others, it was part of an existing business continuity and disaster recovery (DR) plan. Staff working from laptops with data in the cloud is an established way of coping with incidents that can range from power outages to natural disasters.

Disaster recovery plans have long been common for enterprises and large public sector bodies, but they are equally vital to smaller organisations. If a small or medium-sized enterprise (SME) supplies enterprises or government, a disaster recovery plan is often mandated.

But many of the principles behind disaster recovery planning apply regardless of the business’s size. And technology, especially cloud-based services, is making disaster recovery more accessible to SMEs.

Disaster recovery, or backup and recovery?

Disaster recovery is often viewed as a purely technical exercise, focused around data backup and restoration. Although protecting data is still a key part of any disaster recovery process – no organisation will survive if it cannot recover its data – DR is broader than that.

A DR plan needs to consider how data is protected. This is vital to deal with potential failures caused by software or hardware problems, but also environmental incidents, such as the recent flooding across the UK and continental Europe.

Planners need to consider how and where the business will operate in a recovery situation. This includes physical premises, including failover or recovery workspaces, and the ability of employees to work from home.

The organisation will also need to consider replacement equipment, in the event that existing hardware is damaged, destroyed or inaccessible. This includes laptops, tablets and other endpoint devices, but also communications and networking equipment, and servers and storage for on-premise systems.

Most SMEs will not be able to afford duplicate datacentres or standby servers. In some cases, organisations will be able to failover to the cloud, or use the cloud temporarily. For others, the recovery strategy will mean obtaining and setting up new hardware in order to recover applications and data.

The key to any approach, however, is planning.

DR planning: Not if, but when

Over the past few years, organisations have moved from working on the basis that a disaster could happen, to a recognition that disaster will happen. In part, this has been driven by the growth in cyber crime, especially ransomware. Meanwhile, the pandemic has pushed disaster recovery up the corporate agenda.

Regardless of size, organisations need to start with a disaster recovery plan that sets out what should be done in the case of a disaster and, critically, who will do it.

The plan should be comprehensive, reviewed and practised. CIOs need to understand where their data and critical systems are, how they are backed up, and how they should be recovered. With organisations operating a growing number of IT systems, they may well need to prioritise a staged recovery, too. It will not be possible to spin up all systems at once.

Read more on disaster recovery

Once the CIO or the project team has agreed the plan, it needs to be communicated across the organisation.

All too often, organisations fail because of a lack of preparation, says Tony Lock of analysts Freeform Dynamics. “DR is far more than IT system recovery at a technical and data level,” he points out.

“Beyond the tech and data, it is essential to make sure that recovery processes are well understood, including who is going to take responsibility for initiating the recovery and covering any costs incurred. Do staff know where to go, how to be contacted and are the recovery processes clearly written and easy to find in an emergency?”

Organisations also need to look at their supply chains, and how they depend on others for the supply of goods, services, and even data.

“Firms often fail to consider third-party dependencies, and rarely examine inter-company arrangements, but in a disaster, their priorities aren’t necessarily going to be aligned with yours,” says Adam Stringer, a business resilience expert at PA Consulting. A clear plan will help to identify these dependencies, and how an organisation would function if a key supplier fails, he adds.

Risks, and recovery timescales

In order to plan, CIOs and business resilience managers need to understand the risks and the requirements for the business to return to normal operations.

The key metrics used in disaster recovery – regardless of business size – are the recovery point objective (RPO) and the recovery time objective (RTO). RTO is how quickly data needs to be recovered, and accessible. For some systems, this will be measured in seconds; in others, it might be hours or even days.

The RPO is how much data the organisation can lose. Again, some organisations will have a very low tolerance for data loss.

For RPO and RTO, not all systems will be equal. Some, such as customer-facing applications or those with regulated data, will have fast recovery times and a low threshold for data loss. Others will be less critical, or updated less frequently. The key is for planners to work with the business to understand the priorities and timescales.

Planners also need to consider RPO and RTO in terms of threats, says Stephen Young, director at DR and cloud backup company AssureStor. He pinpoints the risks of data theft and data loss as key considerations, along with RPO and RTO.

Test, and test again

Disaster recovery planning is not finished once the plan is in place, however. Organisations need to communicate the plan – and test it

“Firms may have written plans and procedures, but they may not be practical or widely known and aren’t actually then applied in a crisis,” says PA Consulting’s Stringer.

“They need a clear decision-making structure and playbooks that have been agreed and refined through practice and testing, plus easy-to-understand approaches like a gold, silver and bronze command structure. These are more practical use to firms during a disaster than a detailed 100-page manual.”

Organisations also need to consider who will manage the crisis response. This might not always be the MD or CEO; it could be the head of finance or the IT director. The key is to ensure everyone knows who will take charge, and how they will communicate.

Freeform Dynamics’ Lock agrees. “Testing will consume time and budget, but without it, the odds are that the recovery will at best be incomplete or slow,” he says. “At worst, either it will not work, will take far too long for the business, or may lose important information.”

Testing should be regular, with DR experts suggesting once a year as a bare minimum. Critical systems might need testing at least monthly.

Disaster recovery as a service, and SaaS

Smaller firms, however, will not have access to large IT teams that can build duplicate IT systems.

Fortunately, the cloud offers various options, ranging from dedicated disaster recovery as a service (DRaaS) providers to business applications such as Microsoft Office 365.

Office 365, Google Workspace and cloud-based enterprise applications enable a business to recover much of its operations as long as its staff have access to a web browser. Cloud storage can also be a lifeline.

But there are caveats. Consumer-grade cloud storage raises compliance issues, and SaaS suppliers provide only limited guarantees for clients’ data. CIOs should check terms and conditions, and look at dedicated DRaaS even if most of their applications, and data, are already in the cloud.

Read more on Disaster recovery