Business continuity management on the rise

Business continuity management (BCM) and disaster recovery (DR) are often used interchangeably but erroneously so. Business continuity planning involves a holistic approach to business protection, seeking to ensure that mission-critical functions – from HR to manufacturing – continue to operate during and after an unforeseen event.

Disaster recovery on the other hand typically involves contingency for recovering and restoring business applications in the event of outage or systems loss.

A 2012 report from cloud services provider, MJ Flood Technology revealed that just over half (51 per cent) of organisations had no DR plan and 48 per cent no business continuity plan in place.

However, Pat Larkin, chief executive with information security consultancy, Ward Solutions is now seeing a steady stream of clients addressing this very issue.

“Organisations have become quite mature in terms of understanding their business dependence on digital services. As shareholders and stakeholders become more aware of that critical dependency, they’re starting to ask much more reaching and telling questions of risk managers and CIOs about business continuity requirements.

“And apart from asking questions, they’re now starting to articulate specific requirements, which I think is a real boon for CIOs, because typically business continuity and DR planning were driven by IT,” he said.

Larkin believes that one of the most salient drivers of increased BCM adoption is supply chain governance, particularly where businesses form partnerships and not just engage in one-off transactions. Organisations are starting to demand more compliance and governance of their suppliers and this is filtering right through the fabric of Irish industry.

“As we do business with customers for example, we get a due diligence questionnaire as part of their supply chain governance. And that questionnaire is very searching in terms of our information handling security processes. They recognise us as an IT supplier and a potential risk to their data handling and they want to know if we have a mature approach to our own business continuity planning,” he said.

Niamh Townsend, enterprise solutions director at Dell Ireland believes that an increased focus on BCM has positive, knock on effects for DR.

“Modern architecture design now allows for true automatic failover of systems from a main site to a remote location. This is often in place purely to facilitate remote workers but with the added benefit of providing business continuity in the event of a major disruption. Whilst designed for BCM they add the benefit of supporting a good DR response,” she said.

Townsend believes that it’s easy to develop a good business case for an effective, overall BCM solution but perhaps more difficult to justify one for DR as a standalone entity.

“You need to assess how much will be lost by the organisation in the event of a system failure. That amount multiplied by the probability of the risk being realised delivers the budget for the solution. It is important to draw the distinction between both because as technology has progressed, the support for BCM now allows the easy support of DR. The biggest mistake an organisation can make is setting out to build a DR solution without taking into account business continuity,” she said.

Cloud brings disaster recovery to the masses

Cloud technologies have made disaster recovery easier and more accessible for organisations of all sizes. But they can also foster complacency and lead to security risks, writes Deirdre Cashion

Disaster recovery (DR) was traditionally seen as beyond the reach of most small and medium-sized organisations in terms of cost. But advancements in public cloud technologies in particular, have changed the DR landscape forever.

“We’re seeing a huge uptake in disaster recovery by the SME market simply because it’s more accessible, more user friendly, easier to set up and most importantly more affordable,” said Darragh Canavan, sales operations manager with online backup and disaster recovery provider, KeepItSafe.

“Traditionally, DR involved a big capex cost with upfront spend required for hardware but now DR has become a service and a lot more attractive,” he said.

Canavan believes that organisations are moving beyond traditional backup solutions such as tape and hard drives to full blown, online DR, recognising the fact that they can’t afford to be without mission-critical business applications and services for an extended period of time.

Estimated hardware rebuilds stand at anything from two to five working days but with DR as a service, clients can be back up and running in a fraction of that, eliminating the risk of lost business, reduced staff productivity and reputational damage.

“A lot of organisations will say an acceptable recovery point objective (RPO) for us should be on an hourly basis. But for more critical databases they may have a 15 minute RPO,” said Canavan.

“If you have an onsite failover, you can be back up and running within 5 minutes. If you have a full site disaster, you can be back up within two hours. It really depends on how many servers you have and the nature of the business. We sell our solutions based on the recovery time objective (RTO) or how quickly we can get you back operational,” he said.

With KeepItSafe’s DR as a service – incorporating onsite and offsite replication and failover – starting at €250 (RRP) per month for one server and economies of scale kicking in as servers are added, it’s not difficult to see why smaller organisations look to the cloud as a realistic and affordable option.

Pat Larkin, chief executive with Ward Solutions also acknowledges the role that the cloud has played in bringing DR to the masses but strikes a note of caution.

“Cloud has made DR solutions much richer and more accessible. But the danger is, people look at it as a panacea. One thing we could caution them to do is to look at the security challenges. It’s got to be fit for purpose,” he said.

Larkin has come across scenarios where organisations believe that by putting a few virtual servers into the cloud and replicating the data, their corporate obligations in relation to DR are fulfilled. But many fail to consider even the most basic security questions.

“While the cloud provides a very neat solution, you still need to apply an appropriate level of diligence and a systemic approach,” he said.

“Is the data securely transferred, both on transfer and at rest in the cloud? Is it a public or private cloud? How are users authenticated? Is the cloud provider meeting regulatory requirements? Where is the data resident and where is it replicated to? Are you coming under safe harbour obligations?

“If these systems are on premise right now and you put them into the public cloud, there might be a greater level of exposure than your own security infrastructure. So as you spin it up, it’s almost like spinning up your information systems in a shop window,” he said.

Angela Madden, managing director with Rits Information Security Specialists also points to the risks of including cloud services as part of any business continuity or DR strategy.

“If an organisation includes cloud services as part of their BCM and the cloud provider is affected, i.e. is the target of a denial of service attack or goes out of business, then the organisation will be significantly affected in terms of its ability to continue business operations as normal or to initialise business continuity management,” she said.

“The other element to be aware of is where an organisation attempts to recover data from the cloud to an alternate location. Bandwidth availability, encryption of data and access to keys (potentially held by the cloud provider), jurisdiction and compliance with data protection requirements – if you move your data out of Ireland or the EU – have to be carefully considered,” she said.

Larkin believes that best DR practice is an ongoing process, which requires continuous review, assessment and learning.

“You need to verify, trust and verify. Verify that it is what it says it is and delivers the service as promised. You trust for a while and re-verify. The acid test is whether you can live run off your DR solution. If you can’t, it begs major questions of your DR strategy,” he said.