Disaster Recovery – you get what you pay for. Be Informed.
Over recent days and weeks I’ve been reminded yet again about the cost of keeping business-critical computer systems and the data they contain safe and available.
Every business makes a decision about two things when it comes to investing (money and time) in keeping their I.T. systems available and their data safe. They weigh up how much data they are prepared to lose in the event of a disaster (a Recovery Point Objective – R.P.O.) and how much time they are prepared to lose during the disaster (a Recovery Time Objective – R.T.O.).
The cost of reducing these two values rises exponentially.
Whether this is a conscious, informed and proactive decision or an unconscious or reactive acceptance of the default consequences of a disaster, whereby “we do what it takes if and when something goes wrong”, a decision is made.
There is really only something wrong with the latter approach if it is unconscious. Deciding to invest very little time and money into protecting your systems is certainly valid if you have in fact assessed it and are willing to wear the cost when the threat materializes. That is OK as long as you know you’re doing it.
So the process of making an informed decision involves:
1. Identifying what systems you need to protect and have available. (E.g. Email, Internet Access, key databases, network connectivity for all staff, remote access, business applications like Constructor… – the answer will vary for every business).
2. Choosing an R.T.O. and R.P.O. you’re comfortable with for these systems. (Some will say, it’s ok to lose a day’s work, but I want to be up and running again in an hour, others may say, I can wait until tomorrow, but I don’t want to lose any data.)
3. Next, identify the components (tangible and non-tangible) necessary to have these systems running. (Hardware, support agreements with suppliers and availability and education of staff, databases, Internet Connections and so on.)
4. Identify some practical threats to the availability of these key components. These threats might range from a flood or fire, a theft, a power outage, a failed hard drive, a failed motherboard, someone spilling coffee on the server, employees leaving your company, a contractor digging up a cable outside your building or a meteor shower hitting your city – everyone’s idea of a practical threat is different, right?
5. Determine what measures need to be taken to recover those components identified in step 3, against the events identified in step 4.
6. Calculate the cost of implementing those measures.
7. Does that match your available budget – if not, go back to step 2 and reassess your goals.
8. Once you’re happy with the measures and the cost, test it.
As a test, revisit some of the threats in step 4 – do the measures you have in place recover those components within your desired RTO and RPO goals?
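The check in steps 7 and 8 can be run as a simple gap analysis over the plan. The following is an added example, not part of the original post; the class names, the `gap_analysis` function and every system, measure and figure in the sample plan are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Target:            # step 2: goals per system, in hours
    rpo_h: float
    rto_h: float

@dataclass
class Measure:           # step 5: one recovery measure
    name: str
    covers: frozenset    # step 4 threats it recovers from
    data_loss_h: float   # worst-case data lost (e.g. hours between backups)
    restore_h: float     # time until the system is usable again
    cost: float          # step 6

def gap_analysis(targets, threats, measures, budget):
    """Steps 7 and 8: return (findings, total_cost, within_budget)."""
    findings = []
    for system, goal in targets.items():
        for threat in threats:
            usable = [m for m in measures.get(system, []) if threat in m.covers]
            if not usable:
                findings.append((system, threat, "uncovered"))
            elif not any(m.data_loss_h <= goal.rpo_h and m.restore_h <= goal.rto_h
                         for m in usable):
                findings.append((system, threat, "misses goal"))
    # Each measure is listed once, under the system it protects.
    total = sum(m.cost for ms in measures.values() for m in ms)
    return findings, total, total <= budget

# Constructed sample plan (all names and figures are illustrative assumptions).
TARGETS = {"email": Target(24, 24), "key database": Target(1, 4)}
THREATS = ["failed hard drive", "fire"]
MEASURES = {
    "email": [Measure("nightly on-site backup",
                      frozenset({"failed hard drive"}), 24, 8, 2000)],
    "key database": [Measure("nightly off-site backup",
                             frozenset(THREATS), 24, 8, 3000)],
}

if __name__ == "__main__":
    findings, total, ok = gap_analysis(TARGETS, THREATS, MEASURES, budget=4000)
    for system, threat, status in findings:
        print(f"{system:13} {threat:18} {status}")
    print(f"total cost {total}, within budget: {ok}")
```

Any finding, or a total over budget, sends you back to step 2 to reassess the goals or to step 5 to change the measures.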
Also remember that for each incremental improvement in RPO and RTO (that is, losing less time and recovering more quickly) the cost increases significantly – exponentially.
For example, the cost of the measures required to improve your recovery time from 2 days to 1 day won’t be that high – probably just better backups, maybe some more storage and a little more time monitoring those backups. However, the cost of improving from 1 day to half a day may involve extra staff, better hardware or some very powerful backup software and the expertise to run it. Furthermore, the cost to improve your recovery time even further, say, to 15 minutes, probably involves replication of data to another server, or depending on what factors you’ve identified as threats to your systems, maybe another physical site.
It is also important to realise that disaster recovery planning is not a task, it is a process. The tasks identified above should be repeated regularly. The systems you use change, the importance of various components of your systems changes over time and the level of investment you can make also changes. The importance of a fast, reliable Internet connection, for example, is far higher now (and therefore far more worthy of investment) than it was 5 – 10 years ago. Connectivity of devices is far more important than it was even 12 months ago. The list goes on…
So, brainstorm all this. Arrive at an informed decision that suits you, then repeat…