IT Directors Disaster Recovery & Availability Summit 2010

What is disaster recovery?

Disaster recovery is a service that allows organisations to continue operating after a disaster or a disruption.

The aim is to ensure that key personnel have access to the organisations' computer systems and critical information if the company is affected by some sort of disaster. Disasters can be caused by natural elements such as fire or flood, by human errors or mistakes, or by a computer virus or hacker.

Naturally in the event of a disaster it is not only the network that needs to be recovered, but also several other systems and processes. This is known as business continuity. [http://en.wikipedia.org/wiki/Business_continuity]

To illustrate, a taxi driver generates an income by driving his taxi. Every year he pays an insurance policy to ensure that in the event that his car is stolen, has a crash or the car is somehow immobilised, he can still have access to a loan car of some kind. This ensures that whilst his car is being replaced or repaired, he can still earn a living. He hopes that he will never have to use this policy but it is an important safeguard.

Disaster recovery plans are often seen as a subset of business continuity planning which is a process. A contingency plan should be drafted in order to ensure that a business can continue to operate if a disaster occurs.

While the notion of disaster recovery seems quite dramatic, a disaster as outlined above can be anything from an earthquake, fire or flood, to malicious damage caused by a computer virus. There have also been instances of damage caused by disgruntles employees and by thieves.

The future of disaster recovery

The market for disaster recovery services is continuing to grow. Catalysts such as the events of 9/11 and terrorist attacks in the UK make companies increasingly aware of how potentially vulnerable they are. The market for disaster recovery services has always been healthy in the UK primarily because of potential attacks by the IRA and other terrorist organisations in the 1970s, 80s and 90s.

Terrorism is not the single driver here, there have been issues caused by floods, major power outages and in some countries, earthquakes and hurricanes. We often read of natural disasters both in the UK and globally, so it does demonstrate that a contingency plan is needed for all organisations.

Why disaster recovery

Traditional disaster recovery systems are reliant upon individuals backing up [link to backup] data from a computer or network on a daily basis. This would normally be to tape (rather like an old fashioned cassette but able to store more information). Because backups are taken daily, it is possible to lose up to 48 hours worth of information and work. Coupled with the length of time it might take to rebuild and restore a network, this could lead to frustration by employees and customers.

Disaster recovery is needed for a number of reasons:

e">If a company is unable to trade or continue to do business even for just a day the results can sometimes be potentially catastrophic.
The inability to access vital information.
The impact upon an organisations' brand.
The impact upon a company's reputation.
Loss of customers.
Potential drop in share value of a publicly traded company – loss of sales = loss of profit.
A company may need to comply with data retention laws and potential penalties for breach. Losing such information due to a disaster will not be an excuse for failing to comply (see link: Go Understand Data Archiving).
Cost of advertising to reassure customers of the longer term prospects of the company.

Key statistics

Some important statistics should be noted:

90% of businesses that lose data from a disaster are forced to shut down within two years of the disaster.
50% of businesses experiencing a computer outage will be forced to shut within five years.

(Source: London Chamber of Commerce http://www.londonchamber.co.uk/)

20% of all companies will suffer fire, theft, flood or storm damage, power failures, terrorism or hardware/software disaster at some point during their operation. Of those without a business continuity plan:

43% will never re-open,
80% fail within 13 months,
53% of claimants never recoup the losses incurred by a disaster.

(Source: Aveco http://www.aveco.com/)

Less than 50% of all organisations have a business continuity plan in place.
43% of companies that do have a business continuity plan do not test it annually.
80% of companies have not developed any crisis management to provide sufficient IT coverage to keep the business functionally effectively.
40% of companies that have crisis management plans do not have a team dedicated to disaster recovery.

(Source: London Chamber of Commerce http://www.londonchamber.co.uk/ )

Types of disaster recovery services
Disaster recovery specialists such as Share (www.share.org) have developed methodologies such as the Seven Tiers methodology, to demonstrate ways of recovering computer systems that have been affected by a disaster of problem. The aim is to easily demonstrate how a disaster recovery service can be used to support an organisation from a business continuity perspective.
The Seven Tiers methodology is worth evaluating by companies that are in the process of reviewing their a Disaster Recovery plan as it outlines what types of services are available, and what is the most suitable according to an organisation's needs and naturally, budget.

These are the tiers demonstrated by the Seven Tier Methodology:

Tier 0

Organisations that have no disaster recover plan or any saved information are described as Tier 0. At such point it may be impossible to recover any information at all and indeed to recover as a business entity.

Tier 1

Organisations that implement a Tier 1 recovery plan backup their data and send it to an off-site storage facility. This ensures that in the event of a disaster, the information is recoverable but there are no computer systems on which to download the information. It should be noted that the information retrieved may be several days old.

Tier 2

Organisations that implement a Tier 2 system, backup their data regularly but combine this with an off-site facility and a 'hot-site' (*1). This enables organisations to restore their computer systems relatively quickly. As above, the information may be several days old but there will be computer systems in place in which to continue working.

Tier 3

Tier 3 is often referred to as electronic vaulting. This includes the elements outlined in Tier 2 but some mission critical (link to relevant glossary) information is sent automatically to an off-site or remote premises ensuring that the information is generally more up to date.

Tier 4

Tier 4 is used by organisations that require faster recovery than Tier 0-3 can provide. This form of disaster recovery ensures that far more information is backed up but still may require the recovery of several hours of information rather than days of information.

Tier 5

Tier 5 solutions are used by organisations that need to have very little data loss in the event of a disaster.

Tier 6

Tier 6 is implemented by organisations that require the vast majority of their information and systems to be completely up to date.

Tier 7

Tier 7 is similar to Tier 6 but the process is fully automated allowing systems to be restored extremely quickly and easily.

Data recovery

Data recovery is a sub-set of disaster recovery. It is a service provided by a specialist technology company that can recover the information held on a hard disk that has been damaged or has failed in some way.

What can I expect to gain by implementing a disaster recovery service?

This is a particular conundrum as it may well be that you will never be required to use the disaster recovery service and you hope very much that you will never need to.

However, in the event of a catastrophic incident, it could potentially pay for itself many times over. To illustrate, a taxi driver can see that paying hundreds of pounds for an insurance policy that he (hopes) will never be used over period of years is potentially wasted money. But what happens if he has the need to invoke this policy but has not paid up?

In this case, you will only ever recognise any financial benefits in the event there is a disaster. [link to the statistic quoted from the London Chamber of Commerce]

What type of organisations would benefit from disaster recovery?

All organisations ideally should have some sort of disaster recovery plan. This may be as simple as having a backup of key information at a third-party's premises, such as home, a friend etc. For larger organisations, more complex recovery plans are usually required.

It should be pointed out, that even for small companies and individuals working from home, they should copy critical information and store it perhaps with a friend or similar. Keeping a copy at home or on site can be useful but in the event of a fire or flood, it can be destroyed.

Benefits of disaster recovery

Organisations can gain a number of benefits by implementing a disaster recovery plan.

Disaster recovery plans ensure that legislation and compliance issues are adhered to. Many organisations have to comply with strict codes of conduct or face being fined. These include banks and other financial services organisations as well as legal practices and organisations that retain medical records.
Prevent financial loss. The inability to be able to generate sales even for 24 hours can be catastrophic. This will not only impact upon revenue streams but can have a major impact upon cash-flow.
A disaster recovery programme can prevent loss of credibility and goodwill.
It will ensure that staff will continue to be paid. There is nothing as de-motivating to your personnel as not being paid!
It will ensure that the organisation's services and production can continue.
A disaster recovery programme will prevent the loss of important operational information (link to Go Understand ERP and CRM).

Potential pitfalls

Data must be backed up regularly. It should be an automated process otherwise it will be a wasted system. There is very little point in having a disaster recovery plan in place when the archived data is so old that it has little or no practical value.
You must ensure that a data and disaster recovery plan is drafted and implemented.
Key personnel must know what to do in the event of a disaster.
Disaster recovery planning can be labour intensive and key personnel would need to be involved.

Six steps to successfully buying a disaster recovery service

Step one

Identify the needs of your organisation and your users.

Do I need daily backups?

Do I need all of the data on my network to be backed up?
What system do I require for making those backups? (link to: Go Understand Data Archiving)
Do I need a hot-site (link)?

Are there any requirements that a particular group may need? Don't take anything for granted.
What information must be saved at all costs?
Who will conduct the backup and how often?
Where will these backups be kept?
What systems best suits your needs and budgets? (link to types of disaster recovery services)
Analyse the potential risk and which departments' information is vital.
Who has overall responsibility for the plan?

Step two

Identify your needs for a disaster recovery system.

What equipment will I require? Will I require tape or another media to backup to?
How much will it cost?
How much will it cost to maintain and support?
Consider future options – you may be looking to open another office or expand your current operation. As a result you will need to ensure that whatever you purchase now will be able to meet your future requirements.

Step three

Identify the right supplier.

Use the search box on the right hand side of this page.
Look through magazine and online reviews.
Talk to others who have recently installed an e-mail archiving solution in the same area as you.
Use forums, networks and personal contacts to obtain recommendations.

Ask questions such as:

Who has the experience of working with a company of the same size and profile as yours?
Are any of those suppliers local to where you are located?
How many similar installations have they made?
Ask for references – ensure that the company is capable and reliable.
Talk to a couple of their customers in order to see what benefits have been gained and what pains those customers went through when installing the system.
Obtain a credit check through ICC Credit directly from within your chosen supplier's listing in Conjungo to ensure that they are financially stable.

Step four

Request a detailed proposal from three or four of your preferred suppliers.

Set a deadline for when you need the proposal back.
Give out details in advance as necessary to ensure that the suppliers you have selected can give you the best proposal.
Go and meet them in person – get a good feel for whether you will be able to work with them.

Step five

Select a supplier.

Who best demonstrates that they understand your business and your requirements?
Is the solution flexible and scaleable and therefore able to meet future demand? You don't want to find out later that by investing a little more money now you could have saved money in the long term.
Is it cost effective? Have they shown how and where you will save money?
Does it clearly demonstrate the functional benefits – rather than just listing particular features? Does the proposal clearly show what the benefits are? There is no point on spending money for a system full of features that are of no benefit or that you will never use!
Have you spoken to a couple of your preferred suppliers' customers?
Agree on financial terms - Will the service be payable monthly or annually?

Step six

Implementation, testing and go live

Install the new system. Only when you are entirely satisfied should you pay any balance outstanding on the invoice. This way, if there are any problems, your supplier will sort them out as a matter of urgency.
Don't forget to account for user training!

Points to remember when implementing a disaster recovery system

There are many types of disaster recovery plans and services. These range from the simplest solution like keeping a backup of data on a single PC, to others which use a service that automatically backs up all information across networks, with a supporting infrastructure to allow full operational capability when disaster strikes.

You will need to structure a data retention policy. This must be constructed with the input of legal, HR (Human Resources) and IT departments. If your organisation does not have this infrastructure, then you should take specialist advice. This should be supported by an Acceptable Use Policy (link to Go Understand Content Filtering).
You must chose a service or system that best meets your requirements and budgets.
The disaster recovery plan must be taken seriously.
The contingency plan or business continuity plan needs to be developed by all key operational areas of the company.
The plan should include a list of potential incidents that could occur, no matter how unlikely. These can be identified by carrying out a risk assessment (http://www.hse.gov.uk/pubns/indg163.pdf)
The next part of the plan is to prioritise which departments and information should be able to access the information first. For example, this may well be sales and support functions as they are revenue generating.
Key individuals need to be allocated against each activity and they should know what to do in the event of a disaster.
Once the plan has been developed, it must be tested in order to ensure that it is feasible.
Key personnel should be well trained so that they can react immediately to any major issues.
Any changes made to the plan must be communicated and potentially tested in order to ensure that everyone is comfortable with their roles and responsibilities.
Finally, the plan needs to be kept up to date and take into account changing circumstances e.g. people leaving, joining the organisation and new IT systems being put in place.

Conclusion

A disaster recovery system or service is a necessary function of a business and of any IT department. The costs for not having a contingency plan in place can be extremely high even to the point where a company can actually go out of business.

There are many types of service and products to help companies to be able to plan and have a system in place that will meet most budgets.

Glossary of Terms
*1 Hot-site. A hot-site is a separate facility that can be used or relocate to in the event that a disaster occurs. This means that all of an organisation's computer systems can be accessed at the hot-site. The hot-site should have a copy of the data and a computer network in place that enables the company to continue operating. The hot-site will also be able to provide telephones, PCs and furniture required to continue operating.
Disaster Recovery - FAQ's

What is a disaster recovery system or service?

Disaster recovery is a service that allows organisations to continue operating after a disaster or a disruption.

Why do I need it?

Quite simply, if you don't have one it can seriously damage your company's reputation even to the point where it can go out business.

What procedures should I put in place?

You will need to ensure that a data retention policy is in place. This needs to be written by HR, IT and legal departments or by a specialist organisation.

How will I know what to backup?

Every department will place a 'value' on their information i.e. what should be stored. What is important to one person may not be to someone else. As a result, you must involve all those elements within a company and agree on what should be retained. From an administrative perspective, that person must be fully capable of recognising the 'value' of that information.

From that point, you can decide what to keep, what to delete or what to purge.

What are the implications of not having a disaster recovery service or plan in place?

The result can potentially put your company out of business. Statistically, the majority of organisations' without such a service or system will fail if they are impacted by a disaster.

Is it expensive?

This depends on the size of organisation and its' operational requirements. Some companies really need a mission critical, water-tight service. Others really just need to take regular (daily if possible) copies of data on the network or PC and retain this in a safe place. It is still worth investigating the services available as there are many solutions that are very cost effective.

Is it something that I can install myself?

This depends on your needs, but yes it is possible to install it yourself. Generally, however, disaster recovery works as a service so it is still worth investigating.

What is data recovery?

Data recovery is a service that allows information that has been stored on a hard drive to be retrieved, even if the hard drive has been damaged or broken.

How do I find the right vendor or reseller?

Conjungo [link] is a great starting point because it will let you search for a supplier according to your location, company type, size and whether they have the right accreditations. Furthermore, Conjungo is completely unbiased, lists most of the major vendors' resellers and it is free to use.

Is a data archive easy to use?

It should be! Depending on the system users should be able to access the information easily.

What about the Data Protection Act?

You must be particularly careful with certain records, for example, employee details should be kept secure (with HR) in order not to contravene the Data Protection Act.

How will I know if my organisation is regulated in some way?

You can either ask your lawyer, accountant or potentially a trade body that deals with your type of company.

Do the regulations and codes of practice apply to small companies?

Small organisations need to be aware of all of the issues and codes of practice that might have an impact on their company. The law applies to all organisations regardless of size.