The dangers of backup – how to lull your business into a false sense of security
Tue 7 Jun 2016
Mark Whitehead, GCI, details why businesses of all sizes need to have some kind of disaster recovery plan and data backup service in place should disaster strike…
Many businesses are in a state of backup denial. Nearly all enterprises have some kind of backup in place these days, as it’s been drummed into everyone that it’s an essential. However, very few have taken the next step of understanding why they need these backups, or to put it another way – when and how will you access these backups?
There’s a prevailing head-in-the-sand mindset, wherein people think: “It simply wouldn’t happen to me, or it can’t happen to us”, and that mindset is demonstrated by the technology that has been used by a lot of businesses for their back up in their disaster recovery services.
This approach is the reason that around 70% of businesses are only backing up to tape – it’s a bit like watching video on VHS or Betamax, while the rest of the world around you is streaming videos over the internet.
Unfortunately, as a Managed Service Provider that offers IT support services, we find it’s often a continuation of the old adage: 80% of alarms are fitted to houses immediately after they’ve had a break in. Businesses tend to sleepwalk into difficulties, and then get very serious after they’ve been bitten.
The biggest misconception with disaster recovery, is that it’s just about data
When you look at extreme weather caused by climate change, like the levels of flooding that are now occurring in unusual places, and then load in the other potential risks, enterprises have no excuse for a poorly prepared Disaster Recovery plan. We all face such a range of threats these days, from the media favourites of hardware and software malfunctions, malicious attacks, rogue staff, but then the more mundane too, basic everyday human error.
A good example is the 123reg incident, where a typo in a maintenance script and some bad timing meant the popular host wiped clean 67 of the company’s 115,000 servers, consequently knocking hundreds of websites offline. The company apologised to customers, but pointed out: “Our VPS product is an unmanaged service and we always recommend that customers implement backups to safeguard against unexpected issues”. From the concerned tweets that were seen that day, we can assume that some businesses took that step.
Now the biggest misconception with disaster recovery, is that it’s just about data. Of course, data is important, but there are two fundamental parts to a good DR solution. Data, and the applications that use it – the applications that run your business’ critical processes. So whether that’s your Customer Relationship Management (CRM) system, your billing system, your stock management system, or the processing system, those apps are the critical cogs in your business, so they’ve got to be safeguarded properly as well as the data they generate.
After a major disaster one in four businesses was still struggling two years later
The point is that DR is not just about backup, nor a single point failure, but a more holistic overview of both applications and data. On the data point, we did some very illuminating research into the 2005 Buncefield disaster in Hemel Hempstead. A fuel depot exploded catastrophically, creating the UK’s biggest peacetime blaze, which took days to extinguish. There was a business park nearby, and the huge fire affected 620 businesses, and thousands of staff at the time. However, fast forward two years from the fire, and 25% of those businesses were still struggling as a direct result. The reason wasn’t because their buildings had been damaged, and windows blown out; it was because they’d lost their data.
It’s a big, big message; after a major disaster one in four businesses was still struggling two years later. So do most businesses know the cost of downtime vs the cost of a rigorous DR solution? No, I don’t believe they do.
The solution must address the ability to safeguard data and applications, and must be truly enterprise grade, like the solution we have with Datto. If the hardware fails with a Datto solution, then the software effectively automatically self-heals, virtualising the application environment. What that means in plain English is you actually wouldn’t notice any interruption to normal business services. Back at our Managed Service Provider operations center, we’ll get a ticket, a flag, or show on a board that the hardware has failed so we can fix it, but from your business process point of view, it’s invisible.
The disaster recovery plan needs to take into account all sorts of devices, not just your laptop, desktop, mobile phone and smart devices
From a pure backup point of view, you’re not fiddling around with tape in a manual process, but restoring from a master backup which is updated on a timed basis. The first time you install Datto it backs up everything, but after that just updates any changes – so it’s effective, conservative on bandwidth usage, efficient, and gives you really quick restore, if required.
Of course, coming up with a solid DR plan in the first place is critical, and we believe that the best DR plans are developed in partnership. Again, it’s back to partnership; the service provider with their extensive experience, the vendor with a great product, and collaborating with the customer to understand what the specific challenges are. Of course, that’s as varied as you can imagine – how many sites are you protecting, how many mobile workers, etc – and one size certainly doesn’t fit all! The disaster recovery plan needs to take into account all sorts of devices, not just your laptop, desktop, mobile phone and smart devices. You’ve got to make sure that it’s covered everything.
One final point, perhaps the most obvious, but often overlooked, is that the internal stakeholders need to be familiar with the disaster recovery plan. Without this final step, you’re still all at sea, which is probably no better than denial!