Weathering the storm with Business Continuity and Disaster Recovery (BCDR)

May 17, 2023 | Oro Marketing

Sometimes it can feel like there are a million different threats to your business operations. Everything from natural disasters and unexpected power interruptions to the ever-present threat of rapidly evolving cyber attacks hell-bent on taking all of your vital systems and defenses offline. Add to this the fact that customers expect maximum uptime from your processes, and you’ve got the recipe for a potentially difficult business environment.

But it is possible to survive and even thrive. A bulletproof BCDR plan that defines your vulnerabilities and implements guidelines on how to minimize their effects is vital to your organization’s resilience. In this article, we’ll cover why BCDR is so important, as well as the steps you can take to develop and execute one properly.

Why Business Continuity and Disaster Recovery is critical for the modern enterprise

Data is like oil in the digital era. It is so vital to daily operations that operating without a BCDR plan in place could fundamentally alter your organization for the worse.

BCDR helps the organization recover critical business functions

Unplanned downtime and disruptions are a normal part of doing business, especially when most businesses are powered on a wide variety of different infrastructures, IT and otherwise. However, if left untreated over a certain period of time, the disruption can have a significant impact on maintaining continuous business operations, which can, in turn, have major financial, reputational, and compliance impacts.

What’s worse is that the combination of these three problems can have compounding effects. For example, a cyber attack could lead to the leak of PHI (patient health information). The breach in your systems by a ransomware attack also breaches HIPAA regulations on sharing sensitive patient data.
You not only have to pay the ransom as well as regulatory fines, but you also have to deal with the loss of revenue from a loss of trust in your organization’s reliability, stability, and security.

A well-thought-out business continuity plan focuses on the seconds, minutes, hours, and days that you have to resume business after a disaster or a disruption. That means they need to be plotted out thoroughly and well in advance prior to the unexpected event. With the domino effect of a disruptive event costing hundreds of thousands to millions of dollars, it is paramount to employ BCDR strategies that minimize data loss, recover operations, and ensure vital business processes.

BCDR means accelerated recovery time

The time between disruption and getting all systems up and running is critical. When one second can be the difference between life or death for your organization, it’s easy to see why having a BCDR plan ready to go in the event of a disaster shouldn’t be an option but a necessity.

Thorough business continuity planning is proactive and involves business impact analysis teams conducting rigorous tests to exploit potential vulnerabilities across all departments. Well-executed strategies showcase BCDR initiatives reducing the amount of time needed to recover from disruptions by providing the necessary backend technology.

Close cross-departmental collaborations and transparency can help recover from disruptions faster and more efficiently. The downstream effects include reduced downtimes, decreased loss of data, and greater overall resilience.

A disaster recovery plan reduces the risk of a cyber attack and data loss

From a customer information perspective, data is the lifeblood of your business. Unexpected disruptions can leave sensitive data unprotected and vulnerable to a data breach via an external cyber attack.
With the threat of ransomware, data breaches, and other cyber threats growing every day from the sheer volume of attacks as well as the sophistication of how attacks are carried out, organizations need to be constantly vigilant.

Disruptions enable tactics like data exfiltration to occur more easily as preventative mechanisms like authentication/authorization and end-point detection are not available. Well-defined and executed BCDR plans account for these protective defenses going offline and use strategies like regular and robust data backups and recovery mechanisms to minimize the impact of a breach.

By implementing BCDR, the business can significantly enhance the security posture of its sensitive data while minimizing long-term impacts.

The components of bulletproof Business Continuity and Disaster Recovery

Seamless BCDR plans include information on the specific backups needed during and after the disaster, details on how to communicate with key stakeholders, and how to test and refine the entire BCDR process. But first, it will be important to take stock of your current vulnerabilities and the kinds of threats that might disrupt their proper functioning.

1. Risk Assessment

The initial starting point for BCDR is to take an inventory of all critical elements and functions.
For companies that deal with software specifically, it will uncover specific vulnerabilities across network infrastructure, hardware, software, cloud services, and other data:

Hardware
- Vulnerability: Outdated devices and/or legacy systems
- Threat: Device theft

Software
- Vulnerability: Outdated operating system (OS)
- Threat: A ransomware attack

Network Infrastructure
- Vulnerability: Lack of encryption
- Threat: Cyber-attack

Cloud services
- Vulnerability: A misconfigured cloud environment
- Threat: Data and cloud network breach

Mission critical data
- Vulnerability: Business-critical data needed for continued operations
- Threat: Downtime

Identifying each asset and understanding the possible threat that could disrupt normal business operations will give you a better idea of what you need to prepare prior to anything getting disrupted.

Conducting an impact questionnaire and surveying your senior management team can be an effective way of organizing and discovering all of the critical components that play key roles in keeping the organization up and running on a day-to-day basis.

Performing the assessment will also help to uncover the likelihood and what kind of impact a threat could potentially have. This will allow you to prioritize the appropriate strategy to focus on.

2. Backup metrics

The next component of an optimal BCDR plan is to determine your backup strategies for business continuity. The two main areas of this will include figuring out your Recovery Time Objective (RTO) and your Recovery Point Objective (RPO), as these metrics will help identify and analyze how long you can continue operations without having to stand up your normal IT infrastructure.

Recovery Time Objective

Your RTO is the maximum amount of time your infrastructure can be down after a disruption occurs before major consequences set in. It can be calculated by adding up the total amount of time it takes to successfully execute each step to bring the business back and recover from a disaster.
Since each of these steps needs to be adjusted properly and requires the specific tools and the right permissions, it can take some time to configure ahead of time. Steps can include:

- Bringing servers back online
- Making sure storage devices are working
- Bringing in network devices from secondary locations
- Restoring mission-critical data
- Having emergency work locations for critical staff

For example, if an outage occurs at midnight and it takes until 6:00 am to complete each step to become fully operational again, the recovery time is six hours. Comparing this length of time to existing service level agreements (SLAs) will allow the organization to see if its processes and efforts are efficient or need to be improved.

Recovery Point Objective

Your RPO, on the other hand, is the maximum amount of data loss after a disruption that your organization can manage before data loss is simply irrecoverable. This metric tells you how resilient your organization would be against a cyberattack that breaches sensitive information.

It is expressed as the amount of time that you have to recover data. For example, if a backup occurs at noon, 12:30 pm, and 1:00 pm, your RPO is set at 30 minutes. A backup occurs every 30 minutes, and any data lost within the half-hour time frame is manageable.

While it is good to calculate your RTO and RPO ahead of time, you will want to put your infrastructure through some stress tests to determine whether or not it is equipped to handle a sudden unexpected event. This can involve on-site and off-site data centers as well as a number of different kinds of backups, including full backups, incremental backups, and differential backups.

2. Alternative infrastructure

The largest companies stay successful because they can quickly pivot and stand up alternative worksites and infrastructures relatively quickly. But with the right BCDR strategies set up well ahead of time, you can set up a process that rivals what the largest conglomerates can do.
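
The RTO and RPO checks from the backup metrics section, as an added example that is not part of the original article: it measures recovery time from a drill record and finds the longest gap between successful backups, then compares both to targets. The timestamps, the failed 12:30 job, and the 8-hour RTO are constructed assumptions; the step names, the midnight-to-6:00 recovery, and the 30-minute RPO follow the article.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
def ts(s): return datetime.strptime(s, FMT)

# Constructed drill record (sample data, not from the article).
OUTAGE = ts("2024-01-10 00:00")
DRILL_STEPS = [  # (step, started, finished)
    ("Bring servers back online",     "2024-01-10 00:20", "2024-01-10 01:30"),
    ("Check storage devices",         "2024-01-10 01:30", "2024-01-10 02:15"),
    ("Bring in network devices",      "2024-01-10 02:15", "2024-01-10 03:45"),
    ("Restore mission-critical data", "2024-01-10 03:45", "2024-01-10 06:00"),
]
# Constructed backup job log: (finish time, job succeeded?)
BACKUP_LOG = [
    ("2024-01-09 12:00", True),
    ("2024-01-09 12:30", False),  # failed job leaves no restore point
    ("2024-01-09 13:00", True),
    ("2024-01-09 13:30", True),
]

def recovery_time(outage, steps):
    """Elapsed time from the outage to the end of the last recovery step.
    Measured from the outage, so detection delay before step 1 counts."""
    return max(ts(end) for _, _, end in steps) - outage

def worst_backup_gap(log):
    """Longest interval between consecutive successful backups: the most
    data, measured in time, that a disruption could cost."""
    good = sorted(ts(t) for t, ok in log if ok)
    if len(good) < 2:
        raise ValueError("need at least two successful backups")
    return max(b - a for a, b in zip(good, good[1:]))

def evaluate(outage, steps, log, rto, rpo):
    rt, gap = recovery_time(outage, steps), worst_backup_gap(log)
    return {"recovery_time": rt, "rto_met": rt <= rto,
            "worst_gap": gap, "rpo_met": gap <= rpo}

if __name__ == "__main__":
    # Assumed targets: 8 h RTO (hypothetical SLA), 30 min RPO as in the text.
    report = evaluate(OUTAGE, DRILL_STEPS, BACKUP_LOG,
                      rto=timedelta(hours=8), rpo=timedelta(minutes=30))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With this sample data the drill meets the assumed RTO, but the single failed backup job stretches the gap between restore points to an hour, so the 30-minute RPO is missed even though the schedule itself is correct.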

Executing alternative infrastructure involves having backup data centers or even cloud-based infrastructures where your critical functions can be shifted over in the event of an unexpected disruption. Alternative worksites, power generator backups, and other components to ensure business continuity will also be critical.

3. Communications

Communicating your issues to key stakeholders, employees, or the public can put you in a tight spot and make you look foolish. On the contrary, not properly communicating can make problems hundreds of times worse than they already are.

An effective BCDR plan includes an optimized communications and PR strategy in the event of a major disaster. They should outline:

- Communication channels and how to specifically message different stakeholders—internal and external—in the event of a disruption.
- How the organization communicates with employees, customers, upstream and downstream suppliers, as well as any other vital partners with a vested interest in the continued success of the business.
- The kind of messaging that is used, and the kind of tone involved. This can make all the difference when your goal is to instill confidence in the company.
- Outlines of who will be responsible for communicating and what channels they will use.

Monitoring and updating these plans through different stages of business continuity and disaster recovery is critical to keeping everyone informed of what they need to know and how they can act accordingly.

4. Tests and refinements

Getting your BCDR plan off the ground with unanimous buy-in will require ongoing tests and refinements.

Test and refine disaster recovery on a regular basis

Planning means nothing without testing. Testing BCDR solutions is one of the most critical steps in making sure that what you are doing runs efficiently and in step with your SLA contracts.
If you put your BCDR plan through a stress test and it fails, you will want to have a deeper conversation and analysis around what went wrong and pinpoint why the specific solution did not work or did not work in the amount of time required.

Remember, these plans are not a one-and-done solution. They need to be constantly refined to stay in step with the current threat possibilities of the day. This could involve setting up a full-time business continuity and disaster recovery team and regular testing schedules. This can be structured according to how you define testing, including:

- What is the purpose of the test?
- How can the test be measured?
- What defines success?
- Detailing what made it a successful test.
- What the implications for a successful result are.
- What the implications for a failure are.

Testing might take the form of drills, simulations, and tabletop exercises meant to test plan efficiency and effectiveness. It can also be used to discover vulnerabilities in all aspects of routine business operations, including emergency workstation setups and employee understanding of key roles and responsibilities during a business disruption.

An ongoing approach to BCDR work will result in an airtight course of action when disaster does strike. Assume that it will, and have your processes and systems in place for when it does. If you aren’t sure what steps to take, speak to an expert on how you can get started today.