By Sungard AS
Disaster Recovery (DR) planning: don't just prepare to recover – prepare to be resilient
How would your business cope in the event of an incident that resulted in significant data loss? Of course, it depends on the nature of your business, the type of data and the amount of time elapsed before you're able to resume normal service. The loss of email for a few hours might lead to some administrative disruption, inconvenience and lost productivity, not to mention a bit of customer frustration. But the loss of transactional or production data for a similar duration is more likely to have a direct impact on your operations and customer satisfaction - and your profitability.
In fact, significant loss of data could be enough to put you out of business for good. Consider how rapidly the situation could escalate if proprietary or confidential information were to be lost forever. Not only could this adversely affect your ability to remain competitive, but as of next year, there will be implications for compliance with the forthcoming General Data Protection Regulation (GDPR), which will affect any business that holds customer data on EU citizens.
We'll spare you the ordeal of reading and deciphering the opaquely-worded article 32(1) of the GDPR, but suffice to say it covers the requirement to have adequate disaster recovery provisions in place in order to comply. So, with less than a year to go, not only will you need an adequate disaster recovery solution that can restore both the availability of and access to personal data, but if you outsource your disaster recovery provision, you'll need to make sure your provider (as a 'data processor') is compliant, too.
Failure to comply could lead to punitive fines of 4% of net sales or €20 million, whichever is greater, plus there's the spectre of reputational damage stemming from any sort of data theft. So, it's now more critical than ever to your survival that your business has a disaster recovery plan in place.
But it'll (probably) never happen to us, right?
When thinking about disaster recovery, the first things that spring to mind tend to be headline-grabbing hurricanes or man-made threats such as terrorism. These types of events are extreme and the statistical likelihood that one of them will affect your business is relatively slim. But you can't be complacent: it doesn't take a major disaster to disrupt your operations when there are much more commonplace, localized environmental problems such as a burst water main, power outage, hazardous material spill or transport accident. And then of course, there are people-related risks, which fall into two categories:
- Premeditated human actions - including vandalism, sabotage, arson, corporate espionage, malicious denial-of-service attacks, theft, public protests and riots
- Human error - installing the wrong patch, deleting a file in error, data corruption, inadvertent loss of portable storage media or laptops
The probability that your organization will experience one or more of these incidents is much greater. Oh, and don't forget good old-fashioned hardware failure. That is truly an inevitability and, at some point, a network outage will happen.
So, it pays not to regard your disaster recovery plan as simply some kind of insurance policy – in light of today's culture of information dependency, the benefits of documenting your process will far outweigh the effort. After all, it will help you improve the resilience of your business as a whole, not just data or IT.