IT Business Recovery guide for SME Business Owners

IT Business Recovery guide for SME Business Owners

Introduction

According to searches on the TechTarget platform, there are 10 different tags associated with Business Continuity, the process of recovering your business, continuing operations and protecting your critical data & applications. Listed search terms encompass the phrases IT Backup, IT Recovery, Availability, Data Surety, Continuous Data Protection, Snapshotting, Secure Rollback, Uptime, Disaster Recovery and Single Point of Failure elimination. How can so many terms lead to the one desired goal of keeping your business running and what levels of business continuity do you need anyway? How do you keep your organisation secure and protected without breaking the bank? This article gives you pointers that will allow you to baseline your current situation and match any solutions against your real needs.

Writing your Business Recovery Plan

  • Get your senior team on-board – Don’t try writing this alone and don’t hand it our to your administrator or IT guy (or girl). You need sign-on from your most senior people to make it work.
  • Keep it simple – Best practice for larger companies might be a separate incident management plan, business continuity and disaster recovery plans. We suggest keeping it simple and try combining the core elements of these in to 1 working document.
  • Scenario planning – use a range of scenarios to influence and test your recovery plans, getting your group to ‘imagine’ this or that incident and let that lead your planning.
  • Know your key processes – Understanding from technical, commercial and financial perspectives will help prioritise how you address recovery.
  • Understand your IT – You need to fully understand your IT systems and applications and how these support your critical applications. Even if you are cloud based, don’t assume everything is ‘fine and dandy’ – check and make sure provisions are in place and you know how to recover.
  • How long can it take? – Start thinking about recovery point objectives. i.e. the time you need to get that machine back on-line or that customer web portal restored. If you fully understand the impact to your business, establishing a recovery time should follow.
  • Who are the key people? – Who else is needed from your list of key stakeholdering including staff, vendors, suppliers, etc.
  • Step-by-Step – Lay it out, step-by-step so that everyone knows the key steps and sequencing of events

Mistakes to Avoid

  • Lack of support – You need to have management on-board, including the resources and funds to implement a successful plan
  • Don’t ignore the risks – It’s easy to ignore the potential risks, but the more work you put in to scenario planning and identifying risks the better. Its also no good just identifying the risk, you need to mitigate risks whenever it is practical to do so.
  • Keep testing – We suggest testing once or twice per year and always documenting your test.
  • Blow off the cobwebs – So you have a plan, but no one has reviewed it for years! Key contacts left the business years ago and systems have changed. Make a schedule task to revisit and update your plans

Understanding your Data

At Charlton Networks, we always recommend that customers spend time to truly understand their present environment, the applications they run each day and the data that sits within these apps. In the event of a serious incident, such an understanding is critical to the survival of the business.

We then ask our small & medium business customers to assess the risk and reflect on the negative, grading likely / possible / improbable risks and exploring worse case outcomes. Our intension is not to create ‘Project Fear’, but more to create a ‘mind-map’ of what is really important to keep the business trading. For example, thinking about your local physical environment, such as extreme weather conditions, their rising regularity and if mitigation is needed. Or perhaps human resource issues, such as an ex-employee with knowledge of your IT system set upon vengeance against your business.

To help generate such ‘risk scenarios’, we also ask customers to consider recent events and explore how their organisation would have coped had this happened to them. For example, the Wannacry ransomware outbreak in 2017 is a classic example of how such reflection can really help. Businesses were gripped with fear of arriving at their office each morning to infected systems. However, as business customers confidence grew that the immediate outbreak was protected against, our conversations with SME business owners shifted toward planning and getting the latest expert advice on how to build a solid last line of defence around backup & recovery.

Planning to Succeed

If all this reflection sounds pretty negative, take comfort that good planning and committing your ideas to paper is far easier, more likely to be more effective and cost less than just installing the first solution you come across. Such a planning exercise invariably opens the eyes to the types and levels of threats facing your business for both owners and their management teams. In the same way board members would not dream of leaving your premises unsecured, a well-constructed vulnerability plan will quickly highlight gaps in your data & application protection and focus your whole team on what is important. We recommend keeping your plans simple and suggest developing a ‘roadmap’ to capture these ideas. Focus your attention on the most important and the immediate activity, so the detailed planning is about the next 3, 6 or 12-months, beyond this keep it short, simple and allow yourself the scope to change, adapt or develop your planning as you progress.

Larger companies, operating multiple site can justify geographical resilience, inter-site backup & replication and an off-site recovery site. This won’t be possible for most SMEs, but with good planning and design, similar results can be achieved with hybrid solutions, mixing public & private cloud, on-site and off-site solutions that give the highest levels of resilience where the business most needs it.

Solutions and their Deployment

Extending the idea of ‘keeping things simple’ should also be applied to any backup & recovery solution you select. For example, look to deploy a seamless set and forget backup software layer that can automatically notify you in the event of problems and present a simple ‘top-level’ view of your data & application protection.

But backup is pointless if recovery is difficult and slow. Speed of access doesn’t have to cost the earth and make sure that you don’t over-egg what you need as you can become quickly blinded by the latest technology ‘must have’ features and the whole ‘up-sale’ process. Here are some tried and tested things to consider when looking for a backup & recovery solution;

  • How easy is the backup solution to use? Is it really set and forget? Does it require distinct amounts of customisation for rollout? Does it suit the amount of data you have and do you need enterprise features like Disaster Recovery?
  • Compare costs – gone are the days of having just one or two vendors supplying niche backup solutions, now you can really shop around and buy a reliable backup solution that does what you need without over-doing features and complexity.
  • Remember your needs – Keep checking what problem you are aiming to solve. Are you trying to alleviate the chore of backup with automated, reliable, failsafe recovery?
  • What do others say – how many companies are already using the solution? Perhaps the most candid advice can come from your peers and what they truly think about everyday usage of the solution. Most of which are shared warts and all on sites such as SpiceWorks, Gartner Peer to Peer, IT Central Station to name but a few.
  • Understand your solutions – Don’t overly trust Cloud based apps to be automatically ring-fenced – for instance, who knew that Microsoft are not responsible for backing up Office 365 mailboxes? Who then is? Yes, that also falls to you!
  • Give it a try – Download trial software and actually stretch test it – any software company of repute will want you to test the software in your own non-production environment.

More Information

Here are some useful additional information to help you analyse, plan, select and implement the right data backup and recovery solution and ensure you stay on top of your business continuity plans;

Business Continuity & Disaster Recovery Glossary

Altaro:

Altaro is a complete backup and recovery solution for your IT systems and provides a wide range of features that help protect your data and recover it quickly too. At its heart is a web-based centralised management function making it easy to configure & manage from any location. Data is fully encrypted, with options for both on-site and off-site backup. Mostly importantly, Altaro recovery time is super quick, ensuring system outrages or data loss is kept to a minimum. More details here https://www.charltonnetworks.co.uk/altaro-backup-and-recovery/backup-and-recovery/#altaro

Azure:

Microsoft Azure extends the functionality of the Altaro backup & recovery system, providing the ability to simply add and automate off-site backup, with unlimited capacity, encryption, choice of geographical location. The Azure ‘plug in’ for Altaro means we can recover clients data or systems from this off-site storage location in the event of a total on-site disaster, such as a fire or major cyber-security incident. Off-site Azure backup provides the ultimate recovery if your local data is encrypted via a ransomware attack. More details here https://www.charltonnetworks.co.uk/altaro-backup-and-recovery/backup-and-recovery/#azure

Backup:

Backup describes the processes and regime for the on-going backup of your company data and systems.

Business Continuity:

Business Continuity (BC) is concerned with identifying, managing and reducing business risk. This is done via a defined process / methodology, that identifies and prioritises improvements to overcome these risks. An effective BC plan will support the strategic aims of the business and build the capabilities to keep the business running in the event of a disaster through a process of continual development. Key elements will include Business Impact Assessment, design of mitigation strategies, planning and implantation, testing, maintaining and developing.

Cloud Storage:

Storage provided in the cloud and accessible via the public internet. Examples include Microsoft Azure and Amazon Web Services.

Cloud Backup:

This general term can refers to systems whose management and operation is based in the cloud, through to the storage of off-site backup data in public cloud services, such as Microsoft Azure.

Disaster Recovery (DR):

Disaster recovery planning looks to identify IT system risks, develop potential mitigating actions and create a testable and repeatable plan for your system recovery. This is done by creating disaster recovery scenarios to identify risk and the processes required for recovery. At its core, plans are created that regularly test the full recovery of systems, such that recovery processes become known and can be refined and improved over time. All businesses should undertake this planning process, even small businesses, resulting in actions ranging from backup testing & review, test restores, through to full disaster recovery of key applications and systems.

Data Encryption:

The process by which your company data is ‘scrambled’  and can only be ‘unscrambled’ using an encryption key. The encryption key is the password to unlock the data and is also known as the ciphertext. Making the data unreadable, means that unauthorised persons cannot access the data. It is imperative that data backup on-site and off-site is encrypted both ‘in-transit’ and ‘at rest’. ‘In-transit’ refers to the data as it is moved and ‘at rest’ refers to its final place of storage.

Incident Response Plan:

An action plan that covers the immediate response and actions required for your organisation to respond to a major incident. This can cover issues such as a cyber-attack, closure of an office or other serious incident impacting your business, but can also include major operational issues such as server outages or a production line failure. For small & medium sized companies we recommend including this incident response plan within your overall business continuity or disaster recovery plan. Typically plans cover the initial responses, who needs to be involved, which stakeholders to be notified and the key actions required to respond to the issue at hand.

Inventory:

An IT asset inventory allows an organisation to understand what devices it owns, what software it runs, where company data is being stored and a range of other factors from finance, through to risk management. Maintaining an accurate IT inventory is essential in many aspects of disaster recovery and business continuity, enabling plans to be developed and maintained. Key to this is regular auditing or the use of on-going Remote Monitoring and Management (RMM) tools that provide a virtual ‘real-time’ inventory to be maintained.

IT Life Cycle:

IT Life Cycle covers introduction, adoption, growth, maturity and decline / obsolescence of your IT products, systems or services. All systems go through this process and your business needs to understand where your current systems sit within this cycle. This enables effective use and planning to be done and Charlton Networks recommend our IT Roadmap process. This means that IT Risk planning is more effective and businesses can understand these risks and mitigate their potential impact.

IT Risk Management:

IT risk management assesses the business risk associated with using, owning, operating or adoption of IT systems, services or processes. IT risk management covers many aspects and processes, from initial Incident Response, through to scenario planning, disaster recovering and business continuity planning.

Managed Backup:

This refers to the management and monitoring of your company backups or ‘outsourcing’ of this process. Managed Service Providers will ensure backups and restores are monitored, regularly tested and that your DR plans can be implemented if called upon. More details here https://www.charltonnetworks.co.uk/altaro-backup-and-recovery/backup-and-recovery/#managed-backup

Off-site Backup:

Refers to establishing a copy of your backups away from the main site where the data exists. This can be a secondary company location or a cloud based backup solution.

On-site Backup:

Refers to establishing a copy of your data on the main site where the data exists. This tends to be the minimum and default position, with the potential to have secondary copies of backup stored in an off-site backup location.

Recovery point objective / RPO:

A recovery point objective (RPO) is the age of the file(s) to be recovered from a backup process / operation. This is required when a computer system or network goes down and live data is lost. RPO is important when planning backup and disaster recovery strategies and should be influenced by the  business need and the impact to customers. Understand the impact of data recovery also includes understanding the commercial value in terms of lost manhours, productivity of revenue.

Recovery time objective / RTO:

The recovery time objective (RTO) is the estimated time needed to restore an IT system or IT services following a disaster or disruption incident. The RTO defines the estimated to recover an entire system, rather than the RPO which defines the age of the files to be recovered. Understanding RTO determines the backup and recovery systems used and ensures that the business needs are match to the underlying IT systems. Disaster Recover (DR) testing helps confirm the RTO and actual recovery time, giving the opportunity for continual improvement and minimising business disruption.

Restore:

Refers to either a single file or a complete system being restored from a backup set.

Retention:

Refers to how long copies of backup data are held for. i.e. The longer backups are retained, the further back in time data can be recovered.

Risk Analysis:

A risk analysis systematically identifies critical system resources and threats, quantifying potential impacts / losses of productivity and recommends how to mitigate such risks via a range of countermeasures to eliminate or minimize exposure.

Uninterrupted power supply (UPS):

A UPS is a device that allows your computer system to keep running for at least a short time when the primary power source is lost. It provides protection from power surges and contains a charger/battery system that kicks in when the device senses a loss of power from the primary source.

Altaro Experts

Our team at Charlton Networks includes several experts in both Altaro and other backup and recovery systems. Eric Gore is one of these leading experts and a veteran of recommending automated backup solutions that do what they say on the tin. Eric is a Certified Altaro Engineer, who along with others helps Charlton Networks maintain the Altaro Gold Partner status.

After reading this article, perhaps you have more questions you’d like to ask? Or perhaps you’d like a free assessment of your current Business Continuity, Disaster Recovery capabilities or your existing backup & recovery. Why not drop Eric a line (eric.gore@charltonnetworks.co.uk) with your question?

Leave a Reply