Disaster recovery and data loss are closely intertwined into the IT landscape of most companies. You can have disaster recovery without data loss, but you’d better hope you never have data loss without disaster recovery.
In the context of breaches, human error is one of the most common causes of data loss. The 2022 Data Breach Investigations Report from Verizon states, “82% of breaches involved the human element, including social attacks, errors and misuse.” In other words, four breaches out of five could be traced back to something that a person did; they were not caused by a machine or by equipment failure.
In this post, we’ll examine the connection between disaster recovery and data loss. We’ll describe the causes of data loss, the importance of disaster recovery and the development of your own disaster recovery strategy.
Causes of downtime and data loss
Let’s evaluate the most common causes and events that often lead to data loss.
Malware
IT environments are constantly under attack, with hundreds of thousands of new malicious programs (malware) and potentially unwanted applications (PUA) discovered each day.
It’s unlikely you’ll be able to dodge this bullet forever. The odds are that you’ll need to bring your disaster recovery strategy into the real world to cope with data loss sooner or later.
Ransomware
According to Gartner, by 2025, ransomware attacks are expected to increase by 700% and at least 75% of IT organizations will face one or more attacks. Increasing costs to infected organizations further bolster the idea of improving disaster recovery strategies to better protect against data loss. A Forrester study found that only 25% of organizations were able to recover between 75% and 100% of their data after a ransomware attack. IBM calculated that the average cost of a ransomware attack has now reached $4.4 million (USD), not including the intangible costs of losing customers and losses to organizational reputation.
Double extortion ransomware attacks are of particular concern. Double extortion ransomware attacks encrypt all your data but also steal it and threaten to publish it. Your backup, being a copy of your entire corporate data set, is an appealing target for ransomware. That means your data backup strategy has to ensure that: 1) no attack leaves you without access to your backups; and 2) if your backups are exfiltrated, they are useless.
As you formulate your data backup strategy, you should heavily consider your strategy to address the increasing threat of ransomware.
Capacity limits
Predicting an organization’s computing and storage resources can be a particular challenge for IT managers. Not only do they have to balance priorities of budget and service levels, but the additional complexities of managing where data is stored. Whether using an on-premises data center, moving some or all workloads into the cloud, or taking a hybrid approach, capacity limits for operations and backups have to be considered as a threat to potential data loss.
Infrastructure teams are often involved in a more hardware-oriented approach to capacity planning and management.
On the other side of the line, database administrators don’t particularly care how many drives are in the physical infrastructure or how many nodes make up a cluster. Their main priority is making sure applications have the needed performance capacity.
No matter where these admins fall across these lines, the main focus across the board is making sure that there is an accurate assessment and plan for usage and resources of computing power, memory and storage to extract peak performance.
Faulty systems
Platform failures trim incidents down to a failure of one element inside your infrastructure. But they include a domino effect due to unseen relationships among your technology components. Platform failures constitute a real risk that can leave your business vulnerable. If different platforms are dependent on one another, one system that goes down can impact the access and data flowing to others.
Insufficient security and unauthorized access
Zero trust is a security model for IT environments that emphasizes the idea of “never trust, always verify” so those that want access to organizational applications and resources must authenticate user identities before being allowed access.
Consider the makeup and purpose of an IT ecosystem in the first place. An IT environment has many different components: user workstations, servers, applications, databases, network devices and more. Most importantly, it includes users. All that technology and data is no good to anyone if it’s completely walled off from the people who need it. So, one of the central challenges facing any IT team is ensuring that all users can see and use the data, applications and other resources they require to do their job, without allowing anyone more access than they need and without impeding productivity.
That leads invariably to applying the principle of least privilege to every access decision, allowing or denying access to resources based on a combination of multiple contextual factors.
User errors
As described at the outset, the human factor plays a big role in disaster recovery and data loss. User errors run the gamut from inadvertent deletion, disgruntled insiders, to the mischief of nation-state actors.
Natural disasters
Don’t forget that, even before ransomware, faulty computers and human error, there were natural disasters.
Natural disasters and catastrophic weather conditions can lead to serious outages and data loss. IT professionals tasked with keeping systems, applications and data protected and available must keep them in mind as a variable when devising a disaster recovery strategy.
Why is disaster recovery so important?
The problem is that, although disasters come in all shapes and sizes, they have one thing in common: they tend to catch you less prepared than you want to be. To be prepared, it’s important to be able to answer the following questions:
- Does your organization have a data backup strategy in place?
- Which risks does it cover?
- Which goals does it seek to accomplish?
- Have your business stakeholders weighed in on it?
- Have you documented it?
- Have you tested it?
Developing a disaster recovery strategy to reduce downtime and data loss
Smart IT managers and administrators include disaster recovery readiness as a hedge against data loss. They’ve got an eye out to ensure that their company’s disaster recovery strategy and plan are in place, well ahead of the emergencies that will inevitably arise. They know that outages, service interruptions and the potential for data loss are no longer an “if;” they’re now a “when.”
Being ready is a matter of asking the right questions and developing a plan that fits your business. Follow these nine steps to build a business-oriented disaster recovery plan:
1. Conduct an asset inventory
To effectively build a disaster recovery strategy, organizations should start with an inventory of their IT assets. Compile a list of all servers, storage devices, applications, data, network switches, points of access and network appliances along with their connections to the network, any dependencies and where each asset is located is an ideal place to start.
2. Perform a risk assessment
Once IT assets, networks and dependencies are mapped out, organizations need to take a careful look at potential threats for each asset. Evaluate the impact of what happens if each asset breaks or is affected by an adverse event. What are the weaknesses in your current IT infrastructure? How does one of these applications failing affect the business?
3. Define the criticality of applications and data
Work with business leaders and support to further classify how critical select IT assets are to the organization. Group assets based on their importance to the business, change frequency and retention policies. Consider what you are protecting and why, and work through scenarios of full destruction and damage, physical damage, partial damage or situations where the data is intact, applications are intact, but you can’t get to them. All of that comes into play when defining the criticality of what needs recovered and the various paths to recovery. By involving the business, they can guide the level of resiliency and recovery required and bolster the idea that data protection is an investment required to keep necessary operations functioning.
4. Define recovery objectives
Different sets of organizational data and applications will have different recovery time objectives. For example, an essential database may need fairly quick recovery objective due to business needs, while another application could have a longer recovery objective because it is not as necessary to keep the business up and running. Working in tandem with business line leaders is crucial to setting realistic recovery objectives. Determining and calculating your organization’s realistic recovery time objectives (RTO) and recovery point objectives (RPO) for your assets is essential for organizational alignment in the event of a disaster.
RTO asks, “What is the acceptable amount of time data and production systems can be unavailable?” The answer to that question can determine what type of backup method is used for organizational data. If you have more time, slower backups could be used. If that data is needed immediately, organizations will need to look at host-based replications or disk-based backup with continuous data protection.
RPO asks, “What is the amount of data can organization can afford to lose?” For example, if your organization can withstand to lose a day’s worth of changes to a website, your RPO can be high and span hours or even a few days. If you must maintain a continuously up-to-date record of transactions and can’t afford a lot of data loss, your RPO will be very low, spanning minutes to an hour at most. Overall, an RPO calculation will determine the frequency needed to back up data.
5. Determine the right tools and techniques
Half of the battle is determining the order and priority of what your organization needs to protect. The second part of the challenge is figuring out the balance of protection required. Over-protection can be costly, while under-protection makes organizations vulnerable to risk. For example, overnight data backups may be appropriate for lower-level data, but not enough for higher-priority applications and data. Continuous data protection (CDP) is a great solution for backing up top-priority applications and data, but can add additional storage costs and production servers.
Off-site protection should be used regardless of chosen backup methods, and align with recovery objectives. Best practices dictate that data should be sent at least 25 miles away to avoid potential geographic risks, such as natural disasters. Be sure to automate as much of the recovery process as possible. Automation reduces the risk of human error and can stand in if IT staff is unavailable or unable to assist.
6. Get stakeholder buy-in
Stakeholders from across the business should be included in the disaster recovery planning process. Their agreement on data and application priorities are essential for aligned expectations during any potential disaster. Beyond just including business stakeholders, be sure to have an executive sponsor to help advocate for and allocate resources for ongoing support.
Protect all your systems, applications and data.
7. Document and communicate the plan
Documentation offers a guide to restore normal operations in case of any disaster. While it’s crucial for a disaster recovery plan to be written down, it’s just as important to make sure it is communicated across an organization. Share the disaster recovery strategy with relevant departments and individuals, and make sure it is available in accessible locations.
8. Test and practice your disaster recovery plan
Regular practice of a recovery strategy can help organizations identify and resolve potential issues before disaster strikes. Exercises can include walk-throughs, tabletop exercises, testing out a single component of a disaster recovery strategy or a full-scale simulation.
9. Evaluate and update your plan
Business environments are constantly changing. Personnel changes, mergers or acquisitions, new hardware, applications and operating systems will keep a disaster recovery strategy in a constant state of motion. Regular reviews ensure in-place disaster recovery strategies and capabilities align with tolerance levels for downtime and data loss.
Disaster recovery strategies are crucial to have in place to prevent against data loss. The right disaster recovery strategy helps to shield your organization from data loss, can help minimize the impact of an adverse event and ensure critical systems and services can be quickly restored.
