The Seven Deadly Sins of BDR
The recent IT outage at British Airways has been blamed on a power supply failure at the company’s data center, causing hundreds of flights to be delayed or canceled and affecting as many as 75,000 customers.
The outage should have been mitigated by backup generators and fail-safe mechanisms, but these appear to have been interconnected with the failed power supply, causing a system-wide shutdown which could end up costing the company up to $100 million.
This incident highlights the need for businesses to maintain effective backup and disaster recovery (BDR) technologies and processes, as IT systems and data have become mission-critical assets in virtually every industry today.
Unfortunately, many businesses think they have a proper business continuity plan in place—but may be falling victim to one (or more) of seven deadly BDR sins that can cause significant problems when disaster strikes and data needs to be recovered.
The British Airways mishap highlights at least one of these sins or pitfalls which should be avoided at all costs, particularly for managed services providers (MSPs) who deliver BDR and business continuity services to their customers:
1. Not Isolating Your Backups from Your Primary Infrastructure
This is reportedly one of the reasons the British Airways fiasco became as large a problem as it did. When building a business continuity strategy, it’s critical that an organization’s backups are isolated from its primary infrastructure and power supply.
This is particularly true in the SMB market, where there is often only one office or location where all business is conducted.
If a backup appliance is onsite, for instance, it’s wise to maintain additional redundancy in a cloud environment to ensure data can be accessed in the event of a significant power failure or disaster that takes an entire site offline.
2. Not Testing and Verifying Backups
Regular testing and verification of backups are critical to the success of any business continuity strategy.
If you can’t guarantee that data and applications can be recovered in the event of a disaster or unplanned downtime, then what’s the point in backing them up in the first place?
Backup verification is usually a software-driven exercise, relying on both technology and human resources to confirm that the tech and systems powering a backup and disaster recovery strategy will function properly when needed.
This includes verification of the actual boot or startup process for any virtual machines or recovered data, as well as confirmation that any redundant or failover systems will activate properly when needed.
3. Not Having a Recovery Plan and Process in Place
Complete disaster recovery testing takes the concept of backup verification a step further, and requires a careful examination of any internal processes, procedures and instructions that should be followed in a data loss scenario.
Think of it as a fire drill of sorts, where step-by-step documentation should be followed and all parties involved should understand exactly what they are accountable for following any downtime event; the exercise should be treated just the same as a real-world scenario would be.
These plans should be thought of as living, breathing documents that must be regularly re-evaluated and assessed to ensure processes are up-to-date and align with changing business practices, recovery time or point objectives, or other data storage requirements.
For IT service providers, these plans should be leveraged as a value-added offering and conducted alongside other check-ins and business reviews.
Businesses that aren’t regularly testing or updating these plans are greatly increasing the risk and potential damages associated with a disaster.
4. Thinking That File-Based Solutions Like Dropbox and Google Drive Are Sufficient
These services can be valuable for users who want to access individual files and folders on-the-go, or for highly collaborative teams where working out of shared folders and documents offers a clear advantage—but they should not be mistaken as full-fledged business continuity technologies.
File-based sync and share systems such as Dropbox and Google Drive are not suitable for disaster recovery scenarios; they offer very basic and rudimentary backup capabilities, and aren’t well suited for entire system restores or virtual machine creation in the way that modern BDR platforms are.
If an individual user has a computer that suddenly stops working one day, these services can provide a great Band-Aid for that user who can log on from a secondary machine and access their files and folders—but these services should not be relied on as a means of maintaining complete business continuity in the event of a disaster.
MSPs should be prepared to discuss this and properly explain this distinction when pitching to potential customers.
5. Thinking That Data Loss Doesn’t Pose a Serious Threat
As breaches and data loss incidents increasingly appear in mainstream media headlines, this is becoming less of an issue than it was in the past—but there are still many businesses today, particularly in the SMB market, that believe data loss doesn’t pose a serious threat or business risk.
For internal IT departments and managed services providers alike, it’s important not only to clearly and accurately express the financial risk associated with such events, but also to understand their impact on a business’s reputation, customer base and even employees (depending on the organization’s ability to recover and restore systems).
6. Not Integrating BDR Into Your Security Strategy
As cybersecurity and vulnerability management become critical functions in both the enterprise and the SMB, it’s important to understand how an effective business continuity strategy can play a role in a larger security ecosystem.
MSPs cannot be afraid to consider the scenario that prevention could fail, and need to have the cure ready.
If firewalls, anti-virus, anti-malware and other technologies are creating a defensive perimeter designed to detect and thwart any attack or malicious attempt to access data, then BDR can act as a last line of defense that’s capable of rolling back systems to a previous image should a successful infiltration take place.
MSPs should consider bundling or promoting BDR offerings alongside security solutions to provide true end-to-end data protection services to customers.
7. Adopting a One-Size-Fits-All Approach for All BDR Needs
When delivering business continuity services, no two customers are likely to have the same backup requirements—and trying to deliver the same exact offering to everyone can present a series of challenges.
To avoid these headaches, MSPs should look to leverage a platform that’s capable of meeting a diverse range of customer needs—keeping in mind dataset sizes, recovery time and point objectives, and compliance-driven or regulatory needs such as HIPAA or PCI which dictate how certain information must be stored or archived.
Providers should also consider offering a few different packages or service options to attract a wider audience and win business from customers with varying needs.
Avoiding These Sins & Building a Successful BDR Strategy
The need for businesses across all industries to maintain continuity following an outage or data loss incident is today more critical than ever before—and while the scale and scope of the British Airways outage are far greater than anything the average small business is facing, the lessons learned are equally valuable in both markets.
Small businesses—and the MSPs they rely on to deliver technology solutions and services—should be wary of these seven deadly BDR sins if they are to maintain true continuity following any downtime event.
The good news for service providers is that these issues present a tremendous opportunity to act as strategic advisors and technology partners, providing a combination of software and services that offer a level of peace of mind that the SMB should be more than willing to pay for.
Fielder Hiss is vice president of product at Continuum Managed Services.