By Nikhil Korgaonkar, Regional Director, Arcserve India.
India is not new to natural disasters. Every year, the country faces disruption to day-to-day life from floods, earthquakes, landslides, forest fires, and many other natural mishaps. According to the Global Climate Risk Index report 2019, India is the 14th most vulnerable country in the world. In such a vulnerable landscape, the question arises: how should an organization prepare to protect its assets from disasters and ensure business continuity?
In the event of a disaster, enterprises risk damaging not only their physical assets but their digital assets as well, which might be stored in data centers stationed in high-risk zones. Economic factors such as the introduction of the GST (goods and services tax) and technology-driven programs such as Digital India and the Smart Cities Mission have pushed organizations to increase their level of digitization. This has led to the level of cyber threat going up by several notches.
Enterprises also had to prepare to ensure business continuity through a completely different kind of disruption, the one forced by COVID-19. A sudden transition to remote work required enterprises to provide their employees with data access and connectivity to the corporate network within a very short span of time. In this rush, organizations found themselves left with loose ends in both their physical and digital data protection strategies.
In the last six to seven months, there has been a surge in ransomware attacks targeting remote workers. As most employees don’t have the same level of security infrastructure preparedness in the home environment as they had in the office, they are at a greater risk of being targeted with ransomware. Weak passwords, unpatched systems and use of unsecured devices are a few of the key reasons for home devices to be targeted by cyber criminals.
The most vital aspect of data protection, therefore, is for companies to have an effective Business Continuity and Disaster Recovery (BCDR) plan.
Important Aspects of a BCDR Plan
There are many aspects of a business continuity and disaster recovery plan and each is as important as the other. While designing an effective BCDR plan, here are a few things to take note of:
- Business Impact Analysis: Create a detailed business impact analysis plan that highlights the key components your business needs to survive. This will help enterprises identify the most critical applications and the associated infrastructure required to run the business. This activity must involve all the key stakeholders and top management.
- Deployment Strategies: The BCDR plan must clearly specify the steps, processes and people who will be involved in the case of a disaster. It must also specify recovery objectives. For example, in the case of a stock exchange, any downtime, even if it lasts only a few seconds, can cause losses in the millions. The BCDR plan must hence specify the maximum time frame for delivering access to critical IT applications.
- RTO & RPO: In a BCDR plan, Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are extremely important. RPO refers to the maximum acceptable data loss in terms of time, whereas RTO denotes the amount of time between an outage and the restoration of operations. Enterprises can choose the required RPO and RTO depending on their business requirements. A BCDR plan must also include a clear communication process, wherein each stakeholder – employees, customers, suppliers – is apprised of the impact of the disaster and key initiatives taken.
- Location-centric BCDR Plan: The consulting firm McKinsey suggests that companies need to classify disaster recovery roles as fully remote, hybrid remote, hybrid remote by exception or onsite. This will allow firms to gauge how they can operate the business in an environment where most resources are working from scattered remote locations. This will also help them plan and build for remote capabilities, such as for Tier II or Tier III locations in India, where reliable bandwidth can be an issue.
- DR Drills: For different scenarios and locations, organize data recovery (DR) drills at regular intervals. This will help enterprises prepare a more realistic assessment of actual situations on the ground and close gaps progressively.
- Cloud-based BCDR: Today, the cloud is a pivotal point for any BCDR plan. A cloud-based BCDR will give the enterprise assured access to critical IT assets from anywhere. Cloud-based backup systems are also a must, as they can back up larger amounts of data in a far shorter timeframe than traditional backup systems. As cloud-based backups can be accessed from anywhere, they ensure access to backups in the event of a disaster.
- Integrated BCDR plan: Enterprises must choose vendors that have an integrated approach to data security and business continuity. This is especially important as recent trends have shown that hackers are targeting backup systems to increase their chances of getting paid after installing ransomware. It is also important because working from home increases the number of remote endpoints.
- Employee Awareness: To ensure robust security, organizations must make employees aware of the dangers of phishing and of using unofficial apps or websites for storing or transmitting data. As part of the security policy, employees must also be regularly encouraged to keep changing their passwords, as weak passwords are responsible for a majority of unauthorized access.
- Other security measures: Regular patching of systems must also be enforced. Secure access to information can be provided using VPNs. Similarly, virtual desktops can be provided to employees to ensure secure access to data and applications. Another layer of security can be added by using two-factor or multi-factor authentication.
A BCDR plan can only work if the right tools and applications are available and accessible to the people who run your business. By considering the remote workforce as a vital part of your process, and using a cloud-based BCDR plan, enterprises can ensure business continuity in any disaster or pandemic situation.