For example, an earthquake, tsunami, severe rainstorm (anyone remember the wild weather in Sydney in early June?) or even a burst water pipe may cripple your data centre or server room. A disgruntled employee may damage a server or a virus may find its way onto the network and wreak havoc. As a result, you may lose sensitive corporate and customer data, or project work. At the very least, you may be on the receiving end of a few brusque phone calls. At worst, your customers may take their business elsewhere and loudly advise your prospects to do the same.
These events happen more often than you may think. In fact, a survey conducted by Telstra found one in three Australian businesses had experienced a major disruption, with man-made failures accounting for 86 per cent of all incidents and most failures lasting for six to 20 hours.
So how can you implement a proper data back-up regime that operates within a broader business continuity plan and meets your broader business objectives? The best way is to look at the Why, Who, What, Where and When of data back-up.
1. Why back-up data?
First, you need to understand any regulations that govern how you back-up and manage data, and the risk that data loss presents to your business.
For example, if you operate a financial services business, you may well have to comply with strict Australian Prudential Regulation Authority rules governing data management and protection.
If you are involved in healthcare, you are bound by legislation and regulation to protect sensitive patient information. Whatever industry you are in, it is your responsibility to understand any obligations you have that affect how and when you back-up data.
However, you will also need to be able to quantify any damage to your productivity, reputation and brand. This requires conducting a full analysis of what a disaster can mean to your business (if you haven’t backed up data in a way that enables easy restoration). At Telstra, we’ve developed a series of questions that will give you a good idea about your business’ data back-up and disaster recovery status.
- What services do you provide to your customers and what would be the impacts if your IT systems fail?
- What IT systems and applications does your business need to support end users and customers?
- How long could your business function without IT systems?
- How long would it take before your customers went elsewhere?
- How would your business know what outstanding bills a customer needed to pay?
- How long would your suppliers wait to be paid?
- How long would it be before your suppliers stop providing their products and services?
- What alternative methods and procedures could employees/end users perform while your systems and applications were out of service?
- At what cost and for how long could your business cope if revenue wasn’t generated, if suppliers refused to work with you and/or you lost employee/end-user productivity?
2. Who are the stakeholders in business continuity and who do I involve in business continuity?
The European Union Agency for Network and Information Security (ENISA) points out the typical key stakeholders in a business and the perspectives they bring to the issue. These include employees with expectations regarding employment security and workplace safety; directors responsible for growth, revenue and profit protection, and reputation management; shareholders concerned about performance and governance; regulators concerned with compliance; and customers concerned about the availability and quality of goods and services.
Ultimately, your business needs to understand and protect the interests of all its stakeholders when delivering business continuity, including creating and executing a plan for data back-ups.
The ‘people’ side of business continuity and data back-ups extends to creating teams with the skills to respond to, manage and recover from an incident. Each team should incorporate people skilled in the technical aspects of recovery, and people responsible for service delivery and customer relationships. Team leaders should be senior and responsible enough to coordinate and balance the priorities of the functions affected. If your business or organisation uses external providers for activities such as infrastructure management, you should integrate these providers into relevant incident-management teams.
Team leaders should ultimately report to a member of the senior leadership with full accountability for business continuity – who, in turn, reports to the chief executive officer and/or board for the function. This ensures business continuity ultimately resides where it should – at an organisation’s highest level.
In addition, your business should regularly test its plan so team members can keep their skills and expertise up to date, and accommodate the emergence of new technologies and threats.
3. What data and workloads should my business back-up?
We recommend you review all data your business holds and the workloads you run in your IT environment, including any interdependencies between systems.
According to research undertaken by Telstra, 69 per cent of businesses back-up file-sharing workloads while 66 per cent back-up collaboration systems such as email and messaging systems. However, businesses typically appear to be less concerned with critical business management and revenue-generating systems. Only 31 per cent back-up e-commerce applications, 28 per cent back-up enterprise resource planning systems, and 23 per cent back-up online applications.
So should your business buck the trend to not back-up these apparently critical systems? The answer is to review the checklist of questions provided earlier in this article and determine the importance of these systems to your business based on your honest responses.
However, as e-commerce assumes ever-increasing importance in generating revenue and serving customers, and enterprise resource systems play an increasingly critical role in processing customer orders for increasingly personalised products and services, it is surprising more businesses are not backing these systems up.
4. Where should we locate our back-ups?
The response depends on the needs of each business, and potentially different functions within the same business. For these businesses and functions, the answer typically lies in the cloud.
Cloud services are now mature enough to support corporate security and sovereignty requirements while delivering the flexibility, agility and consumption-based models modern businesses demand. Businesses can now access fast and reliable back-up and restoration services to store and retrieve data, for reference, regulatory compliance or business continuity. These services may span email, servers, hybrid services encompassing multiple providers, and even ease the occasionally fraught migration process.
5. When do I need my systems and data restored?
The key is to identify the recovery point objective (RPO) and recovery time objective (RTO) that align with the answers to the previous questions. The RTO is the time for a system to be recovered and made ready for use by the business; the RPO is the time when the last back-up of data was made (reflecting how much data would be lost during a disaster).
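The following is an added example, not part of the original article: one way to check a back-up history and restore-test results against RPO and RTO targets. The workload names, timestamps and targets are constructed sample data.

```python
from datetime import datetime, timedelta

def worst_data_loss_window(backups, now):
    """Largest gap between consecutive successful back-ups, counting the
    gap from the most recent back-up to 'now'. No back-ups = unbounded."""
    if not backups:
        return timedelta.max
    points = sorted(backups) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def assess(workload, now):
    """Compare observed exposure and restore times with the stated targets."""
    exposure = worst_data_loss_window(workload["backups"], now)
    slowest = max(workload["restore_drills"], default=None)
    return {
        "name": workload["name"],
        "exposure": exposure,
        "rpo_met": exposure <= workload["rpo"],
        # An RTO that has never been tested by a restore cannot be claimed as met.
        "rto_met": slowest is not None and slowest <= workload["rto"],
    }

# Constructed sample data: targets and history for two hypothetical workloads.
NOW = datetime(2024, 1, 10, 12, 0)
WORKLOADS = [
    {   # Hourly back-ups, but the 10:00 run was missed.
        "name": "e-commerce",
        "rpo": timedelta(hours=1), "rto": timedelta(hours=4),
        "backups": [datetime(2024, 1, 10, h, m)
                    for h, m in [(8, 0), (9, 0), (11, 0), (11, 30)]],
        "restore_drills": [timedelta(hours=3), timedelta(hours=3, minutes=30)],
    },
    {   # Nightly back-ups, but the last restore test took too long.
        "name": "file-share",
        "rpo": timedelta(hours=24), "rto": timedelta(hours=8),
        "backups": [datetime(2024, 1, 9, 1, 0), datetime(2024, 1, 10, 1, 0)],
        "restore_drills": [timedelta(hours=10)],
    },
]

REPORT = [assess(w, NOW) for w in WORKLOADS]

if __name__ == "__main__":
    for row in REPORT:
        print(f'{row["name"]}: exposure={row["exposure"]} '
              f'RPO met={row["rpo_met"]} RTO met={row["rto_met"]}')
```

A single missed run is enough to break a tight RPO, and an RTO only counts as met when an actual restore has been timed.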
The range of back-up options available to business has never been wider. You can adopt a solution that meets all your requirements while allowing you to focus on core business activities. So what are you waiting for? Make the time to review and modernise your back-up plans today.