Upwards of 60 to 70 percent of companies begin a disaster recovery plan, but don’t finish because the plans seem too complex, overwhelming, or get put on the back burner.
Upwards of 60 to 70 percent of companies begin a disaster recovery plan, but don’t finish because the plans seem too complex, overwhelming, or get put on the back burner. However, the business costs associated with network down time and data loss make secure backup and recovery an economic necessity. According to Strategic Research Institute, companies that aren’t able to resume operations within ten days of a disaster hit are not likely to survive and a recent study by Pepperdine University states that 40 percent of data loss stems from hardware failure and 29 percent from human error. IT professionals and their businesses have learned the hard way in recent years that disaster can strike at anytime and that they must be prepared. Specific procedures for creating backups and a plan of action for recovery are essential to any modern business in order to secure storage.
Regular Backups and Regular Performance Checks
Many factors can cause data loss, including: fire, power outages, employee theft, viruses and hackers, as well as modern tragedies that can leave companies without access to buildings and important documents. Those that are prepared have a much better chance of overcoming the loss with minimal damage and the first step is backing up the system regularly. This may seem obvious to most, but often times the problem is not so much that companies are not creating backups, but that they are not verifying their recoverability. This results in "false backups" where they think their data has been secured, only to find in an emergency that the backups failed and the data has been lost. This is especially true with tape backups, because tapes can be more easily corrupted, damaged, worn out, or employees can forget to change them.
In either case, it is too late and data is already lost. It can take weeks or even months for these systems to be restored, if they ever are. Therefore, it is extremely important for companies to follow best practices and create policies and procedures for creating regular backups and for testing their recovery environments. Among these policies should be regularly scheduled test recoveries in order to ensure that backup policies and procedures are working properly. It is suggested that these recovery events be conducted at least once per quarter to make sure backups are running as planned.
Combining Backups With Other Security Technologies
Companies should also use preventative measures to ensure that systems are safeguarded as much as possible. This includes the use of antivirus software, firewalls, and intrusion detection software.
Intrusion detection is important because it is much like an alarm system that will further protect vulnerable data from both internal and external threats because it monitors critical files for tampering and checks network traffic for "attack signatures." If it detects an anomaly, an alarm notifies the administrator for further investigation or action. With intrusion detection, if an attack should occur, companies will have early warning and can quarantine the threat and their current backup data, before damage can be done to critical systems and result in data loss or corruption. It is also important to consider using products and best practices for integration from the same vendor, so that continuity planning can result in a comprehensive solution that is easily managed.
Have a Recovery Plan in Place
Companies must also implement fast recovery plans in the event of data loss or systems interruption in conjunction with regular backups. The first step in planning for recovery is the assessment of your environment. When assessing what to include in a disaster recovery plan, companies should keep in mind the following:
What network resources are most important?
What is the value of those resources, monetary, or otherwise?
What possible threats do these resources face?
What is the likelihood of those threats being realized?
What would be the impact of those threats on the business, employees, or customers, if those threats were realized?
Which resources do you need to bring online first?
How long can each one of these resources can be down?
Set an allowable downtime for each resource.
Set decontamination process for viruses, worms, etc.
When determining the value of an asset, organizations must consider both its monetary value and its intrinsic value. Monetary value can be determined by considering what would happen if the asset was unavailable for any reason. Intrinsic value is the loss of data, privacy, legal liability, unwanted media exposure, loss of customer or investor confidence, and the costs associated with repairing security breaches. Once information assets are identified and valued, threats to those assets must be evaluated.
Although types of sensitive data can be quite broad and vary from organization to organization, there are a few key types of information that every business should plan to protect. These include all data related to strategic plans, business operations, and financial data. Damage to or loss of any of this information can result in decreased sales, reduced competitive advantage, and decreased profits for the victimized company.
Companies also need to make sure that their backup, retention and recovery policies comply with industry standards and government regulations when thinking about the security of their storage. Industry guides such as the International Standards Organization (ISO) 17799 and government regulations such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act help provide a framework for improved corporate governance and controls. Accurately written and enforced, information security policies enable organizations to not only demonstrate their adherence with these critical regulations and standards but also articulate their own.
Don’t Do Nothing
Strong backup and recovery plans are essential for survival in the modern business world. Companies can no longer sit back and wonder if something will happen, but rather must think about what to do when something does happen. Disaster recovery needs to be addressed immediately before disaster strikes. While disaster recovery is unique to each company and its environment, the guidelines mentioned above can serve as a solid foundation. The only way to make sure companies are protected as much as possible before an attack, is to integrate security policies with regular and effective backups of their systems and important data. Additionally, they must have a recovery plan in place. While putting together a plan can seem like an overwhelming process, trying to quickly recover from a disaster is near impossible without one?and that is something no company can afford.
Rocke is director, Professional & Education Services, for Symantec Enterprise Administration