Neglecting proper data recovery planning is increasing risk for organisations across Africa – particularly small and medium-sized businesses.
So says Mark Govender, Senior Systems Engineer at Veeam, who specialises in data recovery and disaster recovery planning and systems.
He emphasises that while physical and natural disasters were once considered the most significant risks to business continuity, the rapid rise of cyber crime has now taken the lead as the greatest threat. "Too many organisations are ill-prepared to recover from cyber attacks," he warns. For a deeper understanding of the evolving landscape, he recommends reviewing the latest insights in the 2024 Ransomware Trends Report.
Govender points out that while large enterprises typically have robust data recovery and disaster recovery plans in place, they are not immune to risks. "Although large organisations often follow best practices, many fall short when it comes to regularly testing and updating their plans," he explains. "Without consistent testing, even the most well-designed recovery strategies can fail when put to the test during an actual disaster."
He adds that small and medium-sized businesses are even more vulnerable, often lacking comprehensive plans altogether. "The consequences can be devastating – some companies never fully recover from such incidents," Govender warns.
Where organisations fall short
“The most common failings are outdated plans and a lack of testing,” Govender says.
“We often see organisations that create a comprehensive disaster recovery plan, but they don't test it enough. So when things go wrong, they aren't able to recover efficiently. It may take them longer than their recovery time objectives, or they may end up with corrupted data.”
Govender says recovery time objectives vary by industry and how critical a particular system is: a financial organisation may have a 24-hour RTO for some systems, while a healthcare organisation may need to recover all systems in under four hours, for example.
Govender says: “Auditors generally ask for testing two to three times a year; however, I would advise carrying out automated testing every two months.”
He believes a lack of skills, and possible misconceptions that testing could cause disruptions, can stand in the way of regular testing. “Many people believe testing is a tedious task, which takes time away from personnel who need to be managing the IT infrastructure. But it doesn’t have to be time-consuming or disruptive – organisations can do it without impacting the production environment or impacting the business. When these processes are automated and orchestrated, organisations can test and recover much more efficiently.”
Govender notes it is also important to keep the recovery plan up to date: “The data recovery document is basically a living document. As the business evolves, there might be new applications and services that take priority over the applications and services prioritised in the plan; therefore, you need to make sure that you adapt your plans and recovery point objectives accordingly.”
Weighing up costs
Govender says costs to consider when preparing a data recovery plan include direct costs such as backup infrastructure, storage or storage appliances, cloud storage, software licences and partners who offer recovery services.
Organisations should also consider the indirect costs of inadequate planning, he says: “As part of your business impact analysis, organisations must consider loss of revenue and productivity in the event of downtime. In addition, they need to factor in the cost of non-compliance, such as fines.”
Towards improved data recovery planning
Govender recommends carrying out a comprehensive risk assessment and business impact analysis before drafting a data recovery plan. “The next step would be to define your recovery objectives. So again, here we talk about the recovery time objective, which is how long it's going to take you to bring that service back. And then we also look at the recovery point objective – how much data you've lost in the time that the system's been down. This must be defined as part of your disaster recovery plan,” he says.
“And then the next step is designing your backup strategy, making sure that you're implementing industry standards. You also need to look at your disaster recovery procedures, documenting the processes to follow when you have any sort of disaster. This should include roles and responsibilities for recovery tasks.”
He adds that a disaster recovery team should include the IT infrastructure department and the data security department.
“With a proper data or disaster recovery plan in place, I have seen organisations take the time to recover from a week and a half to as little as four hours to get the entire infrastructure back online,” he says.
Govender notes that Veeam Data Platform aids customers with preparing proper recovery plans, and conducting regular testing to ensure that they are able to recover their data.