For more than a year, the Covid-19 pandemic has forced organisations of all sizes to adapt to the “new normal”. Teams have had to adopt remote and home working at a scale and pace that no one could have predicted. In many ways, the pandemic has been a massive test of business continuity.
But even as countries roll out vaccines, IT teams need to revisit their disaster recovery plans. The last 12 months have forced significant changes in working practices, IT systems, security and even physical facilities.
Companies say they are unlikely to return to their pre-pandemic setups. Business advice firm PwC has found that half of companies plan to make remote working a permanent option for staff whose role allows it.
Some tech companies have gone further. Spotify, the music service, will allow its employees to work from anywhere, while others, including Twitter and Salesforce.com, have made remote working a permanent option.
Inevitably, these moves will change the way organisations approach disaster recovery (DR). How do you protect data, access to applications, and services such as telecommunications and power in a widely distributed workforce? CIOs and boards should be asking: what happens when Plan B becomes Plan A?
Covid-19 has changed our understanding of pandemics. It has also changed the threat landscape and created new risks to business continuity.
Many larger companies and government departments already had pandemics on their risk registers, although few, if any, will have anticipated the scale and scope of the coronavirus. The practical impact of an event of this scale is still being assessed.
Some of the risks are quite different from those posed by natural disasters, or even other health emergencies, such as an outbreak of flu. And some of the risks are a direct result of the way organisations have adapted to life with Covid-19. CIOs need to review these risks, and revisit their plans. These are five steps they should take:
1. Review threats and revisit strategy
Unlike a natural disaster or a technical outage, Covid-19 has not, for the most part, stopped companies from operating – but it has changed the way they operate.
“The biggest risk for most organisations is that people are now working on consumer-grade broadband, with consumer-grade security,” says Richard Blandford, CEO of IT services company Fordway.
This increases vulnerability to cyber crime, especially ransomware but also phishing, denial-of-service attacks, and attacks on infrastructure. According to research carried out last summer by backup and security supplier Acronis, 39% of firms reported video-conferencing attacks. Phishing attempts also increased. New working methods, with weaker security, increase the attack surface.
Cyber security firms warn that criminals are also exploiting Covid-related opportunities, including testing and vaccines, for phishing and fraud. Phishing attacks can lead to ransomware, data theft and disruption to IT systems through malware.
Pandemic control measures also pose a risk. Businesses will have plans to mitigate supply chain threats, but for many, illness or isolation of potentially large numbers of staff is uncharted territory. So, too, is the impact on staff caused by school closures, potentially at short notice.
2. Assess IT risks in the new normal
Conventional DR plans have allowed for the failure of central IT systems. Usually, remote working is one business continuity measure.
But virtual private networks (VPNs) and other remote working tools are vulnerable to attack. Companies need to allow for degradation of VPN services, as well as failures in domestic telecoms and broadband. With so many more workers at home, failures here are transformed from an operational to a strategic risk.
Organisations have adjusted to the pandemic by opening up core services to remote access, or moving them to the cloud. Both bring their own risks. Remote access is open to exploitation.
Cloud services should improve resilience, but cloud service providers and software-as-a-service (SaaS) suppliers are typically not responsible for customer data. Firms still need a backup plan. Centralised backup, to tape for example, might need replacing or supplementing with local hardware or cloud services.
Companies also need to manage employee-owned personal technology. It is harder to replace faulty equipment for remote staff – and that equipment needs to be secured, updated and backed up.
“Organisations need to implement a uniform management layer that offers visibility into data location and storage, which will significantly aid their ability to protect workloads in the long term,” says Gijsbert Janssen van Doorn, technical director at data protection service Zerto.
3. DR incident management: Communications in a distributed organisation
Next, how will the DR plan work in practice?
“One big challenge for DR in this pandemic and the various levels of lockdown is: how do you actually manage the incident and failover from primary to disaster recovery systems?” says Peter Groucutt, MD at Databarracks.
Good communications are essential, but this is harder if the response team is itself distributed. A robust command and control structure is invaluable.
Firms should test that their DR team can communicate with all stakeholders. Which systems will they monitor, and which users do they notify? Do outage notifications from cloud providers or from the security operations centre reach the right people, and who will invoke the recovery plan?
Incident management should include out-of-band communications, such as email or SMS, to alert staff if business systems stop working.
4. DR testing must adapt to a distributed environment
DR testing needs to change for lockdown conditions. With businesses already in “recovery mode” with staff working from home, organisations will need to update what they test, and how. Testing should cover key communications links, including VPNs and remote access to central applications, and failover plans for datacentres and cloud systems.
“You should run regular disaster recovery tests that are measured and approved – no compromises,” says Stephen Young, director at AssureStor. “Consider the use of cloud DRaaS [disaster recover as a service] platforms. These typically provide robust, regular testing, paired with seamless access that mimics normal day-to-day remote access.”
Firms should also test plans for field staff and those still working in the office. Can, for example, users work offline during a cellular network outage? And how will teams collaborate if they have to work in bubbles, or self-isolate?
Also, reviewing test data is still vital. “The basics of disaster recovery haven’t changed,” says Fordway’s Blandford. “You are still looking at the RTO and RPO [recovery time objective and recovery point objective].”
5. Update training
Lastly, firms should update their training plans. Are staff receiving training in security and data protection? Do they need DR training? Virtual training tools have developed rapidly in recent years, and can be a less disruptive alternative to full DR drills, even in normal conditions.
CISOs warn that preventing phishing and social engineering is harder when staff are away from the office. As Amar Singh, CEO of the Cyber Management Alliance points out, much security awareness relies on face-to-face advice and a “tap on the shoulder”. This is hard to replicate remotely, and businesses need to assess how training and support will work in a distributed environment.
CIOs also need to check that training content reflects pandemic working practices and risks. If it doesn’t, it will need updating. Also, have lessons been learnt from DR exercises, or the pandemic itself? Those lessons should be shared.