Disaster recovery planning is vital for smaller businesses. The rise of cyber attacks, especially ransomware, has increased the risk of disruption and data loss to smaller firms.
SMEs are also vulnerable to risks in their digital and software supply chains. At the same time, enterprises and public sector organisations are increasingly aware of the risks posed by a failure in a smaller supplier, and often require SMEs to have disaster recovery (DR) plans to ensure they can recover from an outage.
Governments, too, have put more emphasis on disaster recovery for SMEs. The UK’s NCSC and the EU’s digital security agency, ENISA, have published advice to help the sector boost its protection.
This applies to cyber attacks, but equally to other risks from natural disasters, power outages and technology failure.
For smaller firms, the risks – and the remedies – will often be similar to those for larger enterprises.
Small and medium-sized enterprises (SMEs) must know where their critical data is, and that it’s backed up. They need systems in place to recover key applications, locally or via the cloud, and need to establish how quickly they must recover.
SMEs also face specific challenges, around skills, resources, experience and access to the DR and data protection market.
Key DR requirements for SMEs
The key DR requirements for SMEs are similar to those for larger organisations. SMEs need to ensure they can restore their data from backups, and bring replacement systems online to run their applications. These could be local, on-premises or in the cloud, and SMEs will need to set recovery time objectives (RTO) and recovery point objectives (RPO).
“Theoretically there are no differences in disaster recovery between SMEs and other organisations,” says Tony Lock of analyst Freeform Dynamics. “In terms of process and procedure, you have to do the same things for the same reasons. It comes down to knowing what systems you are running, how important they are, and how quickly you need to recover.”
The main differences are around resources: budgets, skills, and less tangibly, the ability of the business to cope with incidents. This includes managers’ ability to handle an incident and provide the “command and control” which is available to larger firms.
An enterprise might have a dedicated disaster recovery or incident management team.
But a smaller organisation will have fewer layers of management, with responsibility likely to fall to the head of IT, the finance director, or even the MD or business owner. They are also less likely to have experience of operating under disaster recovery conditions.
Infrastructure and disaster recovery
Smaller firms are likely to have more limited physical resources than larger organisations. This includes servers, storage and networking, but also critical supporting infrastructure such as high-capacity internet connections, and even power and cooling.
Nor is the issue solely about IT. Smaller organisations will have fewer physical sites. If they have a datacentre at all, they are less likely to have a secondary location they can fail over to.
Some of this can be mitigated by moving systems to the cloud, either for day-to-day operations or in the event of a disaster. But, smaller firms also need to consider where they will operate from. If a disaster is more than simply an IT issue, they will need premises to operate from where staff can access applications and data from the cloud.
The growth in home working as well as better mobile technology does provide smaller organisations with a viable way to operate during a disaster that affects their premises. However, firms still need to plan, to make sure that remote working actually works, that plans can be put in place in a timely way, and that data and application backups operate as they should.
This can only be ensured through testing, which is time consuming, expensive, and potentially disruptive to the business.
According to Paul Timson, a disaster recovery expert at Daisy Corporate Services, skills shortages often affect SME disaster recovery planning. “As long as you have a plan, and everyone knows the plan, you’re away,” he says. “But smaller enterprises struggle with people.”
Cloud DR
The cloud is an obvious tool for smaller firms that want to improve business continuity. In some cases, the cloud might be the only viable disaster recovery option for firms that cannot afford alternative on-site DR protection.
The cloud offers low or no up-front costs, and the ability to add capacity on demand. There is also an active market for cloud-based backup and disaster recovery tools.
Key considerations around the cloud are cost – it is usually cheap to send data to the cloud but much more expensive to store it there and retrieve it – knowledge of the market, and deciding whether to move workloads to the cloud permanently or bring applications and data back on premises after an incident.
If a firm moves workloads to the cloud, it needs to consider how data in the cloud will be protected. That could be to a different cloud provider, or a different region within the same firm. Either way, such cloud-to-cloud backup is often required because basic cloud storage agreements usually limit how long data remains recoverable after deletion and similar events.
If a company uses on-site infrastructure, then moving entirely to the cloud would mean writing off that investment. And if firms want to use the cloud temporarily, they will need to ensure that they have enough bandwidth and cloud capacity to recover to, or can “burst” to that capacity in an emergency.
Firms should also compare public cloud storage with cloud-based backup and DR-as-a-service (DRaaS), and consider all costs, says Freeform’s Lock. Data protection companies that provide “all in” pricing including recovery can be cost effective, he suggests.
In-house DR?
Speed of recovery and cost mean that in-house DR still has its place.
Daisy Corporate Services’ Timson points out that some firms have opted for disaster recovery appliances because they are a simple and effective – though not necessarily cheap – way to protect data. Because they run locally, recovery is usually faster than from the cloud. Such systems are also an effective way to test backup and recovery.
Even when using an appliance, SMEs should ideally copy backups to a second datacentre, co-lo service or public cloud for redundancy. Most appliances can work hand-in-hand with a cloud storage or backup provider to provide additional protection.
Key DR providers
The market for disaster recovery services includes the large public cloud providers that provide generic online storage and dedicated backup services.
Providers such as AWS, Azure and Google Cloud Platform offer DRaaS, although services are often aimed at larger customers. Long-standing backup providers such as Acronis, Arcserve and Veritas also provide cloud options.
And, among more recent market entrants, Datto and Carbonite are popular among smaller firms. Zerto and Veeam also have SME offerings. A number of storage hardware and appliance vendors, including NetApp, Dell EMC and HPE, also integrate third-party cloud backup tools with their hardware for SMEs that need off-site data protection.