Disaster Recovery: Product vs. Plan and Why Businesses Need Both
Complex cyberattacks, demanding cyber insurance policies, and new pressure on vendors to take responsibility for client data loss, put MSPs in the security hot seat. While many businesses continue to rely on disaster recovery products, it’s clear that a disaster recovery plan is crucial for survival.
Backup and disaster recovery (BDR) is the solution most businesses are familiar with; unfortunately, it’s no longer the catch-all for business continuity. Instead, business continuity and disaster recovery (BCDR) is a comprehensive solution that not only keeps businesses moving after a data incident occurs, but it provides options for how to restore data after deletion. Of course, these solutions are vital for disaster recovery (DR), but they’re only one component of DR planning.
In this article, we’re discussing…
- The difference between a DR product and a DR plan.
- Misconceptions that often keep SMBs from understanding the differences between backups, business continuity, and disaster recovery.
- How to educate clients on today’s BCDR requirements and encourage DR planning.
What’s a DR Product Without a DR Plan? (Not Enough)
Disaster recovery products provide the technology necessary to recover backups. However, a disaster recovery plan focuses on restoring business operations to a normal state. It’s a strategy for quickly restoring data and IT infrastructure after a catastrophic event has caused a widespread outage or severe damage. When put into practice, DR planning is a separate playbook from your business continuity plan – which maintains core business functions. A disaster recovery plan is a separate, all-encompassing playbook that outlines instructions and procedures for full data and IT infrastructure recovery, including complete restoration of all operations as they were before the disaster.
DR planning includes:
- Assessing the damage and determining whether tools need to be shut down – essentially, ‘stop the bleeding.’
- Tracking the incident
- Contacting the cybersecurity insurance provider and/or lawyer(s)
- Coordinating with an insurance-approved incident response provider
- Outreach to affected customers
- Compliance with breach notification regulations (i.e., HIPAA, GDPR, state laws, etc.)
And it doesn’t stop there. DR planning requires more than just documenting the steps necessary for a full recovery. It also includes tabletop exercises to assess the plan, practice drills to see it in action, regular updates based on internal changes and external threats, and ongoing adjustments to accommodate IT stack modifications. Failing to properly establish a working and complete DR plan jeopardizes not only the business that was breached but also the MSP. New vendor-specific notification laws punish MSPs when their clients lose data. While you may be able to recover from steep fines and penalties, public records of data breaches and ransomware attacks – even if no data is lost – can significantly damage an MSP’s reputation and ability to grow.
Talking Comprehensive Disaster Recovery with Clients
Ray Jackson, VP of Operations at Complete Technology, a longtime Axcient partner says, “Oftentimes in the MSP space, clients get confused and say, ‘we have a DR plan,’ but they’re referring to the disaster recovery solution. You don’t have a DR plan unless you have a plan and a runbook, and you’re doing tabletop exercises. What they understand is, ‘you said if I have a server crash, you can spin me up.’”
Yes, businesses can recover with a DR product, but without a DR plan, you don’t know your recovery time objective (RTO), recovery point objective (RPO), or the criticality of your resources. There’s no inventory of resources that need to have runbooks created, so they spin up instantly, and you don’t know what resources need to be spun up instantly for business continuity. Without a well-constructed, tried, and true plan, there are a million things that could go wrong.
MSPs have to educate clients during the sales cycle to bridge the gap between what MSPs know about BCDR and what clients want in terms of cost and availability. Ray says, “It’s less about the product and more about communication with the client. We try to put as much focus on the client and really understand the client’s business needs. Often, people focus on the technology and on the solution, and don’t really focus on what the client is trying to achieve, or what pitfalls they are trying to avoid.”
Complete Technology always leads with putting a BDR appliance on-premise to do image-level backups of all servers. The cost of the appliance is included in their monthly fee, and they own the appliance. But, of course, some clients push back due to cost, and this is where Complete Technology takes the opportunity to discuss the pros and cons of alternative solutions.
Do Your Clients Really Understand? They Will with DR Planning.
If a client would rather be backed up in the cloud with Axcient’s hardware-free BDR, x360Recover Direct-to-Cloud, they need to understand bandwidth limitations. For example, if there isn’t enough bandwidth during a file-level restore, restoring those files could take hours. Does the client understand the potential for hours of downtime?
What if a server dies on-prem, and you have to spin it up in the cloud? That works, but going back – because you can’t operate in the cloud on that DR forever – can be really expensive. The client will have to move to a cloud service provider like Azure or AWS, replace the hardware, perform another restore – which again brings bandwidth into question – or get a drive for on-site recovery, but that can get complicated. Does the client understand the potential costs, downtime, and complexity?
And then there are natural disasters. During power outages, clients may think they can power up services in the cloud – which they can – but there needs to be a conversation about how to come back from that. It’s not like flipping a switch. Does the client understand the inner workings and consequences of going from cloud to on-site? Discussions about the implications of the DR product clients choose should be part of the sales process. However, it won’t become real life until the table reads in DR planning. That’s when clients will truly understand their tolerance for downtime, costs, complexity, and the complications that come with BCDR. As MSPs, it’s your responsibility to educate, inform, and update clients about best practices, and that includes DR planning.
Building DR Planning Into Your BCDR Offering
Complete Technology is taking the criticality of DR planning an extra step. They are building it into their standard offering to overcome the obstacle of clients devaluing business continuity. As part of Complete Technology’s contract with clients, they perform a backup recovery test that executes a client’s DR plan. Ray explains, “For a true DR test, we need to power down the existing environment, power up the DR environment, and the client needs to operate on that DR environment for a period of time to make sure the business can continue to function in all the critical areas needed. It’s a test. It’s, can we do this? Does everything work? And that can be hard for clients to get their head around.”
Additionally, DR planning is built into Complete Technology’s business reviews every month or every quarter, depending on the size of the client. Ray says, “We talk about what it means for their business to be down and if they can continue to function. And really, what do they need to be able to function. A lot of clients go, ‘I have to have my data, I have to have my email, I have to have everything,’ but really, when you get down to the nitty-gritty, there are pieces and parts that if it isn’t there, they’re still able to function as a business.” He goes on to say, “Equally as important is helping clients understand what systems they don’t deem important, or we don’t need to back up. Things like historical data, archive data.” Until you’re having these conversations with clients, they can struggle to connect the dots between what is absolutely critical, and thus needs to be a focus of their DR plan, versus what’s secondary or tertiary, and may become a distraction during critical restore.
What’s Your Plan for DR Planning?
With 85% of MSPs reporting SMB ransomware attacks, the importance of DR planning needs to become a regular part of conversations with clients. Not only that, but MSPs need to set the right example by protecting their own businesses with DR planning. As Ray said, it starts with understanding your client’s needs, use cases, and goals, and it ends with education. Clients rely on their SMBs to provide the business continuity they need to keep business moving, no matter what. While DR products are central to delivering that availability, DR planning provides a smooth path to complete restore.
Download Axcient’s MSP Playbook for Best Practices in Disaster Recovery Planning and Testing. It’s a comprehensive and actionable playbook that includes key components of DR planning, a structured testing framework, common pitfalls to avoid, and DR testing tips and free tools.
More Great Stuff From Our Blog:
Check out some other interesting pieces from our blog: Highlights and a chance to download our white paper on Reference Architecture and its Impact on MSP Maturity, Efficiency, and Profitability, learn how you can ditch pricey on-site appliances with Local Cache for Direct-to-Cloud BCDR.
Author
How well could you sleep with reliable cloud-based backups and recovery?
Take a deep dive into Axcient’s proprietary, automated security features to see how we’re ensuring uninterrupted business continuity — no matter what:
