Five ways that disaster recovery changes in a pandemic

1. Review threats and revisit strategy

The first step in adapting DR planning to the pandemic is to review all relevant risks.

Unlike a natural disaster or a technical outage, Covid-19 has not, for the most part, stopped companies from operating – but it has changed the way they operate.

“The biggest risk for most organisations is that people are now working on consumer-grade broadband, with consumer-grade security,” says Richard Blandford, CEO of IT services company Fordway.

This increases vulnerability to cyber crime, especially ransomware but also phishing, denial-of-service attacks, and attacks on infrastructure. According to research carried out last summer by backup and security supplier Acronis, 39% of firms reported video-conferencing attacks. Phishing attempts also increased. New working methods, with weaker security, increase the attack surface.

Cyber security firms warn that criminals are also exploiting Covid-related opportunities, including testing and vaccines, for phishing and fraud. Phishing attacks can lead to ransomware, data theft and disruption to IT systems through malware.

Pandemic control measures also pose a risk. Businesses will have plans to mitigate supply chain threats, but for many, illness or isolation of potentially large numbers of staff is uncharted territory. So, too, is the impact on staff caused by school closures, potentially at short notice.

2. Assess IT risks in the new normal

Conventional DR plans have allowed for the failure of central IT systems. Usually, remote working is one business continuity measure.

But virtual private networks (VPNs) and other remote working tools are vulnerable to attack. Companies need to allow for degradation of VPN services, as well as failures in domestic telecoms and broadband. With so many more workers at home, failures here are transformed from an operational to a strategic risk.

Organisations have adjusted to the pandemic by opening up core services to remote access, or moving them to the cloud. Both bring their own risks. Remote access is open to exploitation.

Cloud services should improve resilience, but cloud service providers and software-as-a-service (SaaS) suppliers are typically not responsible for customer data. Firms still need a backup plan. Centralised backup, to tape for example, might need replacing or supplementing with local hardware or cloud services.

Companies also need to manage employee-owned personal technology. It is harder to replace faulty equipment for remote staff – and that equipment needs to be secured, updated and backed up.

“Organisations need to implement a uniform management layer that offers visibility into data location and storage, which will significantly aid their ability to protect workloads in the long term,” says Gijsbert Janssen van Doorn, technical director at data protection service Zerto.

3. DR incident management: Communications in a distributed organisation

Next, how will the DR plan work in practice?

“One big challenge for DR in this pandemic and the various levels of lockdown is: how do you actually manage the incident and failover from primary to disaster recovery systems?” says Peter Groucutt, MD at Databarracks.

Good communications are essential, but this is harder if the response team is itself distributed. A robust command and control structure is invaluable.

Firms should test that their DR team can communicate with all stakeholders. Which systems will they monitor, and which users do they notify? Do outage notifications from cloud providers or from the security operations centre reach the right people, and who will invoke the recovery plan?

Incident management should include out-of-band communications, such as email or SMS, to alert staff if business systems stop working.

4. DR testing must adapt to a distributed environment

DR testing needs to change for lockdown conditions. With businesses already in “recovery mode” with staff working from home, organisations will need to update what they test, and how. Testing should cover key communications links, including VPNs and remote access to central applications, and failover plans for datacentres and cloud systems.

“You should run regular disaster recovery tests that are measured and approved – no compromises,” says Stephen Young, director at AssureStor. “Consider the use of cloud DRaaS [disaster recover as a service] platforms. These typically provide robust, regular testing, paired with seamless access that mimics normal day-to-day remote access.”

Firms should also test plans for field staff and those still working in the office. Can, for example, users work offline during a cellular network outage? And how will teams collaborate if they have to work in bubbles, or self-isolate?

Also, reviewing test data is still vital. “The basics of disaster recovery haven’t changed,” says Fordway’s Blandford. “You are still looking at the RTO and RPO [recovery time objective and recovery point objective].”

5. Update training

Lastly, firms should update their training plans. Are staff receiving training in security and data protection? Do they need DR training? Virtual training tools have developed rapidly in recent years, and can be a less disruptive alternative to full DR drills, even in normal conditions.

CISOs warn that preventing phishing and social engineering is harder when staff are away from the office. As Amar Singh, CEO of the Cyber Management Alliance points out, much security awareness relies on face-to-face advice and a “tap on the shoulder”. This is hard to replicate remotely, and businesses need to assess how training and support will work in a distributed environment.

CIOs also need to check that training content reflects pandemic working practices and risks. If it doesn’t, it will need updating. Also, have lessons been learnt from DR exercises, or the pandemic itself? Those lessons should be shared.