Disaster can strike at any time. None is more vulnerable than today’s technologically dependent businesses. Technology has created a boon for business. It has also created a weakness. Companies compensate for this weakness by creating disaster recovery plans that outline how the business is to react during a disaster. This includes technical and non-technical aspects of the business. The main intent of the plan is to make sure the business is at least functional at a basic level from which it can fully recover.
Disaster Recovery-As-A-Service is a way for businesses to recover at a cost much less than previously. This service relies on cloud resources to get the business functioning again. However, cloud resources are dependent on the Internet, making it susceptible to cyber breaches. Yet, for many small to mid-sized businesses Disaster Recovery-As-A-Service is a compelling option.
Disaster Recovery as a Service for Continuity
Disaster Recovery-As-A-Service (DRAAS) is a compelling idea, at least in theory. It’s especially compelling for small to medium sized businesses. These businesses usually do not have the resources for an in-house disaster recovery plan and implementation. DRAAS allows companies to have replication or hosting of virtual or physical servers to another location in the event of a disaster. It is usually paid on a contract or pay-per-use basis, thus reducing costs.
The downside is that the company must trust that the DRAAS provider will be able to provide the backup when needed. Another downside that is often neglected relates to security. Since DRAAS relies on cloud for the backup, internet security is a major concern. Cloud services are inherently susceptible to breaches. Thus the provider must be equipped to handle such attacks. (Timmons et. al, 2014)
Another downside relates to data privacy. The provider must be trustworthy in how it secures the privacy of companies.
If a provider is deemed trustworthy for privacy and security according to the company, it may be a viable recommendation for disaster recovery. For larger organizations with sensitive data, such as health care organizations and Government agencies, this service is not recommended due to security and privacy issues. Additionally, regulations may prevent the offsite storing of PII that is not under the organization’s control.
The real intent of DRAAS is to ensure business continuity. A disaster or even small interruption in business operations can cause havoc on a business. Client files as well a product delivery could be compromised leaving a company’s reputation and future in jeopardy.
If a disaster does occur, it’s best to get ahead of it to reassure and inform clients of the compromise before they hear about it elsewhere. This is where a good Crisis Management plan can be effective. Ideally, there would be a designated command center with viable communications for the crisis team to meet and coordinate. This plan could potentially buy the company time to get basic operations up and going so that basic functionality is achieved. A good crisis management plan could retain clients and foster confidence in the company’s stability in spite of the incident. (Virgona, 2011)
In order to implement a disaster recovery plan, training is essential for those employees who will be involved in the recovery. In addition, as part of the disaster recovery plan, the business must define what constitutes a disaster and who is to invoke the plan.
When devising a disaster recovery plan, a business impact analysis should be completed. A BIA will gauge the criticality of having a particular system down. The higher the impact the more critical the system is to business operations. This is a part of the risk assessment.
There are several potential risks to a business: technical, financial and legal, non-technical, human, reputational, dependency, natural, and political. (Thejendra, 2014)