Disaster recovery is increasing in importance but many SMBs don’t have an adequate plan in place. Resellers have a crucial role to play in ensuring that a good one is put in place – but what should go into it?
For businesses of all sizes, but especially small- to medium-sized businesses (SMBs) downtime is feared. Even just a couple of hours can cost a business dear, but a full-on disaster could prove fatal.
This is why disaster recovery should be front of business owners’ minds. Yet many SMBs don’t have a disaster recovery (DR) plan. “Reports show that 46% of businesses have no documented DR plan, which is particularly alarming given that it’s reported 90% of SMBs fail within a year if they can’t resume operations within five days after a disaster,” says Dave Joyce, CEO of Macrium.
“In our increasingly vulnerable business environment, this lack of preparedness is a significant risk. A comprehensive DR plan, backed by an effective backup solution, is crucial for business resilience and survival.
“By combining robust on-site and cloud infrastructure with a comprehensive strategy that covers all potential risks, businesses can ensure they are prepared for the unexpected. Resellers, in turn, must engage customers in meaningful conversations to help them build and maintain disaster recovery plans that not only protect their data but also ensure business continuity.”
Karl Wilkinson, technical director at Lucid Systems, agrees. “DR is often considered an afterthought and something that is typically brought in as a contingency once a company has already experienced a disaster and is learning from its mistakes,” he says. “This might be for one of many reasons – small businesses may be unaware that they need a DR plan, they could be unsure where to start or how to set one up, or they might be worried about the costs involved in setting up a plan.”
Quentin Simmons, eSentire senior digital forensic investigator, notes that even if a DR plan is in place, in some cases they are not correctly implemented. “Plans are not being tested and nor re-evaluated on a consistent basis to keep up with the evolution of risks,” he says. “The threat forecast doesn’t just always target SMBs, it may impact an upstream provider or even critical infrastructure. Organisations need to ensure their DR strategies include redundancy and multiple phases to maintain the integrity of their backups.”
Pushing plans
DR plans are increasing being pushed by vendors and regulators. “Customers’ DR plans are mostly driven by compliance,” says Quentin. “If a customer must have a DR plan to meet a compliance requirement, they typically do just enough to meet that requirement. Complex DR processes are typically pushed by vendors.”
John Murray, CTO, virtualDCS, adds that the insurance industry’s evolving requirements is driving a focus on cyber risks in plans. “Insurers now require businesses to have robust DR plans with safeguards against traditional disasters and cyberthreats,” he says. “This is reflected in insurance policies that include cyber risk coverage and protections against rogue employees.
“As a result, businesses are increasingly seeking DR solutions that provide comprehensive strategies for data recovery, early detection, rapid response and mitigation of external and internal threats. The push from insurance companies to meet these standards is a significant factor shaping the DR landscape.”
Countering cyberattacks
A key part of a DR plan involves how to recover from a cyberattack. “It’s a perfect example of where cybersecurity strategy extends past just the technology,” says Neil Langridge, marketing and alliances director at e92 plus.
“The implications on business continuity and IT service delivery are the first step. Ensuring backups are available, processes are planned for utilising trusted third suppliers for analysis and remediation and restoring systems once fully clean from any malware or attackers is essential.
“Then there are the next stages in wider business implications – encompassing legal obligations to notify regulatory bodies such as the ICO in the event of data breach, or communications with customers in the event of their information being impacted!”
Extending responsibilities
Neil notes that an organisation’s responsibilities now often extend beyond their own network, infrastructure and customer base. “Firstly, supply chain networks are rising in popularity with bad actors as the potential damage can be significantly extended from one breach – API connections, shared infrastructure and managed services massively increasing the potential exposure. All disaster recovery plans need to include the potential impact on the wider supply chain.
“Secondly, one of the biggest growth areas in cybersecurity is attack surface management. As with all DR plans, the hard work comes in planning for the event, and building in the right prevention to ensure the plans is never needed! The edge of the network is now every user and device – that extends to the social media profiles of senior executives that could be compromised in the event of targeted attack, to cloud services the marketing team are leveraging that could involve customer profiling information that uses PII, and so comes under the remit of GDPR. The definition of what IT are now responsible for – or can support – has radically changed. The castle walls of the network are no longer the perimeter.
“VARs and MSPs need to work with customers to ensure all business continuity and DR plans encompass all these factors, as responsibility now extends far beyond the traditional corporate network as businesses become digitally integrated with customers, partners and suppliers.”
Durgan Cooper, CETSAT chairman, notes that while recovering data after a cyberattack is a critical aspect of DR, it’s far from the whole picture. “Businesses must also prepare for physical damage to infrastructure, power outages and even human error, which can all lead to significant operational downtime,” he says. “The goal of DR is to restore not just data, but also critical business operations and services as quickly as possible. This involves a holistic approach that considers all potential threats.”
Trends
Durgan notes that a major trend is the shift towards hybrid DR solutions that leverage on-site and cloud infrastructure. “This hybrid approach offers the best of both worlds: the speed and control of local backups, combined with the scalability and redundancy of cloud-based solutions,” he says.
“Additionally, there’s a growing emphasis on automation and orchestration in disaster recovery. Businesses are increasingly adopting solutions that automate failover processes, making it easier and faster to switch to backup systems during an outage. This not only reduces downtime but also minimises the risk of human error during critical recovery operations.”
But Dave notes that while there’s a shift towards cloud-based solutions in DR, especially among SMBs, cloud isn’t always the best choice. “This is due to potential reliability issues, costs and challenges in achieving fast RTOs when recovering entire systems,” he says.
“Many businesses are reinforcing traditional server backup methods, aligning with the time-tested 3-2-1 backup strategy: three copies of data, on two different media, with one copy off-site. We’re seeing a shift from cybersecurity to cyber resilience, with businesses focusing on quick recovery alongside threat prevention. There’s also a trend towards on-premises and air-gapped environments, with organisations taking a more mature approach by evaluating protection needs device-by-device.”
DRaaS
Chris Shaw, UKI&SA country channel manager at AvePoint, says that customer demands are changing. “Customers demand faster recovery times, more reliable backup solutions, and comprehensive protection against a wide range of threats, including natural disasters, cyberattacks and human errors,” he says. “Solutions such as Disaster Recovery as a Service (DRaaS) are gaining popularity, offering businesses a scalable and cost-effective way to ensure business continuity.”
Stephen Young, director at AssureStor, agrees that DRaaS and Backup as a Service with protection of a business’s data outsourced to a specialist service provider are growing in popularity. “With many organisations reporting a lack of internal skills, resources and senior level buy-in, the outsourced option overcomes many of these limitations to delivering one element of a secure DR strategy,” he says.
Markus Rex, general manager at SYNAXON Services, agrees that one of the best and most affordable ways of countering disasters is to have a managed backup service in place. “So that it’s easy to restore data in the event that access is lost, or the data is damaged as a result of unforeseen events,” he says.
“Of course, having good malware protection in place is also essential and that way you can at least prevent the most obvious and immediate threat from cyberattacks.
“As well as backup and antivirus protection, other elements of an effective DR plan will include good policy management and ensuring you have an alternative way of getting online. That could be as simple as having a 4G or 5G router ready to switch to if the main connection is lost.”
Anton Shelepchuk, VP of worldwide sales at NAKIVO, adds that with a trend towards creating IT systems capable of withstanding disruptions, large or small, there is a shift towards DRaaS. “This is as it enables quick recovery of IT systems without huge upfront costs,” he says. “Artificial intelligence (AI) and machine learning are being used to predict potential vulnerabilities and respond to incidents. Given the rise in ransomware and other cyber threats, immutability, encryption, and zero-trust security models are becoming the standard.”
AI influence
Professor Andy Pardoe, an expert in AI, notes that AI is playing a growing role in DR strategies, particularly in combating cybercrime. “AI-driven tools are now being used to detect zero-day vulnerabilities – those previously unknown threats that can cause significant damage if not identified early,” he says. “These AI systems can analyse patterns, predict potential breaches, and respond faster than traditional methods, making them an essential part of a modern disaster recovery plan.
“Additionally, the advent of zero-trust security approaches is revolutionising how businesses protect their IT infrastructure. Unlike traditional security models that assume everything inside the network is safe, zero-trust requires continuous verification of all users and devices, whether inside or outside the network. This minimises risks and enhances the overall resilience of the IT environment.”
Components of effective disaster recovery plans
There are many elements that should be considered in a DR plan. “A good DR plan covers the risk of events, such as a major glitch in a key application or service, extreme weather and its consequences, loss of electric power, and unforeseen events such as a physical security incident or a breakdown of the transport network that prevents staff from getting to the workplace – anything and everything that could deny access to systems and data,” says Andy Brown, technical services director, UK & Ireland at TD SYNNEX.
Dave says that the core of an effective DR strategy revolves around two key components: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). “These define how quickly you can recover and how much data you can afford to lose,” he says. “To meet these objectives, a reliable, comprehensive backup solution is essential. Backup software should offer strong encryption for data security and the ability to recover systems quickly and at scale.
“Every minute of downtime can mean lost revenue and damaged customer relationships. Therefore, backup software that can recover systems at scale and remotely is crucial. While the plan should include risk assessment, recovery procedures and regular testing, the foundation must be a backup solution that can deliver on your RTO and RPO goals, minimising data loss and operational disruption in any scenario.”
Chris says that an effective DR plan should comprise several key elements: a thorough risk assessment, a clear recovery strategy, detailed documentation, regular testing and updates and a communication plan. “It should address various scenarios, including data breaches, hardware failures and natural disasters, ensuring that the business can quickly resume operations with minimal disruption,” he says.
Karl adds that a DR plan also needs to heavily feature the Active Directory. “If that data is lost or corrupted, it may significantly disrupt your business operations,” he says. “Having a prepared backup and restore plan in place ensures that you can recover your Active Directory to a previously known good state. This is essential to minimise any potential downtime while also maintaining your business continuity.”
Importance of drills
The importance of DR drills, which can simulate a disaster happening and monitor how long it takes to get a business back up and running in full, should be emphasised, says Karl.
“From a drill, any strengths and weaknesses can be identified, and it can be ensured that everything is working as it should,” he adds. “If any issues are identified, they can be rectified before they become an issue.
“A DR drill gives businesses the confidence that they have the right plan in place that will work as it is intended if a disaster hits.
“Testing a DR plan shouldn’t be a one-time exercise, it should be routinely reviewed, tested and reassessed to ensure that the latest defences in place. Relying on an outdated or legacy plan could put a business at risk in the same way as businesses that haven’t prepared at all.
“Another element that is becoming increasingly important is the need for employee education. It’s not enough for internal teams to issue a series of IT policies and procedures with little follow-up. Most cyberattacks occur from human error, so it’s essential that small businesses take the time to educate their internal personnel on how to spot the signs of a potential issue, but also teach them who to report it to – stressing the need for urgency.”
Chris Groot, general manager at N-Able, agrees that DR plans need to be tested. “Businesses need to make sure that sufficient training is provided to their staff in the event of a disaster and that regular training sessions occur,” he says. “Everyone needs to be aware of their roles and responsibilities – and this goes beyond technical staff. Management and comms teams need to be part of disaster recovery planning and know what is required of them.”
Clear framework
John says a foundational element of a strong DR plan is using a clear framework, such as the NIST cybersecurity framework. “This helps businesses establish a robust cybersecurity model by focusing on key functions: identifying, protecting, detecting, responding and recovering from incidents,” he says. “These guidelines provide a structured approach that applies to businesses of all sizes and allows them to develop effective contingency planning strategies.
“A critical component of any DR plan is having a detailed, documented playbook that outlines all necessary steps and procedures during a disaster. This playbook, often referred to as a ‘Yellow Binder’, should be easily accessible, either in hard copy, third party cloud storage, or stored on an external device, ensuring that it remains available even if internal systems are compromised.
“Additionally, the plan must include a well-defined communication strategy. It is essential to outline how to communicate during a disaster, including alternative methods if primary communication systems are down. This strategy should also ensure that all relevant stakeholders, such as law enforcement, insurance companies and business partners are promptly notified in the event of an incident.
“Another important aspect is the immediate documentation of evidence following a cyberattack. Capturing evidence, such as ransomware messages, is crucial for making insurance claims and assisting law enforcement investigations. The plan should also detail containment procedures, emphasising the need to quickly identify and isolate infected systems to prevent the spread of an attack. This could involve shutting down networks or disconnecting affected devices, with each step carefully outlined to ensure swift and effective action.”
Power plays
Martin Ryder, channel sales director, Northern Europe at Vertiv, notes that a company’s infrastructure strategy is paramount in keeping operations running and businesses open. “Companies should protect their networks,” he says. “Processes, policies and plans must begin with protecting the critical infrastructure which keeps businesses up and running – not least in the data centre.
“Uninterruptable power supplies are a crucial component of any critical infrastructure environment. Without adequate power backup, it’s not just the risk associated with inconvenience or loss of goodwill. Businesses know that an effective provision for backup power and disaster recovery is vital to support continuity to short-, medium- and long-term productivity and customer satisfaction.”
Reseller conversations
Resellers play a crucial role in helping businesses develop and maintain effective DR plans. “Key conversations should include understanding the business’ needs,” says Durgan. “Discuss the specific risks faced by the customer’s industry and how these impact their disaster recovery needs.
“Resellers should also clearly explain the costs associated with different disaster recovery solutions and the potential financial impact of not having an effective plan in place.
“They should also emphasise the importance of compliance with regulations such as GDPR and how disaster recovery plans can help safeguard data privacy.”
Quentin notes that it helps for resellers to understand specific risks that an organisation has. “Understanding their threat forecast helps the reseller propose an effective strategy to implement within the organisation,” he says. “Pitching just any solution and process to an organisation may not assist the organisation with their recovery plans/procedures. It’s also helpful to understand the disaster history of the organisation, to help them advance their methods.”
Chris says the first step should be to move the conversation on from backup to disaster recovery. “While businesses often know the value of backup, they are less aware of the role of backup within wider disaster recovery planning,” he says. “Resellers should ask their customers if they have a plan, and – crucially – has it been tested? Backup with a recovery plan will be of little use when disaster strikes, and a business with an untested recovery plan may as well not have one at all. Resellers should make sure their customers understand these requirements and can offer additional services to help.
“By highlighting real-world examples and offering tailored solutions, resellers can help customers understand the value of investing in a robust disaster recovery strategy,” he says.
Dave adds that resellers should emphasise the importance of backup software that can support customer’s RTO and RPO targets and stress the importance of regular testing and updates.
“Additionally, they should be supporting customers with evolving data compliance requirements and supply chain considerations and, ultimately, explain how a comprehensive disaster recovery plan, centred on robust backup solutions, is crucial for overall cyber resilience and business continuity,” he says.
Steven says that resellers should steer customers to the most achievable solution within the scope of their resources. “The reseller should not be over-reaching on their own ability to deliver a robust solution as the skills shortage stretches to resellers as well as customers,” he says. “Amid delivering your scoped out disaster recovery solution to a customer at a time of need is an inconvenient time to establish any shortcomings.”
Understanding the business
Resellers also need to thoroughly understand the customer’s requirements when confronted with a scenario where all their systems are inaccessible.
“Key is how quickly do the systems need to be back online before it becomes an operational problem; less than 30 minutes, two hours or will downtime up to 24 hours have no great operational impact,” Steven says. “Additionally, once recovered how much data can the business afford to lose. Will the loss of the last hour’s data be impactful or not, or can the business operate based on the recovery of data from 24 hours before the disaster?
“The realistic recognition of these key points will steer the business into what type of technology or service they should be considering and make it clear the commitment required to be able to secure the business in the event of a catastrophic data disaster.”
