Why Backup is not Business Continuity

Why Backup is not Business ContinuityBusiness runs on data, but how many businesses have acted to actually protect their lifeblood if and when disaster strikes?

Only about 35% of businesses have data backup in place, and at the SMB end of the market, some 75% of SMBs have no disaster recovery plan at all.

This is playing with fire. According to this article, 58% of small businesses couldn’t withstand any amount of data loss whatsoever.

It’s a revealing statistic, because it hints that the challenge is not only in backing up the data somewhere safe, but also in reinstating it to enable the business to “withstand” the outage, and get the wheels turning again.

That, in a nutshell, is the difference between data backup and disaster recovery (often termed, somewhat loosely, business continuity, as I’ll explain later) – and here’s what SMBs should be focusing on to get their data disaster ducks in a row!

Speccing the Backup Process: Recovery Point Objective (RPO)

How much data can an SMB afford to lose before it starts to damage their business?

This is the critical question SMBs need to answer, because it is this RPO (Recovery Point Objective) calculation, explained in more detail here, that informs all elements of the data backup process.

How often do backups need to be performed? (Every hour? Every minute?) What volumes and formats of data need to be involved, and what kind of data backup system or service partner can achieve this?

Evidence suggests this is where smaller businesses really struggle, as 71% of UK SMBs, according to research from Onyx Group in this article, only manage to back up part of their data.

It seems that limited bandwidth, mixed IT environments (Windows/Unix/Linux) and disparate file formats conspire to reduce the scope of the RPO, and so dilute its effectiveness as a measure of true backup capability.

The value of the RPO is also diminished by the realities of where the data is being backed up to.

Locally? The fire that took out the core systems just took out the backups, too!

The cloud? Data backup is just as vulnerable to the potential limitations of the cloud as any other service is. How will the data centre be powered in the event of its own outage, and for how long? Is it covered by EU data regulations, and certified to industry-recognised standards like ISO 9001 and ISO 27001? And how secure are the data centres it “mirrors” to, to back up the backups?

Tape? Inherently RPO-unfriendly (you can’t very well create and send off a new tape every hour!), it is also cumbersome and expensive, often funded by an insurance policy and requiring a full-time employee just to manage it. (Read this article, written by one SMB owner, explaining how he improved his disaster recovery capability by getting away from tape!)

The process of deciding on the RPO can expose far greater backup shortfall than the SMB has thus far been forced to confront!

Getting back to business: Recovery Time Objective (RTO)

But the most demanding RPO in the world will only ever address one side of the business continuity equation – the need to back the data up.

The other, equally crucial side of the equation is being able to get to that backed-up data, reinstate it into the organisation, and rapidly rebuild any of the infrastructure that is needed to make it work.

The speed with which this can be achieved is called the Recovery Time Objective (RTO), and is usually set by working backwards from how much a data loss would cost the company (by adding up the average per-hour wage and overheads of the employees who need to work with the data, and the per-hour revenue).

Hardware, physical media and software issues can all mess with the RTO. Imagine you’re an SMB, and all your data is backed up to a physical tape at an offsite location somewhere, that has to be manually shipped back to you before you can reinstate it. #RTOfail

Or imagine you’ve successfully saved all your critical files to your backup service, but you haven’t saved any system images – so the accompanying settings and system data that you need to make the files quickly work again are missing. #RTOfail

Or imagine you’re doing all your backup locally and the hardware that does the backup breaks down, so you first have to repair or replace the machine(s) before you can get to the data – if indeed you then can at all! #RTOfail

What’s emerging here is that no one approach necessarily delivers maximally RTO-friendly use of backed-up data. Instead, a combined strategy can often work better, to minimise the risk in each component of the approach, and deliver:

  • Local, image-based backup that is complete and rapid to recover
  • Rapid replication to and from the cloud through bandwidth-efficient streaming that only transmits changes, not entire datasets
  • Instant local and cloud virtualisation, to vastly reduce the risk posed by fault-prone hardware and cumbersome, inaccessible physical media.

SMB backup and recovery budgets are often meagre. So when the chips are down, the data’s gone, and it’s time to pull business continuity out of thin air, the ability to recover, say, a 70Gb SQL server in a few seconds flat, in return for a modest monthly fee, is a big shout in favour of the cloud.

Summary: Disaster Recovery vs. Business Continuity

Of course, it’s not just using the right tools to meet the commitments of RPO and RTO that will help ensure business continuity. It takes a much longer-term view than that, embracing succession planning, recruitment, supply chain management, and a whole host of human skills to which technology is only peripheral, as this piece explains.

But the facts stand. Backing up data “somewhere safe” is useless unless it’s achieved at sufficient frequency, with sufficient comprehensiveness (system images and data formats), sufficient ease and speed of reinstatement, and with a high degree of freedom from the weaknesses of hardware and physical media dependencies.

There’s a marketable SMB cloud solution in there, somewhere…