Disaster Recovery Journal Winter 2023

Even school children have fire drills. Why would a company assume it cannot or should not prepare for a catastrophe? Organizations should be building similar data drills into their respective operations to ensure they don’t need to worry about data loss in the event of a catastrophe. Cadence will differ according to different organizational needs, but in general, once every few months is a safe tempo to ensure your solution is working as it should. If your organization fails its drills, don’t be overly alarmed: that’s what they’re there for. Take the results to heart and correct the vulnerabilities before they cause damage.

Speedy Recovery

It’s also important to know how long the recovery process will take. Another advantage of testing your recovery system is that it will help give you a sense of how long there will be between when operations stall and when they can resume. This downtime comes with essential business implications. How long, for instance, could your business operate without its data? How long of a time window would shake the faith of your customers or investors? Comparing the answers to these questions with whatever average lag you’ve determined from your testing will help you develop your contingency plans for data loss. Can you keep the lights on and keep working until data is restored? If the recovery process is lagging due to human resources, would it be helpful to contract with some data specialists to help guide your team’s emergency response?

Finally, with ransomware scenarios, time will be used against you as a weapon. Typically, these threats have a response deadline before the bad actors delete your data. Reasonably comparing your recovery time with the extortion time window will help you better gauge your position in the unfortunate event of these negotiations.

Data Matching Verification

Good recovery processes need to come with data matching verification. This means ensuring the restored data is equivalent to what was lost. Sometimes this is a straightforward process, but it usually is not. It often involves a prolonged but critical process of checking file sizes, formats, and content to ensure all your important work remains.

Part of the issue with the “Toy Story 2” example is they initially thought their backup was working correctly. They could pull up their lost files and return to work with them. Only after some time, and plagued by glitches, did they realize their backups were corrupt. Taking the time to audit that the data recovery was comprehensive saves you the unpleasant surprise Pixar faced when they started working with corrupt files. By the way, this data-matching process should also be a core part of testing to ensure you can count on your recovery solution bringing back everything you lost.

End-User Feedback

As the data-matching process suggests, data recovery can be burdensome. It requires high-level and critical thinking and attention. As such, it can be easy to overlook specific details that may seem small but are critical. Regardless, the data loss you face will likely pertain to your clients. As such, a business practicing good data recovery will engage its end-users to ensure everything has been restored.

I’m not talking about trying to round up a bunch of disgruntled clients who just lost their data by trusting it with you. However, it can be helpful to remind clients regularly that, in the event of a data breach, their willingness and ability to report data loss or restoration will correlate positively with the effectiveness of your recovery process.

Stay Current with Standards

Leverage standards and regulations, even for data backups. Under the General Data Protection Regulation, for instance, data subjects’ requests for deletion extend to backups. This liability requires active management of backups – it’s no longer sufficient to duplicate data and forget it.

The first step in complying with standards is knowing them. As cyber and data security continue to rise as concerns for organizations and the public, regulation will likely improve to close policy gaps and clarify accountability. Organizations which practice data recovery must stay on top of these policies, using them to shape and inform their approach and insulate them from liability. After all, backup plans protect your organization from loss and liability. However, data is sensitive and has to be handled sensitively. Implementing robust recovery processes which hinder your company through regulatory miscalculation would be a tough career move.

Wrapping It Up

It’s not enough to have a plan. Everybody has a plan. Pixar even had a plan. You must put your plan through its paces, ensure it’s timely and comprehensive, get your leadership and clients on board as teammates, and stay aware of regulation. The enemy here lies in shortcuts. With data recovery, they only lead to uncertainty and unvalidated recovery.

There’s a certain degree of gratification which comes with a half-baked plan. You can reap the emotional benefits of feeling like you have something in place. The likelihood of massive data loss is small enough that businesses can trick themselves into thinking that’s what they want – the feeling of security rather than security itself. But the moment disaster strikes, and you’re sweating bullets trying to recover your data, it will become abundantly clear what you needed – a validated recovery plan that worked.
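The check described under Data Matching Verification (file sizes, formats and content) can be scripted as part of each recovery drill. The following is an added example, not code from the article or from any product it mentions; the manifest layout, the use of a file's leading bytes as its format check, and the sample file names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

MAGIC_LEN = 8  # assumption: a file's leading bytes stand in for its format

def fingerprint(path: Path) -> dict:
    """Size, leading bytes and SHA-256 of one file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        magic = fh.read(MAGIC_LEN)
        digest.update(magic)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "magic": magic.hex(), "sha256": digest.hexdigest()}

def build_manifest(root: Path) -> dict:
    """Fingerprint every file under root, keyed by relative path (taken at backup time)."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree to the manifest; list each file under its first failed check."""
    restored = build_manifest(restored_root)
    report = {"missing": [], "size": [], "format": [], "content": [],
              "unexpected": sorted(set(restored) - set(manifest))}
    for rel, want in manifest.items():
        if (got := restored.get(rel)) is None:
            report["missing"].append(rel)   # never came back from the backup
        elif got["size"] != want["size"]:
            report["size"].append(rel)      # truncated or padded
        elif got["magic"] != want["magic"]:
            report["format"].append(rel)    # header no longer matches the format
        elif got["sha256"] != want["sha256"]:
            report["content"].append(rel)   # opens fine, but the bytes differ
    return report

def demo() -> dict:
    """Constructed sample: a three-file source tree and a deliberately damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        (src / "scene.dat").write_bytes(b"SCENE01\x00" + b"A" * 64)
        (src / "notes.txt").write_bytes(b"render settings v2\n")
        (src / "model.bin").write_bytes(b"MODEL001" + b"B" * 32)
        manifest = build_manifest(src)
        (dst / "scene.dat").write_bytes(b"SCENE01\x00" + b"A" * 63 + b"X")  # same size, corrupt
        (dst / "notes.txt").write_bytes(b"render settings\n")               # truncated
        return verify_restore(manifest, dst)                                 # model.bin not restored
```

A file that restores and opens but differs in content, the case the article describes, appears only in the "content" list, which is why a size or existence check alone is not enough.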

Fletus Poston III is the senior manager of security operations at CrashPlan. He has worked in IT and cybersecurity since the mid-2000s. He started his career as an IDS handler. Poston is now an experienced cybersecurity professional with a demonstrated history of working in the financial, utilities, and software development industries. He has a cyber and information technology background, with a master’s degree in information systems focused on information assurance, and holds CISSP, GISF, GSEC, GCED, GMON, and GSLC certifications.
