Disaster Recovery Journal Winter 2024

more frequently, backup data as well (in an industry survey, 94% of respondents on average, indicated their backups were also attacked and 57% of those backup com promises were successful). To tackle a multi-faceted attack like this, and successfully bring systems back online, IT teams need to be fully conver sant with recovery systems and confident in their ability to recover their data. The fact that around half of respondents are not confident in their own recovery sys tems suggests a lack of exposure to the full gamut of a recovery situation and what their systems can deliver. fully stress-tested. Setting a standard that is recorded and reported ensures that technically the recovery can be delivered when needed. It also reassures stakeholders the organization is fully protected and raises the question about how senior technical staff report business readiness to recover from an attack or serious data disaster. “ Few organizations get a second chance for disaster recovery when there are serious flaws in the technology, planning and orchestration for recovery, which have not been

Each day that passes after a test has been conducted, the possibility of a corruption, error or something more malicious being silently introduced to the system and data increases. This could then go completely unidentified by the team responsible. If the tests are not thorough and frequent, the risk increases significantly. Perhaps, and by no means set in stone, a “gold standard” for disaster recovery test ing could be twice-yearly, non-invasive full failover tests. These would be sup ported by monthly system boot tests and data integrity checks. In addition to rigorous data validation, testing the ability of workloads (applica tions and data) for failover capabilities needs to be designed into your disaster recovery plan. It should also allow for network and connectivity testing, a criti cal and often overlooked component in the testing process, but an element that so much depends on. Importantly, these tests need to be thorough, frequent, profession ally executed and measured. Skilling up Organizational technical teams tasked with maintaining the IT infrastructure for business-as-usual services often have skillsets aligned to the daily demands of the business. But the skills and experience to bring systems and the business back online after a disaster vary from the day to-day, so it’s not uncommon for IT staff to be unaccustomed with the demands suddenly placed on them in an extremely stressful situation. This is highlighted in the survey where close to 40% of CIOs, CTOs, and IT man agers describe a lack of technical skills as a major concern. Around 40% also say that they are not entirely confident in the backup and recovery technologies deployed, a factor possibly attributed to the lack of skills and experience of evaluating and managing disaster recovery systems in a real-world business environment. When a disaster manifests as an aggres sive ransomware attack, a very different approach is required, demanding experi ence, confidence and an ability to adapt as the situation unfolds. An attack may have compromised production data, and,

You gain experience and confidence from testing and doing it frequently and thoroughly, leaving no opportunity for surprises or discovering weaknesses when they are least expected. Testing under stress conditions Few organizations get a second chance for disaster recovery when there are seri ous flaws in the technology, planning and orchestration for recovery, which have not been fully stress-tested. Setting a standard that is recorded and reported ensures that technically the recovery can be delivered when needed. It also reassures stakehold ers the organization is fully protected and raises the question about how senior technical staff report business readiness to recover from an attack or serious data disaster. Any testing “gold standard” adopted is not always achievable with the tech nology deployed. But what it does is to set a metric, which when accomplished, puts the business in a much better state of readiness to recover from a cyberattack or indeed any other disaster. If the ‘gold stan dard’ cannot be achieved, organizations should consider reviewing their recovery technologies, and planning, and establish why not. Data recovery and disaster recovery technologies are available today with many solutions allowing non-disruptive and frequent testing. Whether it’s the technology preventing non-disruptive testing, resources or the recovery plan not factoring in this crucial phase of the process, it must be accepted that a busi ness’s readiness for absolute recovery is a choice. You either choose it or you don’t. v

“

Stephen Young is the executive director of Assurestor. He is a seasoned business owner and entrepreneur, innovation in tech nology has been central to his career for more than 30 years. Across varying facets

of IT, Young’s experience covers infrastructure, software development, data centres, service and support, IT gover nance combined with management, finance and business development. With roots in software development and ser vice and support, Young’s commitment to detail, thorough ness and uncompromising customer support has been a continuous thread through his businesses and has been a major factor to their success.

18 DISASTER RECOVERY JOURNAL | WINTER 2024