Disaster Recovery: Two Questions Worth Asking

If you live in Massachusetts and own a car, one thing is certain: in order to operate it legally, it needs to be insured.

However, as all car owners know, there are many additional — optional — levels of coverage.

Consider the option known as “Substitute Transportation Coverage.” As the name suggests, STC provides (some) reimbursement if you have an accident and need to rent something else while your vehicle is being repaired.

Is STC worth paying for? It depends…

If you live alone and commute by car to work every day, it might be worth buying. On the other hand, if you work remotely and have a spouse who also has a vehicle, maybe you can manage for a week or two while your car is in the shop.

What Are You Willing to Risk?

In many respects, managing operational risk is like buying insurance — there are a lot of options, most of which trade off coverage with cost. Here as well, the answer to what’s worth paying for is also, “it depends.” Every situation and business is different. 

Assessing the type and degree of coverage you need generally comes down to two critical questions:

#1. How long are you willing to be down? 

Seconds, minutes, hours, days … what’s your tolerance? In the IT world, we refer to this as “Business Continuity” (BC) — making sure you can continue to operate. The degree of urgency in getting back up and running will dictate how much you are willing to spend to protect against BC interruption.

For example, one of our clients, a restaurant, lost its internet connection and was down for several days, preventing them from processing credit card charges in real time. Fortunately, because their Point of Sale (POS) system stored transactions locally, they were able to batch them until things were back up. Plus, because the vast majority of credit card transactions are valid, there was little risk of fraud.

Compare that to another client in the financial industry. Their business involves active trading; they are entirely dependent on a functioning internet connection. Companies of this type will often provision two different connections from two different companies, sometimes even requiring that the lines enter the building from two different sides, in order to guard against an errant backhoe.

#2. How much data are you willing to lose?

Disaster Recovery (DR) focuses on the data itself — how much can you afford to lose and what would it take to recover it following some type of negative event, such as a building fire or malware attack.

One of our clients is a town police department. When one of their staff clicked on a harmful email link, all of the files on their shared network drive became encrypted and a ransomware demand was received (that’s right, the police department was being held for ransom).

Fortunately, they performed daily backups, so after shutting down the problem computer, we were able to restore all of their files within 30 minutes.

Everything is a Trade-Off

Of course, it would be nice to have total redundancy and real-time backups across your entire operation, ensuring that your business continues to function under all circumstances and no data is ever lost. But none of that comes free, which means a cost-benefit analysis needs to be made.

Some things to consider…

What business are you in?

A bank can’t afford to lose any data or be offline for long. It requires multiple levels of redundancy, high-speed backup capabilities, and enough network capacity to handle all of this.

A college professor on a university network, by contrast, has much more modest requirements.

What aspects within your business are the highest priority?

In last month’s newsletter, we explained that different people and functions in your organization have different needs regarding computer type and performance. The same concept applies to BC and DR within your business.

For example, while our financial services client mentioned earlier needs bullet-proof internet access, they can manage just fine if the payroll system or even the air conditioning shuts down for a few hours.

In other words, not only do “one-size-fits-all” solutions not apply across businesses, they don’t apply within them either. Rather, it’s important to differentiate based on the two critical questions above.

What would you do if X happened?

At the end of the day, the question of how much “insurance” to buy comes down to making a clear-headed assessment of what could go wrong and thinking through how you would respond if it did.

This decision necessarily incorporates your risk tolerance, financial wherewithal, and assumptions about what might occur. As mentioned earlier, there’s no right answer and the particulars of every situation are different.

Whatever you do, the key is to avoid being taken by surprise or having these decisions made by default. Be as proactive as you can in evaluating where you stand, what you have to lose, and what you are prepared to do and spend to guard against it.

Feel free to get in touch if we can help think things through.
