Posts

Inertia: The Science of Business Continuity

Newtons CradleTo paraphrase Newton’s Laws of Motion (with credit to Galileo) …

Absent an unbalanced force, an object in motion will stay in motion and an object at rest will stay at rest.

While this holds true for objects in a friction-less environment, it holds true for our businesses as well. Our businesses are in motion, working each day to service our customers with rhythms and cycles throughout each day, week, month, and year.

Our business cycles continue, until we meet an unbalanced force.

Some forces we expect, like changes in the economy that occur over a period of weeks or months.  Others forces are event-driven, such as storms, cyber attacks, and key employee departures. The sudden nature of event-driven forces can catch us by surprise, cripple our businesses in the short-term, and disrupt our normal cycles for the long-term.

A Case in Point

A company here in the northeast manufactures and distributes a customized product that customers generally replace or re-order every 2 to 3 years.  80% of the firm’s business is repeat, creating a strong and stable business. The company was hit by ransomware twice in a 3 month period.  The first attack, scrambled their files and their servers, but left their financial system in place.  They lost a day’s worth of data.  The immediate recovery took 3 days; the full recovery took nearly two weeks.  After three days of cleaning systems and restoring data, the company’s systems were up and running. They then had to enter the initial day lost data and all of the business activity for the 3 days their systems were down.  They allocated 1/3 of everybody’s time to recover the data, reducing productivity by 33% and impacting their responsiveness to customers. To enter the 4 days of missing data took over 10 days with the team working part time.

Inertia Takes Hold

This initial event changed the cycles and motions of the company. Whenever dealing with any business activity during the outage and recovery periods, they need to double check to make sure the information entered was complete and correct. And since some activities, like shipping and invoices related to prior activities, they need to double-check these connections.  Long after the two week recovery period, productivity is still down as the company’s daily motion now includes double-checking information that they are not sure they can trust.

Lesson NOT Learned

With so much focus on getting the business back into its normal rhythm, and the additional cost involved, the company did not act on recommendations that could help prevent a future attack and better ensure their ability to recover should a future attack occur. Whether the second attack was a different attack or they had failed to fully clean their systems does not matter.  The second attack was not caught until after the company’s backup server was hit, rendering their backups useless.  The company lost three years of data.

Inertia Creates a New Cycle

To recover from this attack took more than balancing data entry and on-going business. It was not feasible to manually recreate three years of data. While entering about 6 months of data for the fiscal year, they settled for a solution that created new methods and rhythms with long-term effects. They recalled all of their paper records from storage into an expanded warehouse space.  When a customer calls to re-order product they ordered 2 or 3 years ago, they search and retrieve the physical paperwork so they can create the new order. Every returning customer creates a scramble to find the paperwork in short order. Actions required in an emergency become part of the new normal. Inertia.

What You Can Do

You can be prepared with solutions that balance external forces beyond your control.

  • An educated and aware workforce balances the human manipulation that enables cyber attacks
  • Advanced threat, DNS, and web protections balance the forces of cyber attacks hitting us daily.
  • A robust backup/recovery and continuity system balances the forceful impact of disruptive events, giving you the ability to be up and running in hours not days.

If the company in our case study had implemented the recommended solutions after the first attack, they second attack would have disrupted the business for less than half a day — and may not have happened at all. The investment in communication, prevention, and recovery, while not trivial, was minor compared to the short term recovery and long term impact on the business.

If you are not ready or willing to have your business’ inertia redirected by forces beyond your control, now is the time to act.


Contact us for a free, no obligation, Cloud Advisor Session to discuss your business recovery and continuity needs and plans.


 

“Deja Vu?” or “Have We Learned Our Lesson?”

Hurricane Matthew as of 2pm on Oct 4th

Hurricane Matthew as of 2pm on Oct 4th

As of this blog post, Hurricane Matthew is churning through the western Caribbean with a projected path eerily similar to Superstorm Sandy in 2012. In its wake, Sandy left a path of destruction up the East Coast and deep into New England with many families and businesses still in the process of rebuilding. Small and mid-size businesses (SMBs) up and down the eastern seacoast were crippled by flooding, loss of infrastructure, and extended Internet and power outages; many were unable to recover.

Could this be a devastating Deja Vu, or did we learn our lesson?

Have you ensured that your information services and data will survive the next storm? Do you know how quickly your business can recover if (more like when) the next storm hits?

Path of Superstorm Sandy in 2012

Path of Hurricane Sandy in 2012

These questions feel more pressing as our next potential big storm churns towards Florida.

Good. Better. Best.

Your “Good” strategy is Backup. Ensure that you back up all of your critical data. Backups should be off site to a service that lets you restore to new systems quickly and efficiently.

Your “Better” strategy is Recovery. In addition to backups, ensure you have the ability to recovery quickly to new systems or to a temporary data center. When your  Return to Operations (RTO) time lets you continue running your business without significant impact to you or your customers, your recovery plan is sound.

Your “Best” strategy is ResilienceYour business is resilient when you can continue running your business with minimal disruption and with little or no inconvenience to your customers, regardless of the weather outside. By placing key applications and services in the cloud, your business can continue to run whether or not your office is open. With Internet access and a browser, your team can connect and work. And while you still may have some aspects of your IT running on premise, a solid cloud strategy keeps critical systems available and operating.

Resiliency Roadmap

For most SMBs, you should consider having the following services hosted or in the cloud. Depending on your applications and needs, you can use Software-as-a-Service (SaaS) solutions or host your applications on cloud/hosted servers with virtual/remote desktops.

  • Communications
    • Email / Calendar / Contacts
    • Telephony — cloud/hosted Voice over IP (VoIP)
    • Messaging / Voice & Video Conferencing
  • Collaboration
    • File Storage & Sharing
    • Productivity Tools (document, spreadsheet, presentation editors)
  • Key Business Apps
    • Customer Relationship Management (CRM)
    • Account / Finance
    • Service / Support
    • Others …

Creating a Resilient business requires strategic thinking, advanced planning, and solid execution. This is especially true when you have integrated applications and systems that you cannot change in isolation. At a high level, the roadmap is:

  1. Identify the applications and services
  2. Prioritize all applications and services based on the impact in the event of a service outage. Look outward and inward, remembering to consider customer impact.
  3. Starting with your highest priority applications and systems, evaluate if your level or protection: Backup, Recovery, or Resilient protection.
  4. Identify and implement solutions that take you from Backup to Recovery, from Recovery to Resilience, or from Backup all the way to Resilience.
  5. Repeat as you move through your prioritized list.

While you may not have time to make your business Resilient before Hurricane Matthew works its way up the coast, you have options to improve your backups and your ability to recover that can be implemented within hours rather than days and weeks. Think about the value of keeping your business running and ensuring its survival. Act now.


Contact us immediately if you want assistance with your backup, recovery, or resiliency services.


 

Calm Before the Storm: 3 Models for Protecting Your Business

Hurricane
What began as a mild tropical storm season has suddenly become quite active, with multiple significant storms expected to impact the southeast and Atlantic coast and the Hawaiian islands. And while every storm may not be a major hurricane, your business is at risk because our infrastructure is at risk.

Power outages, local or regional flooding, and disruption of communication services continue to increase in frequency as our infrastructure ages faster than our upgrades and as our economy rewards utilities for trimming staff and services rather than trimming trees and keeping current with maintenance.

Are you protecting your business from the damage and risk of disruption?

You have seemingly infinite choices on the types and cost of protection, each with benefits and limitations. Your challenge: pick the solution that is most cost-effective, meaning the time it takes to Return to Operations (RTO) is acceptable given the cost.

To simplify your search for a solution, we propose you consider one of three models:

  • Restoration
  • Recovery
  • Continuity

Restoration

Restoration is the least expensive option.  You backup all of your data and critical systems, including full system images, off-site.  In the event of a disaster, you restore your systems once you have fixed or replaced any damaged or lost equipment.

  • Cost Structure:
    • Scales with the size of your system images and the amount of data you keep in offsite backup
  • RTO:
    • 1 to 3 days once replacement equipment arrives
  • Admin:
    • Must ensure backups include all images and data needed to recovery, including Bare Metal Restore (BMR) for key servers and systems.
    • Must periodically test restore for data integrity and to ensure the recovery process is documented and understood.

Recovery

In addition to keeping an off-site or cloud backup covering all of your data and critical systems, you have the ability to access replicas of your network and servers in a remote data center.  In the event of a disaster, you “spin up” your latest system snapshots and restore any incremental data. You access your mirror network via remote desktop, VPN client, or LAN-to-LAN VPN.

  • Cost Structure:
    • Scales with the size of your system images and the amount of data you keep in offsite backup
  • RTO:
    • 1 to 18 hours, depending on your configuration and needs.
  • Admin:
    • Must ensure backups include all images and data needed to recovery, including Bare Metal Restore (BMR) for key servers and systems.
    • Must periodically test recovery for data integrity and to ensure the recovery process is documented and understood.
    • Once primary systems are repaired or replaced, snapshot backups and recovery move your data back for normal operations.

Continuity

Continuity means your IT infrastructure keeps running, even in the face of disaster or significant local events.  You have multiple options for continuity, including: mirrored networks and systems in remote data centers, remote desktops, virtual desktop infrastructure (VDI), and Desktop-as-a-Service (DaaS) models. In each scenario, your servers, applications, and data live in a redundant, remote cloud data center. You access your environment via remote connection, using a web browser or a small local app known as a receiver.  In the event of an emergency, you only need to provide a browser and Internet connection to be up and running.

  • Cost Structure:
    • Scales with the size of your systems and networks
    • Offsets day to day costs of owning and managing on-premise hardware and software
  • RTO:
    • Immediate, based on Internet availability
  • Admin:
    • Providers typically include standard server admin and management, reducing local need for IT resources
    • Application and data management are similar to on-premise systems
    • Backup/restore capabilities are still recommended to protect against application and/or human error.

Using these models as a guide, you can select a solution that balances cost, convenience, and complexity against the operational needs of your business.


Want to setup or improve your disaster recovery/business continuity capabilities? Contact us for a free, no-obligation consultation.