As a result of the Covid‐19 lockdown and the associated increase in working from home, many companies have had to restructure their IT, leading to changes in working methods and processes and potentially creating new weaknesses in IT security. In addition, home office workplaces open up new entry points for attackers, and hacker attacks increased substantially in the course of the pandemic. However, companies and public institutions were falling victim to hacker attacks before the pandemic as well, attacks that led to the “lockdown” of their IT and left the organization unable to act. Especially when operations come to a standstill within seconds, there must be an appropriate recovery plan that allows the organization to restart in a timely manner.
When Justus Liebig University Gießen was forced into a shutdown at the beginning of December 2019 by a hacker attack using the Emotet malware, no one could have guessed its extent. Apparently, the existing emergency plan was not designed for such serious crises, and the shutdown lasted several weeks. Heise Medien Gruppe, publisher of c’t magazine, was also affected by Emotet in mid‐2019; its IT infrastructure had to be completely rebuilt or in part discarded.
But many small industrial companies and service providers are also affected on a daily basis by cybercrime and IT emergencies of various origins and types. A disaster recovery plan, set up and practiced specifically for the company, helps to reduce the extent of damage in an emergency.
What does Disaster Recovery stand for?
Disaster recovery refers to recovering a company’s IT after a disaster: the systematic restoration of IT operations following a malfunction or security incident. This covers not only a company’s data, but also its systems, facilities and networks.
Disaster recovery should not be confused with business continuity management (BCM). Although applied risk management through a comprehensive disaster recovery plan (DRP) is part of a business continuity strategy, this strategy extends beyond the IT infrastructure to the maintenance of a company’s business operations in general.
The goal of the disaster recovery plan is to continue business despite difficult circumstances to minimize the loss of resources and data. To properly design a disaster recovery plan, there are some important points to consider:
| inventory and set goals
| define priorities
| define backup and disaster recovery strategy
| organize the emergency
Identification of critical systems
Which processes are carried out on which IT systems and how important are they in the customer’s day‐to‐day business?
Definition of possible downtimes
How long can you actually work productively without access to a system and after what periods of time does the issue need to be escalated further?
This information is highly dependent on the company’s mode of operation and activity. Here it is possible to determine exactly when which actions are necessary to restore the ability to work. The following can be derived from this:
RPO (Recovery Point Objective) defines the maximum acceptable amount of data loss, measured in minutes or hours, that a company can tolerate. How much time may pass between backups? What data loss is acceptable?
RTO (Recovery Time Objective) defines the maximum acceptable total time from the point of the disaster to the point of full system recovery for the organization. How long can a system be down?
WRT (Working Recovery Time) defines the time until the company can resume normal business operations with all systems and data.
MTD (Maximum Tolerable Downtime) defines the acceptable time for the company after a disaster until all IT services are fully up and running again and normal business can be resumed.
Creation of a data backup concept
It must be precisely defined which data and systems are backed up. It is also recommended that detailed documentation of the data backup operation (the configuration of the backup including details of backup plans, data sources, exclusions, etc.) is created and delivered separately. This can be done on the basis of a standardized template, which is filled in by the service technician during or after the installation. Within the data backup concept the following items should be defined centrally:
| which systems are to be secured
| how often backup processes are performed
| how long data backups are kept
| where the data backups remain
| who has and receives access to the backup
Creation of redundancies
Depending on the previous definition of critical systems and downtimes, an alternative plan should be documented via which productive work can continue at least until the final resolution of the security incident. The restrictions to be expected and the basis on which the redundancy of the productive system can be provided are defined. It is conceivable here to mirror the server system with the last data backup to a loaner server or to a corresponding hypervisor, which does not necessarily have to be located in the customer environment (software as a service).
Creation of a disaster recovery plan
The implementation of the aforementioned points sometimes poses particular challenges for IT service providers because the resulting requirements are technically demanding. To make the processes as comprehensible as possible, solutions that consolidate many of the requirements defined in the disaster recovery plan are a good choice. Common challenges are as follows:
| offsite ‐ Backup data is exposed to the same risks as a live system when kept within the organization.
| verification ‐ Backups must be verified regularly, and their recoverability must be ensured and tested regularly, so that data and systems remain recoverable in the event of a disaster.
| automation ‐ Recurring processes must be able to take place without intervention by the service provider.
| compliance ‐ The solutions used must comply with DSGVO (the German designation of the GDPR, the General Data Protection Regulation), GOBD (the German principles for the proper keeping and storage of books, records and documents in electronic form and for data access) and other legal standards:
- automated and regular backups
- password protected and fully encrypted backups
- keep backup copies off‐site
- verify backup content and backup recovery tests
- limit backup access to administrative personnel
- all backup activities must be monitored
- the ability and knowledge to restore backups quickly
| scalability ‐ backups need to expand progressively as systems grow without incurring additional effort/cost for service
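As an added example (not code from the original article), a small Python checker that turns the recovery objectives defined above (RPO, RTO, WRT, MTD), the items of the data backup concept (what, how often, how long, where, who) and the compliance checklist (automated, encrypted, offsite, tested, restricted, monitored) into one audit over a backup policy. The BackupPolicy model, the 90‑day restore‑test cadence and the two sample systems are assumptions; the relationship MTD >= RTO + WRT is the usual one, which the text defines the terms for but does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class BackupPolicy:  # one entry of the data backup concept (hypothetical model, not from the article)
    system: str
    interval: timedelta                   # how often backups run
    retention_days: int                   # how long backups are kept
    locations: Tuple[str, ...]            # where copies remain, e.g. ("onsite", "offsite")
    access: Tuple[str, ...]               # roles that may read the backup
    automated: bool = False
    encrypted: bool = False
    monitored: bool = False
    last_restore_test: Optional[datetime] = None
    rpo: timedelta = timedelta(hours=24)  # Recovery Point Objective
    rto: timedelta = timedelta(hours=8)   # Recovery Time Objective
    wrt: timedelta = timedelta(hours=4)   # Working Recovery Time
    mtd: timedelta = timedelta(hours=24)  # Maximum Tolerable Downtime

RESTORE_TEST_MAX_AGE = timedelta(days=90)  # assumed test cadence, not given in the article

def check_policy(p: BackupPolicy, now: datetime) -> List[str]:
    """Return findings for one policy; an empty list means it meets the plan's requirements."""
    f = []
    if p.interval > p.rpo:  # the backup interval bounds the possible data loss, so it must not exceed the RPO
        f.append(f"{p.system}: backup interval {p.interval} exceeds RPO {p.rpo}")
    if p.rto + p.wrt > p.mtd:  # usual relationship MTD >= RTO + WRT (assumed; the article only defines the terms)
        f.append(f"{p.system}: RTO + WRT = {p.rto + p.wrt} exceeds MTD {p.mtd}")
    # Compliance checklist: automated, encrypted, offsite, tested, restricted to admins, monitored
    if not p.automated:
        f.append(f"{p.system}: backups are not automated")
    if not p.encrypted:
        f.append(f"{p.system}: backups are not encrypted")
    if "offsite" not in p.locations:
        f.append(f"{p.system}: no offsite copy")
    if p.last_restore_test is None or now - p.last_restore_test > RESTORE_TEST_MAX_AGE:
        f.append(f"{p.system}: no restore test within {RESTORE_TEST_MAX_AGE.days} days")
    if any(role != "backup-admin" for role in p.access):
        f.append(f"{p.system}: access not limited to administrative personnel")
    if not p.monitored:
        f.append(f"{p.system}: backup jobs are not monitored")
    return f

NOW = datetime(2021, 3, 1)  # constructed reference time for the constructed sample systems below
ERP = BackupPolicy("erp-db", timedelta(hours=4), 90, ("onsite", "offsite"), ("backup-admin",),
                   automated=True, encrypted=True, monitored=True,
                   last_restore_test=NOW - timedelta(days=30), rpo=timedelta(hours=4))
FILESRV = BackupPolicy("fileserver", timedelta(days=7), 30, ("onsite",), ("backup-admin", "helpdesk"),
                       rto=timedelta(hours=22), last_restore_test=NOW - timedelta(days=200))
```

Running `check_policy(FILESRV, NOW)` lists every point on which the weekly, onsite‑only file server backup misses the plan, while the ERP policy returns no findings.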
Disaster recovery plan as a must‐have
A disaster recovery plan should contain all the necessary information for the company to know all the necessary steps and procedures in case of an emergency:
| The entire disaster recovery plan should be stored and available in printed form. In addition, several digital copies should be kept at different secure storage locations. Affected persons must be informed about where they can find the disaster recovery plan or its
| Important system credentials and backup passwords must be included in the disaster recovery plan or be easy to find. Again, there should be a written version of the credentials and backup passwords.
| Contact information with the internal contact details of all persons involved in the recovery process must be included in the disaster recovery plan. Likewise, the external contact details of all persons involved in the recovery process (e.g. the IT service provider) must be included in the plan.
Due to the current threat posed by cybercrime, it is essential for both companies and IT system houses to address the issue of disaster recovery. SMEs in particular are usually overwhelmed at this point and need the assistance of an IT service provider. For system houses, the opportunity arises to support their customers and offer them optimal backup services in the long term through standardized processes and templates. A good “Disaster Recovery‐as‐a‐Service” is therefore the logical extension of any managed services concept.
Last but not least
Once the disaster recovery plan has been successfully completed, there are always basic rules to follow when a disaster strikes:
| Keep calm, review documentation from the disaster recovery plan and contact the appropriate people.
| Follow the plan step by step and make sure that the external providers are available when you need them.
| A log should be kept throughout the disaster recovery session until the recovery is complete and normal business has resumed.