Disaster Recovery for the SMB
December 30, 2014
I recently conducted a short survey involving people I know with small and medium organizations, and those I have previously done work for, all of them in the range of 2 to 200 employees. One of my questions involved the areas of risk management that were keeping them up at night. Given all of the recent high-profile security breaches, I expected that information security would be at the top of the list. I was surprised, however, to find that the top vote getter was disaster recovery/business continuity. In a seeming contradiction, most respondents indicated that they had an existing service provider capable of helping them with it. Thus, my attempt to get an answer via a survey left me with more questions than I had before, one of which was why people who understood the importance of disaster recovery planning and knew who to call for help were still very bothered by the subject.
In a recent study, Gartner reported that only 25% of SMBs have a formal DR plan in place. Based on my personal experience, that percentage sounds high. Yet, if the results of my survey are to be believed, most of those who don't have one understand their need and know who to call for help, and yet, most don't act. Curious.
In thinking through this conundrum, I reached the following conclusions about why there is not better adoption:
It can't happen to me - Many SMBs feel invulnerable. They can't imagine that they will be the next fire or flood victim.
I have more important things worrying me - SMBs often struggle to compete, even in a good economy. That makes it easy to get so focused on day-to-day business that long-term issues get lost in the shuffle.
It's too hard - My gut tells me this reason tops the list. DR is a seemingly big and complex topic which is very hard for people to get their arms around. Large companies with big budgets struggle with this topic, so it is not surprising that SMBs would.
I could quote a myriad of statistics from the Internet about how likely an SMB is to go out of business after a disaster. I often hear numbers between 75 and 80% thrown around, although I can't find any sound analytics behind these. That being said, give some realistic thought to your situation - how hard do you think it would be for your organization to come back from the loss of your facility and many of your critical records?
The bottom line is that you need a DR plan, and one that works. Failure to have a plan will put your organization at risk in the event of a disaster. While people automatically think of a fire or flood when disaster is mentioned, disasters can take many forms, and as we must respond more and more quickly to customer demands in order to compete, a disaster does not have to be big or lengthy to have a major impact. Consider the following examples:
Snowstorms (for those in Atlanta, remember Snow Jam 2013?)
Significant information security failure (If you are not convinced, just ask Sony)
Sudden loss of a key staff member with much unique information in his/her head
Loss of an old, mission critical server (I had a customer a few years ago that had a motherboard failure in an old server. Because of their old RAID level, they could not remove the drives to access the data).
Lengthy data center air conditioning failure
Essentially, a disaster is anything that significantly disrupts your ability to respond to customer needs in the customer's timeframe. Many SMBs would find their customers moving to a different vendor very quickly.
Hopefully, the above has convinced anyone sitting on the fence about the importance of having a working plan. For those worried about the difficulty of developing a plan, I will in my next post seek to convince you that a DR plan for an SMB is much easier to do than most think, and will give you a seven step plan to do it. Stay tuned.