Answered by Hemant Harie, Managing Director at Gabsten Technologies

1.What is the difference between Disaster Recovery and Business continuity – aren’t they the same?

Business continuity is around the overall plan of how to ensure an organisation runs optimally, leveraging its people, processes and technology. Disaster recovery (DR) focuses purely on the technology and related processes an organisation needs in order to fulfil the IT function and ensure business continuity. The DR plan falls within the scope of the business continuity strategy.

Although many businesses tend to label both under the same practice, a business continuity strategy allows people within an organisation to access all business applications, plans and processes, whereas the DR plan ensures that those applications are made available. For example, if a business is affected by a flood, the business continuity strategy will take into account every facet of the business, from damage control, to ensuring IT functionality, to restoring a safe working environment; the DR strategy will purely focus on recovering the business’s technology, restoring data and ensuring the business can access all systems again.

2. With an increase in cybercrime globally and locally, what does the current landscape look like and are incidents occurring on a regular basis?

There is a lot of news about international cyber incidents, but few local incidents make it to the news. For this reason, it’s impossible to accurately determine the local threat landscape. Locally, organisations tend to avoid disclosing cyber incidents due to the reputation damage that a business can suffer as a result. Until legislation deems it a requirement, it will continue to be difficult to understand the local threat landscape.

However, South African businesses do need to consider the international threat landscape as relevant to local businesses and, rather than contemplating how to recover from an attack, should be looking at how to prevent them altogether.

3. How can businesses protect themselves from cybercrime?

Many organisations are putting preventative measures into place, however, they need to consider two, often overlooked, factors. The first is ensuring that the measures put in place are updated regularly to protect against the latest cyber threats. Organisations often invest in cyber security solutions, however these are only effective against protecting against current threats. As new threats emerge, businesses need to adapt and update their cyber security accordingly.

The second consideration is that businesses need to not only focus on threats entering their business, but also to look at what leaves their business. An emerging trend to circumvent cyber security measures is for syndicates to strategically place people within a business in order to access their data. That, coupled with the existing threat of disgruntled or uninformed employees intentionally or accidentally compromising a business’s data, means that businesses must be proactive in monitoring data activity within the business and checking what data leaves, too.

4. What does the foundation of a business continuity plan consist of?

The most important aspect of any business continuity plan is ensuring it remains current and is reviewed and updated on – at least – a quarterly basis. Risks and processes should be continually assessed against the backdrop of the current digital world, and any new systems, people or processes, and the plan should be updated accordingly.

The plan should also be regularly tested – something that many organisations don’t do frequently or thoroughly enough, except where it is legislated, such as in the financial industry. Often, businesses only discover the failure of a theoretical plan when disaster strikes, and then it is too late. It’s important to bear in mind that the entire plan does not have to be tested all the time, every time, as this can be a time and resource drain for larger enterprises. However, organisations should prioritise business critical systems according to risk, dependencies and core value to business, and ensure that the strategies in place for these are functional.

5. Do organisations need a disaster recovery team?

A DR team is critical to ensure that strategies and plans are carried out according to policy, taking into account every aspect of the business. It’s vital to ensure that the team comprises members from every business department as this team is responsible for disaster management across the entire business. This ensures no department, or interdepartmental dependency, is overlooked, and identifies which systems are business critical according to those departments.

An IT team may consider specific systems to be priority, however may not understand the dependencies of a department on another system or, in fact, how the department operates the system. Having members from each department engenders a holistic understanding of the end-to-end processes, while also giving key insight into system functionality.

6. What are some of the challenges organisations face today, when it comes to planning for disaster recovery and business continuity?

I’d say one of the biggest challenges organisations face with regards to business continuity and disaster recovery strategies is a lack of resources and funding from top-level management. Technologies and associated backup plans are still considered “grudge purchases” and aren’t often given enough budget until a disaster actually occurs. There are cost effective options that organisations can explore, with the increased accessibility to the cloud and associated managed services, this means that contingency plans don’t always require massive capital outlays anymore.

Another challenge is that the business continuity strategy and DR plan don’t always align. Too often, the former is driven by business, while the latter is assigned as an IT responsibility, resulting in a misalignment of the two. For example, while the DR strategy may be updated quarterly, the business continuity strategy may be updated annually, meaning that any changes made to the DR plan is not taken into account by the business continuity strategy. Businesses need to update both at the same time, and ensure they are always in alignment.