Cyber Security and your Business Impact Analysis, Understanding RPO and RTO in Disaster Recovery
Kathy Vogler, Communications Manager, Expedient Technology Solutions
Every business needs to survive a disaster and the problems that follow it, yet it is nearly impossible to predict when one will happen. Businesses often treat cyber and IT security as an optional expense, with an attitude of "if it ain't broke, don't fix it." When a disaster strikes, whether a natural event or a cyber attack, don't leave your business unprepared. Planning is what lets you respond quickly.
An important part of your IT and cyber security plan is to work with your IT security provider to complete a business continuity plan that includes a full business impact analysis (BIA). This is usually the first step in identifying the critical systems and components that are essential to your organization's success. Key questions during the BIA include:
Walking through these questions will help you identify key processes and dependencies as part of your overall disaster recovery and business continuity planning. Each step of the plan must satisfy two measurements: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Both are expressed as time intervals: RPO describes how much data loss you can tolerate, measured as the time elapsed since the last usable backup, and RTO describes how much service downtime you can tolerate. Evaluate each system and application independently to get the best return on investment; you may need different arrangements for accounting data, email access, and files stored on a shared drive. The plan needs to be very specific and consider every detail of your business.
How long can your business be without the service before you incur substantial loss?
RTO (Recovery Time Objective) is the maximum acceptable time from the start of an interruption until the service has been recovered and released back to your users. The goal is to work out how quickly each service must be restored and then map out the people, processes, and budget you will need to meet that target.
RPO (Recovery Point Objective) is the maximum acceptable amount of data loss, expressed as time: how far back the most recent usable backup may be relative to the moment of the disaster. It therefore dictates how often backups must be taken and how quickly they must be moved to safe (ideally offsite) storage. The focus here is on your data and your loss tolerance: how much work can you afford to lose and re-create before your business suffers?
Have you ever had a computer crash or lose power while you were in the middle of a huge spreadsheet with lots of data entry, calculations, and detailed graphs? How much time and effort would it take to recover the spreadsheet from your last save, and what happens if you can't recover it and need to start over from scratch? It's simply painful. Multiply that pain by every person, device, and data point in your organization.
Both RTO and RPO determine the type of redundancy and backup infrastructure you need to have in place. Besides time and money, you will need to consider compliance obligations and your clients' trust. At what point would you begin to lose customers? Another factor is your RTA (Recovery Time Actual): the time it actually took to recover when the disaster recovery / business continuity plan was exercised. After planning and implementation, your DR/BC plan requires continued testing to validate that it works. If there are significant gaps between your goal (RTO) and your measured result (RTA), you will want to rethink your strategy to shorten the time it takes to restore service and become operational again.
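The following script, added here as an illustration and not code from the original article, shows how the RTO, RPO, and RTA comparison above can be turned into a repeatable check after each DR exercise. Per-system objectives are recorded once; each test contributes the outage start, the timestamp of the newest backup that actually restored, and the time the service was handed back to users. The script computes RTA and the real data-loss window for each system, flags any system that missed its objective or was not exercised at all, and sorts the objectives into a candidate recovery order (tightest RTO first). All system names, objectives, and timestamps are constructed sample data.

```python
"""Check disaster-recovery test results against per-system RTO and RPO.

Added illustration, not code from the original article. The system names,
objectives and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Objective:
    name: str
    rto: timedelta  # maximum tolerable downtime (Recovery Time Objective)
    rpo: timedelta  # maximum tolerable data loss, as time since the last usable backup


@dataclass(frozen=True)
class DrTest:
    name: str
    outage_start: datetime
    last_usable_backup: datetime  # newest backup that restored successfully
    service_restored: datetime    # when the service was handed back to users


@dataclass(frozen=True)
class Finding:
    name: str
    rta: Optional[timedelta]        # Recovery Time Actual measured in the test
    data_loss: Optional[timedelta]  # outage_start minus last usable backup
    rto_met: Optional[bool]
    rpo_met: Optional[bool]
    note: str


def evaluate_dr_test(objectives: List[Objective], tests: List[DrTest]) -> List[Finding]:
    """Compare one DR exercise against the objectives; untested systems are flagged too."""
    by_name: Dict[str, DrTest] = {t.name: t for t in tests}
    findings: List[Finding] = []
    for obj in objectives:
        t = by_name.get(obj.name)
        if t is None:
            findings.append(Finding(obj.name, None, None, None, None, "not exercised in this test"))
            continue
        if t.service_restored < t.outage_start:
            raise ValueError(f"{obj.name}: restore time precedes outage start")
        rta = t.service_restored - t.outage_start
        # A backup taken after the outage began cannot have been the one restored
        # from; clamp to zero instead of reporting a negative loss window.
        data_loss = max(t.outage_start - t.last_usable_backup, timedelta(0))
        rto_met = rta <= obj.rto
        rpo_met = data_loss <= obj.rpo
        gaps = []
        if not rto_met:
            gaps.append(f"RTA {rta} exceeds RTO {obj.rto} by {rta - obj.rto}")
        if not rpo_met:
            gaps.append(f"data loss {data_loss} exceeds RPO {obj.rpo} by {data_loss - obj.rpo}")
        findings.append(Finding(obj.name, rta, data_loss, rto_met, rpo_met,
                                "; ".join(gaps) or "objectives met"))
    return findings


def needs_attention(findings: List[Finding]) -> List[str]:
    """Systems that missed RTO or RPO, or were never exercised."""
    return [f.name for f in findings
            if f.rta is None or not f.rto_met or not f.rpo_met]


def recovery_order(objectives: List[Objective]) -> List[str]:
    """Candidate restore order: tightest RTO first, ties broken by tightest RPO."""
    return [o.name for o in sorted(objectives, key=lambda o: (o.rto, o.rpo))]


# Constructed sample objectives (hypothetical systems, not from the article).
OBJECTIVES = [
    Objective("accounting",   timedelta(hours=4),  timedelta(hours=1)),
    Objective("email",        timedelta(hours=8),  timedelta(hours=24)),
    Objective("shared-drive", timedelta(hours=24), timedelta(hours=4)),
    Objective("phone-system", timedelta(hours=2),  timedelta(hours=12)),  # not in the test below
]

# Constructed results of one DR exercise.
TESTS = [
    DrTest("accounting",   datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 8, 45), datetime(2024, 3, 4, 15, 30)),
    DrTest("email",        datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 3, 22, 0), datetime(2024, 3, 4, 13, 0)),
    DrTest("shared-drive", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 3, 20, 0), datetime(2024, 3, 5, 6, 0)),
]

if __name__ == "__main__":
    for f in evaluate_dr_test(OBJECTIVES, TESTS):
        print(f"{f.name:13} RTA={f.rta} loss={f.data_loss} -> {f.note}")
    print("needs attention:", needs_attention(evaluate_dr_test(OBJECTIVES, TESTS)))
    print("recovery order: ", recovery_order(OBJECTIVES))
```

In the sample data, accounting was restored in 6h30m against a 4h RTO, the shared drive lost 13 hours of data against a 4h RPO, and the phone system was never exercised; those three are exactly the items the next planning cycle should address. Keep the objectives in version control alongside the BIA so that a change to a system's priority is reviewed the same way a change to its backup schedule is.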
Business Impact Analysis
The key output of the business impact analysis is a list of your critical systems and processes ranked by priority. This list should include third-party vendor software, cloud services, on-premises software, on-premises hardware that affects day-to-day operations (phone systems, employee devices, fax machines), IT infrastructure, and even physical access and security for your property. As you walk through each system, you will record these items:
Ranking all of your systems and infrastructure by priority gives you a clear map of what must be recovered first and what can wait. Identify manual processes as well as automated ones, and include vendor contact information for assistance with each system.
If you are subject to compliance regulations, protecting your data isn’t optional, it is a legal obligation. Disasters happen, cyber warfare is real, and the best resolution is to detail and plan, assign priority duties and communication paths, practice and budget accordingly.