It's a thorny problem: how much does a company need to spend on business continuity in order to feel ‘safe'?

On one hand, most businesses are reluctant to throw substantial sums at protecting IT systems from events that may never occur. On the other, they're even more reluctant to find out how long they could survive, if a mission-critical system was wiped out.  

Instead, the focus should be on appropriate spending, says Jan Zelezinski, strategic architect at Logicalis. "Businesses need to strike a balance between the level of business risk they can tolerate and the cost of perfect security," he says.

"If you spend enough money, the technology is available to ensure that you never lose any data and you never experience any downtime. But is that level of spending really necessary? Almost certainly not, given that some systems are much less mission-critical than others," he explains.

When smart companies formulate business continuity plans, Zelezinski says, "their first concern is how quickly they need to get their business running again; their second is how much data they can afford to lose."

That's where two vital metrics enter the discussion: recovery time objective (RTO) and recovery point objective (RPO).

The RTO is the maximum time between an event and the time at which a system must be returned to operation. The RPO, meanwhile, is the maximum allowable data loss, often thought of as the acceptable length of time between the last available back-up, and the time a disruption occurs.

With these metrics pinned down, it's possible to allocate business continuity budget appropriately. The systems with the lowest RTO and RPO windows need the highest levels of protection - they may need to be replicated in their entirety at a secure, offsite location, for example. At the other end of the scale, it may be sufficient simply to back-up some systems to tape, on a weekly basis. 

Without those metrics, however, companies face an unappetising choice: a business continuity strategy that is over-zealous and prohibitively expensive, or one that is achieved on a shoestring but leaves them highly vulnerable to a downtime disaster.

Your Comments and Questions

Janner N, about 1 year ago

thanks ian - i am sure it is human error in my case...the issue seems to be proving it was theirs!

Ian Hodgson, about 1 year ago

Unfortunately, the level of data security provided by a managed service provider will only be as good as the competence and capabilities of the service provider's ability to do the job properly and the appropriateness of the technologies deployed to secure such data. As we all know, there is always room for human error whether the data protection is supplied in-house or by an external service provider. Many organisations also rely on 'old' tape technologies for back-up and archiving data. This medium has always been prone to a certain degree of failure especially on media that is recycled and is damaged physically due to wear and tare. For this reason many organisations are now looking at more contemporary solutions to copy primary and secondary back-up of data to disc and only use tape as a third level back-up and archiving media alongside other low cost media such as worm drive and optical disc technologies for long term data retention. What this means commercially is the more resilience required, the greater the investment in a robust multi-layered data retention and back-up solution. Indeed, all this as part of a comprehensive Information Lifecycle Management (ILM) strategy. In Logicalis, we work with our customer's to define such an ILM based solution that is obviously influenced by their commercial criteria which will vary according to the criticality of the data to be protected. Such solutions are usually greatly automated so that the room for human error is reduced to a very minimum. Legislation and best business practice is now pushing many organisations to raise the levels of investment they need to make to comply with these industry benchmarks. Unfortunately, being very realistic, the less that is spent on protecting data then the higher the risk that there will be losses of some form. In some cases the impact of data loss can be extra-ordinarily injurious to an organisation so the costs of enhancing this provision must be borne against such potential.

Janner N, about 1 year ago

i have lost data through my server despite the outsourced provider (a mid tier ISP) providing data back up services. Whatever the SLA provided, it has come back to trust and service provision ...or lack of it..

Edward3 Charvet3, about 1 year ago

this can be done on an outsourced basis for companies that want to focus managing the cost and minimising the impact, but having lost data in the past through an oversite by a service provider it is clear that sla's need to be tight...but trust is the main element.

What's Your Question or Comment?

Name

Email Address

Your Website URL (please include http://)

Your Question or Comment

type the text from the image