A new age of disaster recovery planning for SMEs
Today’s data is generated and distributed across highly complex ecosystems–multicloud, hybrid cloud, edge, and internet of things. The risk exposure of enterprises has risen dramatically. Not only large corporations are at risk. Because they lack the resources and expertise, smaller, less skilled companies are more vulnerable.
According to Accenture, more than one-third of cyberattacks are aimed at small businesses, but only 14% of them are prepared to defend themselves.1 Cyberattacks could leave many small and midsize enterprises (SMEs) reeling from financial and productivity losses, operation disruptions, extortion payments, settlement costs, and regulatory fines. Experts say it’s important to plan for when, and not if. Every business must have a plan for disaster recovery and backup. These plans should be focused on IT infrastructure, data and applications. They will help to execute recovery processes after a disaster. This report explains what disaster recovery planning is and how SMEs can implement them in today’s rapidly-evolving cyber environment.
The following are the report’s key findings:
- Cyberattacks have grown more frequent and sophisticated, and SMEs are in the firing line. These data tell a disturbing story. The need for disaster recovery planning is more urgent than ever, due to the pandemic and other geopolitical factors that have impacted our lives and work.
According to one cross-industry study, midsize companies were almost 500% more likely to be targeted by the end of 2021 than two years ago.2 Experts say artificial intelligence-based attacks are rising. Ransomware-as-a-service and, in some cases, deepfakes are also increasing, although most SMEs become victims because of human error.
- A well-built disaster recovery plan can significantly minimize and even eliminate downtime. Business continuity plans include disaster recovery plans. Business continuity plans focus on the overall strategy and policies for recovery after an incident. Disaster recovery, however, focuses more on IT infrastructure, data and applications.
- A well-crafted disaster recovery plan includes clear definitions of recovery time objective (RTO) and recovery point objective (RPO).3,4 Having such a plan is crucial for protecting data and applications against malware and ransomware attacks and could significantly minimize or even eliminate downtime.
- Backups and replication of data are essential for disaster recovery. With cybercriminals spending over 200 days in companies’ systems before being noticed5 and corrupting backups, SMEs need to store their data in multiple formats on different systems or look toward a data replication solution to ensure near-instantaneous recovery. Cybersecurity experts endorse the 3-2-1 strategy6 but some organizations prefer the 3-3-2 approach7 which includes an additional disconnected and inaccessible copy (“air-gapped”) to increase security.
- An unexamined disaster recovery plan could bring enterprises back to square one. Without regular practice runs, disaster recovery plans are ineffective. The speed at which an organization grows or adopts new technologies will determine how often they should be reviewed. Experts recommend that such plans be tested at least once a quarter and updated annually.
This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by the editorial staff of MIT Technology Review.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.
