Are You Prepared for a Data Disaster?

August 21, 2018
Chief Information Security Officer
Tomas Honzak serves as the Chief Information Security Officer at GoodData, where he built an Information Security Management System compliant with SOC 2 and HIPAA, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem. Tomas finds his passion in enabling synergies between agile methodologies and a standards-based process approach and is a DevOpsSec enthusiast. Prior to his position at GoodData he led the Quality, Business Processes and Security department at Acision, a former Logica Mobile Networks division. He lives in Prague, Czech Republic and holds an MSc. from Charles University, the oldest university in Central Europe.

In the world of security, you spend every day in the realm of “what if.” What if there’s a breach? What if something goes very wrong, and data is lost? How will we recover from unexpected setbacks?

I spoke about these challenges recently with TechTarget writer John Edwards, who was interested in finding out more about what steps you should take in the data recovery planning process to successfully protect your assets. Hopefully, the day never comes when disaster strikes, but taking the time to think about your response strategy now can keep a bad situation from becoming exponentially worse.

Develop a data recovery plan before you need to

Ideally, you would never need a data recovery plan, and developing one might be fairly low on your current priority list because you haven’t needed one in your professional life thus far. However, you certainly don’t want to find yourself in a situation where you need to immediately take action to recover data and find that you don’t have a plan in place. Even a huge disaster can be reasonably mitigated by having a plan in place. Likewise, a minor disaster could have far more sweeping repercussions if the appropriate steps weren’t taken ahead of time to define what measures are necessary to keep things from getting worse. More importantly, by putting the plan together, you are also conducting a reality check. Is the expected timeline for recovery acceptable to management, to your customers? Can you avoid losing data between the latest backup and the disaster? How will you store the data created between the disaster and the recovery? Creating a full-blown disaster recovery program with a proper business impact assessment upfront is critical to help you analyze potential risks and determine key objectives for your plan, but it’s also costly. If you can’t afford to do a full program, putting your best effort into creating a step-by-step disaster recovery plan can help you answer those questions I outlined earlier, as well as introduce some additional ones.  

Start your data recovery process as soon as a disaster is declared

In the case of a disaster, time is of the essence, so you need to react immediately. Since you’ve already developed a recovery plan before the disaster occurred, you can easily determine the next steps, which will typically include formal declaration of a disaster and activation of your recovery team. Reach out to those key individuals who are authorized to make decisions in times of crisis. If these people haven’t already been designated, you need to contact the executive team and obtain the authorization to move forward before the disaster escalates further. By doing so, you’ll not only ensure the recovery coordinator has the authority to make key decisions (which might be quite costly), but more importantly, you’ll maintain the integrity of your data recovery process, keep things in motion, and avoid doubling up on your recovery efforts or focusing on tasks that are less critical.

Accept that you will lose some data

I know this is hard to accept, but no data recovery plan can be 100% foolproof. Even if you design your infrastructure in a high-availability setup with hot standby, there might still be some transactions that fail. But apart from a few critical processes, it’s unlikely to be cost-effective to attempt to create a disaster recovery plan that ensures that all data is preserved and recoverable by automated means. In the end, there will be data that you can’t recover from backups, but that doesn’t necessarily mean that it’s gone for good.

In many cases, the data has been intentionally duplicated elsewhere. For example, maybe an invoice has been sent by e-mail, and after some manual effort, that e-mail can be used for data recovery as well. It actually makes sense to discuss these alternative sources with the business managers upfront and include them in the recovery plan to achieve a more cost-effective outcome. Such data might also come in handy if something in the planned recovery process fails. In that case, reach out to the business managers as well—there might have been an important file downloaded to their desktop for easy access which can be used to recreate the missing data manually. And if, unfortunately, there’s no way to recreate the missing data, then the appropriate business managers must be made aware of which records were affected.

Post-disaster data recovery planning can be a challenging and sobering process, but ensuring that you’ve developed a plan that has the right steps in place is crucial. By carefully considering your data recovery process, you can help ensure that the effects of a disaster are minimized.
