Cast your mind back – way back – to the late-1990s and the memorable first instalment of The Matrix. The mind bender contains plenty of memorable lines, prominent among them Mr. Smith’s quiet menace as he intones ‘Do you hear that, Mr. Anderson? That’s the sound of inevitability’. And in a moment, I’ll get to exactly what inevitability has to do with backups and disaster recovery (and why it’s essential to know the difference between these disciplines).
Before that, note that while we haven’t yet pinned down the precise sound of inevitability, we have managed to identify the inevitable. And security incidents are it.
You never really need look long, hard or far to find examples of serious information security breaches. They make the news all the time. Or, more accurately, it is the big or truly egregious ones which make the news all the time. The great majority happen right under our noses, all the time, every day. Mr. Smith would have a field day with it.
Probably the biggest question which must be asked when it comes to security breaches is also among the simplest: ‘why?’ Why are systems so prone to compromise? Why does software appear to be so poorly written that it has to be constantly updated? Why is security, despite the billions of dollars thrown at it, never ‘complete’?
But there is an answer, of sorts, and it has less to do with technology and software, and far more to do with people.
Technology and software are essentially neutral agents. They only do the bidding of the people in charge of them. If the people were all agents acting for a common interest, security just wouldn’t be an issue.
But it is owing to the nature of the actors that systems, software and information become suddenly and inevitably insecure. Because where there is opportunity for gain, the darker aspects of human nature will be inclined to exploit those opportunities. Most of us do that by fair means. Plenty of others do it by foul.
What this means in practice is that information (and systems and software) can never be made secure once and left in a secure state. When there is the enormous complexity which characterises even the most rudimentary of business technology systems, there are innumerable moving parts, each of which on its own presents potentially multiple opportunities for exploitation. And if all of that had a sound, it would sound a lot like inevitability.
The next question which arises, then, is how to cope with the inevitable. There’s a whole industry dedicated to it, but among the most fundamental of tools are a backup and a disaster recovery plan.
But, do you know the difference between the two? It’s this simple (and profound):
- Backups take you back in time to access your data as it was then. Yes, it is Matrix-like.
- Disaster recovery allows you to bounce back when something major happens which interrupts the usual flow of business.
Now, there is a lot of interaction between these disciplines, which is why they are often confused. For example, you are unlikely to be able to enjoy a sound DR capability in the absence of backups; backups are necessary, but not sufficient, for a DR capability.
It’s important to consider why you need each of them, understand what to expect, and when each one applies.
- Backups protect data, not systems.
- DR protects systems and data.
Data is just stuff stored somewhere. With the cloud, backups have become so simple that they really shouldn’t be overlooked by any organisation, ever (but people being people, they are constantly overlooked anyway).
Backups become crucial in many instances, ranging from the laptop that died, to accidentally deleting something important, and the all-important use case of a malware attack – in many instances, a simple restore to an earlier state can remove all traces of the malware. Just please, make sure nobody opens that dodgy email again.
As implied, DR goes much further, and it also steps up when ‘special’ things happen. That could be an earthquake (and in New Zealand, it often is).
It could also be something not quite as earthmoving, but still devastating to business operations, like a server failing. DR can include everything from failover technology services, right through to failover desks, chairs and premises. All this will depend on the kind of business you operate.
Both backups and DR should be a core component of business governance.
Remember inevitability? With detailed plans documented and the right measures in place, when the inevitable happens and you’re hacked, or malware strikes, you should know what to do. Your business’ survival might depend on it.