“Let’s start with, ‘should SMBs adopt DRaaS?’ In our opinion, they absolutely should.”

That’s the view of StorageCraft senior director Sean Derrington and he is not alone in the industry as run of the mill cyber security hacks have become disasters for reputations, as well as revenues.

We are all aware of the ramifications under GDPR of a security breech and Derrington adds that there is nothing special about the companies who are now under siege.

“Malicious hacks and ransomware do not discriminate between the size of an organization. Enterprises and SMBs are equally vulnerable.

SMBs might perhaps be even more susceptible given they may not have access to the skills and IT budget of their larger counterparts and targeted verticals, such as healthcare, are often “SMBs” by industry definition of revenue or employee count.”

Such a trend is something that SMBs are aware of, according to Ross Warnock, director of EfficiencyIT, however the process of adopting a disaster recovery system is timely.

“Around 50-60% of small to medium size businesses that we engage with at EfficiencyIT (EiT) haven’t taken on Disaster Recovery as a Service (DRaaS) in any kind form.

However, the thing to remember is that there are many different versions of disaster recovery and any DRaaS strategy will always begin with a thorough audit of the business applications and processes already in place.”

Warnock emphasised that when it comes to breaches its more of a case of when instead of if, a fact that is well known in the industry, but drilled down into the tactics we can expect hackers to employ.

“What you can do with a true DR system is roll back to a specific point in time.

Hackers don’t just get a way in and then hack your system straight away, they’ve mined thousands of organisations until they’ve found somebody that’s left a little bit of a door open and they can get in.

What they’ll do after is expand once they’ve got that foot in, and look for things like administrative accounts, dormant accounts, or gaps in security.

They’ll take their time and then, when they’re prepared and have made all the subtle changes required, they’ll pull the trigger. By that time you could be a couple of days, a couple of hours, a couple of weeks into the hacker being inside your network, in which case you don’t really have any control of your environment. What real DRaaS environments allow you to do is to roll back to a point in time where you know that the environment was usable and was not compromised by the attackers.”

Dante Orsini, senior vice president of business development at iLand said disaster recovery systems have the added benefit of being able to diagnose where a shortfall in the security came but emphasised the importance of multiple backups in multiple locations.

“What we find often is that people typically will have backups. But if they're doing backups daily, weekly, monthly quarterly, that allows them to restore back to several different points in time the question is their ability to do the forensics to figure out what was the source of the compromise and how long has it been there?

So I think the other side of this to be able to restore operations, if you look at the reputation side of it, being able to restore that environment up and running while you're chasing down the forensics is also the other side of it as well.

That's exactly why you have to have both a local and cloud backup, because you need replication for disaster recovery purposes. If you play that out, the trick is understanding how long that threat has been sitting resident in your network.

Having backups can give you the opportunity to recover, however recovering from a backup is a slower process typically depending on the severity of the event.”

One of the barriers to the adoption of Disaster Recover systems is the cost of implementation. Orsini said that the cloud has helped mitigate that challenge.

“It's all relative to the size of the infrastructure footprint, but if you think of it this way, 10 years ago for someone to deliver disaster recovery, internally, you're really looking at probably three times the cost of their local footprint.

Why? Because they have to double that footprint, they have to pay for additional software additional network to connect the two, and then they have additional overhead of a team to manage that replication and test everything else.

Now, if you can reduce that down to simply paying for cloud storage, on a month to month basis, and pay on an hourly basis if or when you ever use CPU and RAM in the DR site, it's dramatically more cost efficient.”

Warnock agreed that cloud has allowed the price of disaster recover solutions to come down adding “With the evolution of cloud and hybrid IT applications it’s far simpler and more streamlined to implement. 

Depending on the application, the business needs and how long you value the physical equipment, cloud can offer a significant number of benefits when compared to historical methods of backup.

Here it’s very easy to make financial gains or improve operational efficiency from not having to operate that environment yourself, which is now delivered separately under a service-lead agreement. 

Rubrik director of market intelligence Rober Rahme picked up on the reputation angle adding that DR strategies can mitigate that risk to reputation.

“Whether from ransomware, a power outage, or a natural disaster, when data services are offline the cost to the business can be enormous. Disaster recovery strategies are defined to manage that risk.

At the heart of any disaster recovery strategy is data protection. It enables you to minimise the downtime of your most important asset: data. Of course, when disaster strikes, time and data integrity is of the essence. You need to be able to instantly recover your data, eliminating the wait that too often occurs between user requests and restoring applications, and enabling business continuity. 

This allows organisations to continue to do what’s important- serve users and customers, until the cause of the outage has been resolved and return to normal operations can be resumed. Every business needs a powerful data protection platform and an effective data recovery plan to enable the IT department to mitigate the consequences of any unexpected incidents.

Organisations are therefore increasingly looking for a data recovery solution that can take one or many workloads from on-premise or in the cloud and relocate it, easily and efficiently. This means that no matter where your data resides, it can be instantly recovered, providing business continuity when disaster strikes.”

“There is another side to the DRaaS cost, and that is the cost of downtime” added Derrington.

“Depending on the source, the cost of downtime is estimated between $5k-$10k per minute. The ease and speed with which a company can recover quickly ends up being the difference between staying in business or not. Our global research highlighted the dilemma SMBs face here.

Only 15 percent of respondents were able to recover from a severe data loss within an hour. Even worse, 40 percent of survey participants believe it would take up to an entire day to recover, while 25 percent estimate data recovery would take them days or weeks. This is why an investment in disaster recovery should be an executive priority for every SMB.”

As for the process of adoption, Derrington said that businesses need to be mindful of vendor lock in.

“Scale, completeness of solution, and service are critical. Can they scale their offerings effectively, at the right economics, and without any impact on their recovery time objectives, recovery point objectiveand service lead agreements?

Working with a single vendor across the entire business continuity solution portfolio can yield massive advantages because they can provide a single technology stack that creates simplicity, efficiency, all of which provide the MSP the ability to scale. However, standardization only makes sense if it is planned.

That’s in contrast to an MSP finding they are being consolidated into a technology platform because of vendor consolidation.

We continue to see this kind of consolidation happen, most recently with ConnectWise and Continuum. MSPs need to be wary of this accidental vendor lock-in and make sure they can opt for best of breed where it makes the most sense.”

Warnock also added that clarity around the subject of what they want from one of these systems is also important.

“There is a lot of Vendors and technologies out there that can offer DRaaS, so it’s important to identify a product and solution your happy with. One that’s going to meet your customers needs and that you know is going to ultimately perform.

As an example when we partnered with Mimecast, we went through a process where we looked at the solution, we looked at the technology and its value to customers, we evaluated the benefits of partnership and were 100 percent comfortable with going to our customers and recommending the product.

I think the danger is where people look from an individual issue or application point and then they start putting in technology in a piecemeal approach, rather than taking the time to fully understand the businesses requirements and making sure all the necessary areas are covered or ensuring there are no gaps or overlap in the solution.”

However, despite these concerns, the consensus is that disaster recovery systems are on the rise in the SMB market, albeit, not as high as it should be.

“We have definitely seen a big uptick in the SMB space in the last few years and I think it's just overall in general, and I think the cyber market is what's driving that” said Orsini.

“I think everybody knows that most organisations do not do a great job. Most IT teams are tax, they're being asked to do more with less and they are trying to keep the lights on.

Traditional disaster recovery is having two data centres, and every time you scale your production, you have to scale your DR site which is really cost prohibitive for an SMB. But in the last several years, it's become the economies of scales have tipped the other way. So now it becomes so cost effective to be able to do this with a cloud provider.

When you look at the risk on the other side, nobody wants to get the newspaper for being down and if you just look at our culture, in the last five years, the tolerance for downtime is nil. That's what the demands are on the business.

The other side of this too is a lot of organisations have got tonnes of pressure to innovate, to help support the business from an IT perspective, and they have less and less time for risk mitigation. So a lot of these organisations are looking at folks like iLand, or our partners that work with us and work with the end customer, as an extension of their team that can actually help drive all those risk mitigation programmes.”