Media, business, and IT leaders everywhere are now in the analysis phase of another major cyber-attack. Unsurprisingly, nothing’s new about the ransomware attack method that caused Colonial Pipeline to take its systems offline for about seven days — both its business systems as the target of the attack and its pipeline operations systems as a precaution. The cybersecurity defenses and absolute separation of systems that should be in place to answer this kind of attack scenario are also not new.
What is new is that this attack on critical infrastructure in the U.S. was both successful and had a major, if short-lived, impact on the average American in several southeastern states. To be sure, the run on gas stations was caused by panic, not a real and lasting supply shortage of gas, but it doesn’t matter. Perception became reality. The ransomware disrupted critical infrastructure; in desperation the company paid; the hoarding mentality we witnessed early in the COVID-19 pandemic took over as people emptied gas stations, depleting a basic resource. And it was all fueled (pun intended) by misinformation.
We don’t know much about Colonial’s backup and recovery systems — whether they are on-premises or cloud-based, whether they were a warm or hot site, or if backups (assuming they existed) were also compromised in the attack. We don’t know what Colonial’s Recovery Time Objective (RTO) was either, but it almost certainly wasn’t a week to get back up and running! We do know that Colonial’s experience is a clarion call for businesses to come to terms right now with their disaster recovery “temperature”, or in more accurate terms, their level of disaster readiness based on the nature and needs of their particular business and/or industry. Who requires a hot DR site vs. a warm DR site vs. a cold DR site, amid a permanent reality of escalated attacks?
What’s Hot in a Cloud-based World?
It’s clear that critical infrastructure like the Colonial Pipeline needs disaster recovery that defaults to a secure hot DR site. Few would argue otherwise. A hot site is ready immediately and allows a business to continue operations by providing a mirrored copy of the primary production environment. With energy and utilities infrastructure — fossil fuel, electrical grids, nuclear plants, water supplies — the fundamental stability of society is at stake.
With the best architectural patterns segregating recovery sites completely from compromised systems and free from backdoors, a hot DR site is set up to enable near immediate failover. In the traditional data center model, this means fully replicated, up-to-date data and applications on backup servers and storage, configured and ready to switch to production within seconds. With a hot DR site, service disruption may not even be noticeable, or it may be a matter of seconds until replicated systems take over in production.
Banks and fintech have the same need as the energy sector for hot DR sites, with the population’s working capital, income, savings, and investments all at stake. Transportation including air traffic, food supply chains and distribution, telecommunications, and healthcare systems also rank high among verticals that would benefit from hot failover in order to keep basic commerce and social stability intact.
Why wouldn’t every business maintain a hot DR site in the cloud? It comes down to costs. Replicating all the resources necessary to effectively run a business can be prohibitively expensive or can reduce margins to a level that’s hard for investors to swallow.
But those that operate in the verticals noted above have to ask themselves hard questions. If they can’t afford the level of protection that relentless digital acceleration and hostile cyber-attacks demand, is their business model safe and sustainable? During the pandemic, hospitals and healthcare systems have been in an unusually precarious state, as bad actors have specifically targeted them. Since November 2020, attacks against healthcare organizations have increased by 45% compared with a 22% increase in other industry sectors. For community stability, hospital failure simply isn’t an option.
Warm Can Be Comfortable If There’s a Cushion
Many kinds of businesses find a disaster recovery sweet spot with warm DR sites. More affordable than hot sites, warm sites in the data center model mean that the necessary hardware and software are backed up on servers in a secure location away from the primary data center, that data synchronization is performed frequently, and that network connectivity is set up. Cloud-based warm DR sites are even faster than traditional on-premises sites, enabling boot-ready time in minutes and RTO within a matter of hours in an uncompromised backup scenario.
Warm DR sites work for many e-commerce businesses, educational institutions, the hospitality sector, municipalities, professional and legal services, and manufacturing depending on whom they service in their supply chain. Businesses in these verticals generally can tolerate several hours to several days, or even more, of downtime before they lose so much money that they are forced to go out of business.
And that’s the meaningful calculation:
What’s the average cost of downtime for a particular business in a particular vertical, and does the business have the cushion to withstand a major, but short-lived disruption?
COVID-19 demonstrated that different businesses in the same vertical may be impacted differently, depending upon how they’ve managed their resources for the proverbial rainy day and how complex their IT systems are.
Cold Sites Deliver Longer Return to Operations (RTO) Times
It would seem that very small businesses are unlikely to face cyber-attacks, but this isn’t the case. It’s well documented that hackers have gone after small businesses in general because so few are prepared to defend themselves — only about 14% in fact.
A local business with a dozen employees may be able to effectively utilize the site recovery services that its web service provider offers at an additional fee, but these often have significant limitations. Cloud backup for businesses with relatively small amounts of data is quite affordable, but many owners are absorbed by the act of running their business and don’t put the thought and time into basic IT hygiene.
A cold DR site traditionally refers to simply having a physical space with power, but no hardware or software installed to bring systems back online. With cloud computing becoming the global norm, what constitutes “cold” is shifting, but it still means spinning up fresh services from scratch that were not already on standby or already operational. It remains the slowest route to recovery, i.e. the one with the longest recovery time. Only small businesses that do not rely heavily on digital transactions or data use can remain viable with a cold DR site.
The takeaway is that each business — whether mom-and-pop, startup, SMB, or enterprise — needs to carefully assess the vertical within which it operates and be prepared for a constantly changing digital landscape that makes attacks more ubiquitous. Commercial and social chaos is becoming easier to incite. Cyber insurance won’t solve that problem. Warm or hot DR sites are the digital necessity of 2021 and beyond.
As the U.S. federal government moves to aggressively ramp up cybersecurity for both the public and private sectors, it offers detailed resources, including concrete disaster recovery advice, for free to businesses of every size. See resources from the Cybersecurity and Infrastructure Security Agency (CISA) and from the National Institute of Standards and Technology (NIST).