Data backup for SMBs has come a long way from the Sisyphean task of pushing a boulder made of floppy copies, CD-ROM file dumps, and tape drives with a 50% failure rate uphill. Today, error-free remote backups to the cloud are common, but customers now need to think beyond backup and disaster recovery to the bigger picture of business continuity.
Mike Bloomfield, CEO of Tekie Geek in Staten Island, New York, describes a business continuity plan as, “going beyond responding to a disaster to ensuring smooth operations amidst disruptions.”
For Michael Goldstein, president and CEO of LAN InfoTech, an MSP in Fort Lauderdale, Fla. the difference between disaster recovery, incident response, and business continuity “comes down to your tolerance for downtime, and how much you can pay.” Clients who know how much each hour of downtime costs them are more receptive to business continuity. For instance, law firms lose billable hours if attorneys can’t work. “That softens the blow when I give them the ‘Ferrari’ or the ‘Beamer,’ pricing,” he adds.
Dawn Sizer, CEO of 3rd Element Consulting in Mechanicsburg, Pa, explains that a business continuity plan (BCP) identifies and considers “every risk a business has, not just data or cyber incidents,” including loss of a key employee or the entire building. The customer must accept, transfer, or mitigate each identified risk.
What Goes into a Business Continuity Plan?
Every client is different, of course, but Sizer recommends looking at the history of their organization and identifying known threats, then investigating other types of threats or risks. “Include reputational risks and managing public opinion, all legal and contractual risks, and if the organization has compliance requirements to consider,” she advises. “We do a lot of work in the local government realm,” Sizer continues, “and they’re required to have both [BCP and DR] plans, and an Emergency Operations Center.” She creates a documented plan for each situation that a business, or government office, could encounter and tests it regularly.
For Bloomfield, a comprehensive BCP includes all critical business functions and resources. “Disaster recovery is the process of restoring operations post-incident, and incident response is the immediate action upon facing a disruption,” he says. Each BCP must outline clear roles and responsibilities, establish communication plans for crisis management, and set a schedule for regular testing and reviews.
Business Continuity Is Business Planning
Communicating the features and necessity of business continuity to a businessperson can be tricky, says Bryan Herbstritt, president of FidelITech Solutions, an MSP in Salt Lake City. “I have an MBA, and that helps convince prospects I have a full understanding of their business needs.” This avoids explaining to business managers the details of recovery time objectives, recovery point objectives, hot and cold backup storage, and data backup and recovery versus replication, which lets him emphasize the business benefits. His firm works as a virtual CIO for multiple clients, and helps set the stage for policies, procedures, and compliance, as well as implement those procedures.
“Communicating a continuity plan takes practice,” adds Sizer. “A good plan isn’t just a handbook.” Scenario-based exercises must be run, and all employees, contractors, and partners involved in the plan should take part. “Knowing what to do in case of an incident makes communications in a time of crisis less stressful,” she adds. “Having a software package that can step you through the process and documents, reports, and sends notifications is extremely helpful as well.”
“Make the BCP creation a business discussion, not a technical one,” advises Goldstein. “It’s not an upsell, it’s business planning.” In hurricane season, 10 days before a storm is forecast to hit, his team drops everything to verify backups at all his clients. “It gives them the warm fuzzies.” Sometimes they must remind customers, “Replicating to Azure is not backup.”
Herbstritt, an Acronis partner, believes in “The Threes”: file level replication, full system backup both to the cloud and locally, and storing digital assets in at least three places. “We specify a two-server setup even for small businesses, using HyperV to run all the server modules and replicate them to each server. For performance, tasks are split between the two, but each can carry the load if the other one goes down.” Servers are backed up to Acronis as well, he adds, so they can be recovered to every type of virtual environment.
A former Marine, Herbstritt calls his system SemperSync. “Every mapped drive is duplicated live at the file level,” he says. This arrangement is also included in full system backups data recovery capabilities. He can boot physical servers to virtual servers in public clouds or the Acronis cloud. “Clients moved to the cloud for remote users, so we can recover to any other cloud,” adds Herbstritt. “If there’s a disaster on-prem, we can recover VMs in minutes unless the data storage jumps into the terabytes. Doesn’t matter if you’re talking HyperV or VMware replications, with Acronis we can recover quickly to other host machines to whatever is running on-prem.”
Monetizing Business Continuity Planning
Some MSPs charge for BCP planning while others include it in the service price. “For larger customers, we do a proof of concept,” Goldstein explains. “We replicate to Azure, fail over, then fail back. Most customers just want their applications up.” He includes planning as part of the service, partly because, “everyone offers air-gapped backup, most use cloud off-site storage, and do multiple backups for M365 separate from servers, etc., because insurance and regulations now require that.”
More of his clients upgrade to BCP because of cyberthreats rather than hurricanes, which Goldstein used to pitch as a motivator for Florida business. Now, however, “everyone knows someone who got hacked,” he says. “Cybersecurity and ransomware concerns are top of mind.”
Herbstritt puts plenty of attention on compliance and regulations like HIPAA to encourage business continuity planning. “Low cost is a huge influence in Salt Lake City, so we tell them how we do business, our minimum level of services, and let them know a good plan will help control cyber insurance costs,” he adds.
Sizer advises having someone on staff who can offer insight and intelligence to the business continuity planning process. “Everything can be monetized, but not everything can be done without expertise. The MSP takes on a lot of risk and liability to write a plan. If it’s poorly written, you risk your reputation and business.”
“Offering BCP as a service provides businesses with valuable expertise they might not have in-house,” Bloomfield says. However, he provides the service both standalone and as a part of a broader service package for businesses adding a higher level of protection. “That way we keep them ready for any disruption.”
Goldstein notes that every region has environmental concerns, whether hurricanes, tornadoes, wildfire, earthquakes, flooding, or another on the long list of disasters. “But we’re all fighting ransomware and other cyberattacks, and those drive today’s backup.” Take the next step and introduce the necessity of business continuity planning for your customers.