Research suggests that many midsized businesses are not prioritising disaster recovery planning until they experience a disaster or data loss themselves. According to a survey by global security company Symantec, the cost of not being prepared is high, and could potentially put a midsized business at risk of going out of business.

The “2011 SMB Disaster Preparedness Survey” found that half of the respondents did not have a plan in place. 41% said that it never occurred to them to put together a plan and 40% stated that disaster preparedness was not a priority.

According to IDC senior market analyst, Vern Hue, the reality in Australia and New Zealand is that many midsized businesses do not have a disaster recovery (DR) strategy, as they don’t understand the benefits of DR.

“Sadly, many organisations only realise this until after a scare, which shocks them into making DR decisions,” says Hue.

However, IDC is seeing an increased uptake of DR in local midsized businesses, as many are starting to appreciate that not having a DR plan could have grave implications on their business.

“The recent natural disasters in the region have given them a sobering wake-up call.”

There are even indications towards a steady growth of DR in the midsized business space, brought on by the improving economy.

”Another trend we are seeing is the availability of storage of data in virtual and cloud environments,” explains Hue. “This could be a more cost- and risk-effective DR strategy for most.”

Hue sees a number of advantages with outsourcing.

• Firstly, cloud-based solutions are safer, in the sense that the data is stored off-site, perhaps in another country, whereas local tape and disk backup could be destroyed if a natural disaster hit.
• Other benefits of outsourcing DR include lower operational cost and having an industry expert handling your DR functions, says Hue. This allows the organisation to concentrate on what is really important – growing the business.

On the other hand, business owners and IT managers need to understand that it is vital for them to play the lead role in ensuring the appropriate governance is in place, and not “blindly leave it in the hands of managed service providers,” warns Hue.

Smaller companies, that don’t have an IT department, could have a lot to gain by adopting an outsourced solution. But even if you have the skills and resources to manage DR in-house, you might want to prioritise those resources elsewhere. However you choose to do it, having a DR strategy in place will reduce the risk of losing customers, losing data – or worse – going out of business, in the event of a disaster.

Business continuity is crucial to the ongoing success of your organisation, as it protects your investment, your business, your IP, your brand and your ability to earn revenue.

Business insurance is often thought of as the answer to IT operational risk. But while business insurance is effective at providing financial compensation to recover costs and loss, it doesn’t directly address a business’ ability to continue servicing its clients thereby protecting brand and future revenue.

If you have a serious outage to the point you’re unable to operate the business, no level of business insurance is going to be enough. Midsized businesses need processes to protect them from risk and provide them with the shortest possible recovery time.

Cloud delivered services are fast becoming the cost-effective way of implementing resilient IT operations.

Can I trust a third party to recover my data?

It is safe to entrust resiliency to a third party as long as they are a reputable, mature provider who can deliver on performance SLAs and can demonstrate their data protection model is in place.

Isn’t business insurance enough to protect me?

Business insurance provides financial cost and loss recovery, not data recovery. This means it can’t protect your brand, your revenue, your clients or the continuity of your services if something were to happen to your valuable business data.

How do I know where to start?

Define the core business functions that support what you deliver to your clients. Then, prioritise when business processes are most important in keeping those functions operating. Where processes are IT enabled, focus on identifying risks to IT service availability and addressing any gaps.

Can I do this myself?

The process of establishing gaps and remediation options is not always easy for midsized businesses, so this is an area where consultants can certainly help by supplementing your workforce with specialised practitioners and accelerating the closure of business risks.

Is it cost-effective?

The process analysis functions can often be performed quickly and comprehensively when handled by a reputable third party. A good IT resiliency strategy will focus expenditure to only those areas that really need it. A ‘one-size-fits-all’ strategy can lead to risk exposures and inefficient allocation of IT investment funds.

Do I have to use a small operator if I’m a midsized organisation?

Large organisations like IBM are equipped to service companies of any size. Particularly helped with the availability of a suite of robust and proven cloud services, scale is no longer the issue it used to be. There is a variety of services designed to specifically address IT operational availability, data protection and recovery.

Is using the cloud expensive?

Cloud services have proven to be a very scalable and cost-effective way to procure these types of services from a third party.

Continuity is crucial to a business because it represents that organisation’s past, present and future. Making financial provisions cannot protect or recreate those parts of a business. Businesses need to seek help from reputable organisations with experience in protecting and recovering vital functions and information.

The question has never been more pressing. Today's organisations are constantly pushed to be operational 24/7. New technologies are emerging all the time. More people are using smart devices, and wanting to connect these devices to the corporate network. On top of that, threats are becoming increasingly sophisticated. Hacking, which was once the domain of 'script kids' out to have some fun, has become an industry in itself with businesses created solely to conduct cybercrime.

Midsize businesses traditionally suffer when it comes to risk management. While internal experts exist in larger organisations, the fundamentals of managing risk in a midsize business often fall with the 'IT guy' or, failing that, the general manager. As business resiliency expert Craig Coffey explains "A lot of organisations suffer specifically when they have a single point of failure or they have limited skill sets within their team. If you're relying upon one or two people to be there to save your neck, things can go badly very quickly."

This lack of dedicated resources can result in patchy security and poor resiliency, which is why the argument for using contracted services is gaining traction.

A service provider can help businesses manage risk in a number of areas. Firstly, by ensuring compliance with industry regulations, including the Payment Card Industry Data Security Standard (PCIDSS). Secondly, by conducting assessments to identify network vulnerabilities. And finally, they can provide ongoing security and resiliency services to help minimise the risk of a breach and ensure the right measures are in place in the instance that something does go wrong.

While some businesses may baulk at the idea of entrusting risk management to a third party, it isn't necessarily a matter of handing over the keys to the castle. Many organisations choose to pass off components of their risk profile, while keeping the overall management in house.

Disaster recovery, for example, is one area in which the benefits of working with a partner can be easily gauged. While specific requirements vary for each business, an alternate premises for operations is often needed – something organisations can struggle to secure on their own. As Craig explains "Disaster recovery is definitely the type of service that lends itself to out-tasking. A vendor can essentially have the site, the facilities, the equipment, the people on standby, which means the organisation can be up and running relatively quickly."

The key to working with a third party is finding the solution that meets your organisation's unique needs. A service provider may best assist you by handling a one-off task, such as providing an independent assessment of your overall security posture. Alternatively, your in-house security staff may be stretched and want to siphon off monitoring or management tasks to allow them to focus on looking after the network.

Effective risk management is essential for every business. "A lot of people approach it in terms of the dollars that are lost if they're not selling," says Craig. "Those tangible impacts are definitely important, but it also comes down to those intangibles such as your reputation and your ability to be seen as a reliable company in the market." Engaging a service provider can be a valuable step in ensuring your business gets risk management right.