Drawing on years of experience deploying technologies for some of the world’s leading finance companies, Creative ITC MD Keith Ali advises how a new approach to disaster recovery (DR) is required to protect banking and financial services organisations against the additional challenges of hybrid working.
Traditional DR plans exposed
An effective DR strategy forms the backbone of successful banking operations and always-on customer experience. Yet, the reality is that IT leaders are battling a rising tide of security threats, outdated systems, lack of investment, increasing infrastructure complexity and growing reliance on public cloud offerings.
Hybrid working models are exacerbating the challenge to manage ever-changing IT infrastructures and an evolving threat landscape. Over half of security leaders (52%) feel hard pressed to protect employees’ mobile devices from surging cybercrime. Others reported security back doors left open in seemingly innocent legacy network connections and end-user devices.
The pandemic has exposed cracks in many DR plans. Disturbingly, 71% of CIOs lack confidence in their ability to successfully recover from a DR incident. Lack of regular testing and increasing IT complexity are largely to blame. Almost half (46%) of finance companies haven’t tested their DR solutions for six months or more, while 87% are struggling to orchestrate alerts from multi-vendor security products.
There’s mounting concern that a service outage could seriously disrupt the country’s increasingly cloud-dependent banking system, leading to the UK’s Prudential Regulation Authority increasing its scrutiny of major public cloud providers AWS, Microsoft Azure and Google Cloud.
Traditional replication solutions weren’t designed to deal with current IT complexity, or to adapt to the scalability, mobility and flexibility demands of apps running on virtualised cloud infrastructures. With long-term hybrid working, the demand for data availability and protection is greater than ever. In short, DR plans must evolve.
Why DRaaS is such a hot topic
Escaping the burden of managing business continuity across an ever-growing cloud infrastructure, finance organisations are increasingly moving to Disaster Recovery as a Service (DRaaS). Outsourcing DR to a specialist provider offers a headache-free, fully managed service tailored to organisational needs. A DRaaS provider typically does all the heavy lifting such as planning, design, implementation and optimisation. Premium protection and recovery speed can be applied only to the critical infrastructure and data services that actually need it, with a slower recovery SLA for elements where business impact would be less.
One of the most common reasons finance firms struggle to implement and test resilient DR plans is the cost and resources involved. Without significant Capex investment or the expense of keeping a secondary DR site running, DRaaS replaces in a stroke the cost of hardware, software and people with a predictable monthly expense and burst capacity. DR is the outsourced provider’s sole focus, rather than an unwelcome add-on to already stretched internal IT teams. The provider has the time, skills and resources to dedicate to DR full-time.
Golden rules for DR
The classic (and still the best) way of measuring performance is to focus on reducing the impact of downtime by optimising two key metrics:
- Recovery Point Objective (RPO): The last point in time to which IT systems and applications can be recovered. RPO indicates the amount of data that will be lost. The cost of one hour of lost data can easily hit six figures, so it’s worth reconsidering whether nightly backups (with an RPO of 24 hours) are still sufficient.
- Recovery Time Objective (RTO): RTO measures the time it takes to recover apps and data and for business operations to return to normal. Downtime can result in significant loss in revenue and productivity.
Always aim for the lowest RPO possible, and ensure your solution both includes alerts that warn if you’re in danger of exceeding your defined SLA and enables the prioritisation of individual applications.
To benchmark RTO and tweak your DR plan to minimise downtime, regular testing is essential. That’s where a DRaaS provider adds particular value. As it’s imperative to get users back online quickly and maintain uninterrupted customer service, some DRaaS providers will offer a temporary VDI solution. By deploying a best-of-breed DR technology that requires no downtime in production and no break in replication, they can also perform tests during working hours with no impact on business operations. The provider will repeat this multiple times to optimise your RTO, so you’ll know you’ll always be able to fully recover, as quickly as possible.
Choosing the right partner
McKinsey reports that operational resilience has become a key strategic issue across the banking and finance sector. It’s never been more important for business leaders to ensure that their organisations are robust and flexible enough to deal with a multitude of operational threats. The nature of disaster planning is changing. As cloud and virtualisation take hold, so too does the risk of downtime due to software problems, cybersecurity vulnerabilities and increasing infrastructure complexity. Add to that natural disasters, power outages, hardware failures and human error, and it becomes clear that finance organisations need more robust DR resources in place – and need to be absolutely certain they will work.
A DRaaS solution based on hypervisor-based replication and continuous data protection (CDP) provides a far higher, more comprehensive level of protection and readiness than the traditional DR approaches still in place in many organisations. A scalable, fully managed DRaaS solution from a specialist provider offers banks and finance businesses the added benefit of time and cost savings, improved DR performance and peace of mind, bringing certainty of business continuity in an uncertain world.