While natural disasters and other threats to supply chains and business infrastructure remain very much on the experts' minds, the primary topic of conversation on the subject of business continuity in the last two years has been concerns about the increasing sophistication of deliberate cyber-attacks and the difficulty faced by disaster recovery (DR) teams in developing long-term strategies in an ever-changing field. Currently, businesses are trending towards using hybrid cloud strategies in conjunction with traditional data centers, Disaster Recovery as a Service (DRaaS) vendors, and shifting from a reactive stance to proactively protecting their data in the effort to maintain business continuity in the face of both man-made and natural threats.
Note that while most of the trends and challenges currently under wide discussion involve cyber-attacks, business security and continuity experts continue to warn about the dangers of natural disasters, data outages, disruptive technologies, and business interruptions due to "failures in the supply chain, worker strike, factory fires and explosions, and power failures."
MORE SOPHISTICATED CYBER-ATTACKS
- Law enforcement and intelligence communities (e.g., the FBI and DHS) have reported increasing collaboration between nation-states and "organized criminal cyber-attack groups worldwide, especially in China, Russia, Iran, and North Korea."
- Random attacks will become fewer, giving way to "far more pointed, larger attacks" on major organizations in order to gain access to a larger pool of data than smaller organizations have.
- Traditional ransomware and cyber-attacks will be joined by "cryptojacking," using "compromised websites to infect devices and mine cryptocurrencies" by actually bypassing the payment demand step.
- In 2018, there was a 350% increase in ransomware attacks worldwide, but particularly focused on the healthcare industry.
- Worldwide, regulators "are continually enacting new government regulations intended to protect consumers’" data, despite the fact that regulatory compliance has been shown not to ensure data security.
DISASTER RECOVERY TEAMS ARE OUT OF THE LOOP
- Due to the increasing number, type, and sophistication of threats, it has become increasingly difficult for businesses "to develop long-term strategies" that are viable.
- Consequently, disaster recovery (DR) teams in general "don't know enough about cyberattacks" or even what within their own organization might be affected and need recovery.
- DR teams are not sufficiently cognizant that data in the cloud may be stored by a third-party vendor, but that it still belongs to the client and is the client's ultimate responsibility.
HYBRID CLOUD STRATEGIES
- While Gartner, for example, has predicted that 80% of enterprises will migrate entirely to the cloud and shut down their data centers by 2025, others are skeptical.
- There are concerns that cloud computing may, in fact, create additional risks "such as data loss, outages and inappropriate data access because organizations only have limited visibility into cloud providers’ activities.
- Consequently, and due to the high costs of moving data in the cloud, more organizations will scale back on using the cloud for disaster recovery and instead "leverage hybrid cloud strategies and cloud service providers who offer private cloud solutions with predictable cost models."
- Likewise, virtualization is providing more recovery options and "lessening the need to use lengthy recovery protocols" even as it reduces the footprint of a given company's data center.
DISASTER RECOVERY AS A SERVICE (DRAAS)
- Due to the necessity of IT services and data in the modern business world, the kinds of manual workarounds that many businesses developed in prior years are no longer viable and Recovery Point Objectives and Recovery Time Objectives (RPO/RTO) have become shorter than ever before.
- Businesses, particularly established ones and those in very conservative industries (e.g., financial), have been slow to completely migrate their data and infrastructure to the cloud, but are adopting cloud services as a part of their disaster recovery plans.
- In particular, DRAAS is taking the place of the traditional solution of alternate co-locations for a company's data center.
- Even so, as Arcserve’s VP EMEA Mick Bradley notes, "We are still in the early adoption stage of DRaaS and it will continue to evolve over the coming years," arguing that even a technology as old as "tape is not going away."
- The fact that companies are already handing over non-critical business processes to third-party SaaS vendors is already reducing "internal disaster recovery needs" noticeably.
A SHIFT FROM REACTIVE TO PROACTIVE DEFENSES
- Business continuity is currently largely reactive, acting only after being hit by a threat.
- However, experts expect a shift to proactively identifying risks and moving data before those risks manifest.
- This will be driven in large part by organizations's desire to protect their reputation and branding to a public that is watching how they handle disasters and breaches.
- Bradley believes that the real future trend will be to use predictive analytics based on Big Data to take a proactive stance against potential disasters, noting that "the avoidance piece is what we don’t have at the moment and it’s got to be the next big step forward in business continuity."
- In fact, AI is expected to automate the DR process, "intelligently restoring the most frequently accessed, cross-functional or critical data first and proactively replicate it to the cloud before a downtime event occurs."
- A business that was able to predict a disaster in advance would be able to "automatically initiate the movement of data and services to data centers that aren’t at risk."
We began our research by looking for existing reports regarding business disaster recovery and continuity. While there were indeed several, they tended to group challenges into two main categories of potential threats, cyber-threats and natural disasters. They also provided mostly baseline business continuity advice that did not seem to change when we looked at earlier iterations of the reports. Indeed, most are completely in-line with the Small Business Administration's "Disaster Preparedness and Recovery Plan 2018." Thus, we could not use these to indicate “trends” per se, save perhaps a trend of an ever-increasing number of voices calling for businesses to be more proactive in planning their disaster recovery and business continuity.
Therefore, we broadened our strategy somewhat to include articles, white papers, and even blog posts by IT and security experts. This led us to the Disaster Recovery Journal which, though its last “Emerging Trends” article came out nearly two years ago, ultimately led us to several other sources which helped us to have a more complete picture and thus became the backbone of our research brief. We have, as a rule, cited trends attested in multiple sources.