SMEs must plan for recovery from cybersecurity attacks amid shifting threats, says MIT Technology Review Insights
November 2022 by MIT Technology
A new report by MIT Technology Review Insights explores why cybersecurity attacks pose an existential risk to small and midsize enterprises (SMEs) and how they can plan for disaster recovery in case of an attack.
The report, "A new age of disaster recovery planning for SMEs," is produced in association with OVHcloud and draws on in-depth interviews with cybersecurity experts from technology firms including VMware, Fortalice Solutions, and 451 Research. The findings are as follows:
Cyberattacks have grown more frequent and sophisticated, and SMEs are in the firing line. The data tells a worrying story. With the pandemic, along with geopolitical factors, causing shifts in how we live and work, the case for disaster recovery planning has never been more urgent. According to one cross-industry study, midsize companies were almost 500% more likely to be targeted by the end of 2021 than two years ago.
A well-built disaster recovery plan can significantly minimize and even eliminate downtime. Disaster recovery plans are a key component of business continuity plans. While business continuity focuses on overall strategy, including policies and procedures for recovery following an incident, disaster recovery focuses on IT infrastructure, data, and applications. A well-crafted disaster recovery plan includes clear definitions of recovery time objective (RTO) and recovery point objective (RPO).
Backups and replication of data are essential for disaster recovery. With cybercriminals spending over 200 days in companies’ systems before being noticed and corrupting backups, SMEs need to store their data in multiple formats on different systems or look toward a data replication solution to ensure near-instantaneous recovery.
An unexamined disaster recovery plan could bring enterprises back to square one. Disaster recovery plans are essentially pointless without regular practice runs—and how often this practice should be done depends on how fast an organization is growing or adopting new technologies. Experts say such plans should be updated and tested at least annually, and ideally every quarter.
"Today’s data is generated and distributed across highly complex ecosystems—multicloud, hybrid cloud, edge, and internet of things," says Kwee Chuan Yeo, editor of the report. "Enterprises’ surface exposure to risks has ballooned. It’s not just big corporations that are at risk. Smaller, less sophisticated companies are easier targets due to their lack of resources and expertise."
"While having the right disaster recovery plan for your business needs is critical to your business continuity, it’s just as important that sufficient measures are taken to ensure IT resilience can be achieved at both the software and infrastructure level," says Jeffrey Gregor, OVHcloud US General Manager. "Distributed data protection, as the name implies, is when your data is distributed across multiple geographical locations. Making your data available in more than one place helps achieve a more robust disaster recovery plan in the event one location is compromised."