January 2, 2024
As an IT leader, do you know if your Ransomware/DR solution is being tested on a regular schedule?
If you can’t answer this question or the following questions, you are at risk of financial loss or of adversely impacting your company’s reputation should something happen. Many organizations expect the solution provider or a service provider to ensure their protection will meet their requirements should the unfortunate happen.
Don’t assume that others are providing adequate protection. Test! If something happens and you are not able to keep your business running or bring the business back up within the times spelled out in your DR plan, as an IT leader, you will be the one held responsible. While your provider may be a very reputable company, the only way you can ensure that it will be available when needed is to test and test regularly.
If you are not testing regularly, why?
1. Is it because there is a cost associated with testing?
2. Is it because other things are taking priority over regular testing?
3. Are you expecting your service provider to conduct testing and they are not?
4. Is it because you are being told by a service or cloud provider that the solution is solid, and you don’t need to worry?
If any of these apply, you are at risk!
1. If it's the cost associated with testing, you must ask why.
• Some vendors charge for testing; this may come in the form of professional services because the solution is complicated and requires special expertise to conduct the test.
• There may be fees associated with moving the data, which are frequently found in cloud solutions.
• At Quorum, we believe you should be able to test your solution as often as you need so you are confident you are ready should something happen. We also provide resources should you need them to help complete your test.
2. Is it time limitations or competing priorities that prevent you from completing a regular testing schedule?
• There are always competing priorities. Don’t let the safety of your business drop off the list.
• Work with your service or solution provider to establish a plan that ensures your safety but also respects your other activities.
• At Quorum, we will help you come up with a plan that recognizes you have other commitments but ensures your business is protected.
3. Are you expecting your service provider to be conducting tests?
• Know the schedule - when and how often.
• Consider having someone present to observe the testing, and schedule an after-action review with your service provider or solution provider to compare the results against your requirements, applying the “zero trust” philosophy.
• You may want to consider having a user participate and perform a few real-world scenarios while running on the recovery node.
• If your solution is “backup-only”, can you recover within your time requirements? Sometimes we believe the recovery process is easy, but pushing large amounts of data across the internet or internal networks can be much slower and take much longer than expected.
• Also, with “backup-only”, if your hardware is damaged or out of commission, what will you do? Where will you mount your backups?
4. If you are in a public cloud like AWS, Azure, etc. or a private cloud hosted by your MSP or solution provider, don’t assume you are adequately protected. It is still your responsibility to test and verify your solution is sound.
• You need to see that your recovery requirements are being met.
• If you are being hosted in the cloud (public or private), make sure you are protected. Don’t assume you are protected because your cloud or service provider is providing assurances. Have them demonstrate the solution provided meets your requirements.
• Can you spin up your environment and operate your business should your primary environment go down?
• If you are only backing up, how long does it actually take to move your data back to your production environment and is that acceptable?
• How is the connection between the cloud instance of your environment and the workplace where your employees need to access the information?
• As noted above, I would consider having one or more users perform real-world scenarios to ensure the solution provides an acceptable experience to conduct business.
Bottom line: no matter what anyone tells you about your preparedness, are you sure you’re ready? Don’t ever assume. Set up a regular testing schedule where you are actively involved and can guarantee that should something happen, you will be able to spin up your alternate environment and continue to run the business. In each of the scenarios listed above, not only will you need to spin up the environment, but you may need to continue to run on the environment for days, weeks, or possibly months.
At Quorum, we fully understand and appreciate the importance of regular testing. Whether in our cloud or on one of our appliances, there will never be a charge for you to test. You can test as often as you need to be comfortable your solution meets your needs. Additionally, if you need help, we have resources available to assist with anything you may need - again, at no charge. We want you to be safe and confident in your solution. Testing is the only way to guarantee that safety.