kantver - Fotolia

Need a BC/DR plan? MSPs provide one source of expertise

Smaller businesses may lack in-house expertise for developing a BC/DR strategy, but managed service providers may be able to lend a hand with the planning task.

Smaller businesses, like enterprise-class organizations, face the harsh realities of fire, flood and the pestilence of ransomware outbreaks.

SMBs must shield themselves from such business disruptors, whether outages stem from natural disasters, human error or the malice of cyberintruders. The path to protection starts with a solid business continuity/disaster recovery (BC/DR) plan. But, unlike their enterprise counterparts, SMBs lack large IT departments with skill sets in BC/DR planning.

An SMB, however, may be able to tap a nearby source of planning expertise. Indeed, smaller organizations frequently turn to managed service providers (MSPs) to help run their technology. MSPs remotely monitor and manage a customer's IT assets, from desktops to servers. They also act as virtual CIOs, advising organizations on technology strategy. In this consulting capacity, a service provider often becomes the go-to BC/DR planner for an SMB.

MSPs on point for BC/DR plan

"MSPs are pretty much responsible for DR planning in its entirety in that space," said Dan Timko, chief strategy officer at J2 Global, a cloud services and digital media company based in Los Angeles. "Most likely, either [SMBs] are turning to an MSP or not doing anything at all." Timko works within the company's data protection and cloud backup group, which includes J2 Global's OffsiteDataSync DR-as-a-service business.

Most MSPs include BC/DR in their service portfolios. Seventy-five percent of the more than 1,600 MSPs polled in Datto Inc.'s 2019 State of the MSP Report said they offer BC/DR services, according to Ryan Weeks, chief information security officer at Datto, a BC/DR technology provider based in Norwalk, Conn. The survey asked MSPs about BC/DR services, in general, but didn't distinguish between planning versus other services, such as BC/DR deployment, management and monitoring.

I can say that the majority of our [MSP] partners are active in their client's BC/DR planning processes -- if not entirely responsible for them.
Ryan WeeksChief information security officer, Datto

"Anecdotally, however, I can say that the majority of our [MSP] partners are active in their client's BC/DR planning processes -- if not entirely responsible for them," Weeks noted.

What to look for in an MSP

Companies looking to retain an MSP for BC/DR planning services should consider the following selection criteria.

Knowledge of the customer's business and core systems. This is where an incumbent MSP offers an advantage. BC/DR planning requires a comprehensive understanding of a customer's operations and supporting systems -- along with their criticality to the business. A service provider that already manages a company's IT systems should possess that knowledge and, therefore, be able to create a BC/DR plan.

"A lot of BC/DR planning comes from conversations with business owners," Weeks said. "What systems and services are absolutely critical to the business, and how much downtime can be tolerated if one were to fail? What systems are less critical but still need protection? With that information, an MSP can tailor a BC/DR plan to meet a business's recovery needs."

Criteria for selecting an MSP to develop a recovery plan

Scope of coverage. MSPs tend to be IT-oriented, which can prove a strength and, paradoxically, a weakness. A service provider, for example, may have intimate knowledge of a customer's compute, storage and networking devices but lack visibility into equally critical phone systems. Employee access to systems is another key aspect of a BC/DR plan that a service provider could overlook. It's one thing to be able to spin up servers in the cloud when disaster strikes, but how will employees access applications and data if they can't get to the office?

Timko said most MSPs will provide an IT-focused DR plan, but the more mature service providers will take that to the next level and complete the circle. That means thinking about telephony and accessibility issues, as well as IT systems.

Rigor of the approach. Does the MSP have a formal approach for assessing the customer and developing a BC/DR plan? A service provider may use a framework such as NIST's Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. An MSP may also use a BC/DR plan template to help guide the planning process. Formal BC/DR software tools, however, may not be in evidence.

"There actually aren't a whole lot of DR planning-specific tools, to be honest," Weeks said, noting options for planning range from simple Excel spreadsheets to templates.

Reference customers. Prospective clients should ask an MSP for reference customers. The key is to query those customers for which the MSP has tested -- as well as created -- a BC/DR plan. Interviews with customers that have gone through a testing exercise with an MSP will reveal the extent to which the service provider covered their needs and what gaps the MSP was able to close prior to subsequent testing.

Vendor alliances. On the technology side, a BC/DR plan often leads to the deployment of a backup and DR (BDR) system. A client may actually need more than one technical approach to cover both physical and virtual technology resources. Customers should make sure an MSP has relationships in place with BDR vendors that can account for varied IT estates. Bear in mind, however, that even a technically well-rounded MSP is unlikely to instantly cover every niche system or outdated piece of hardware within its core BC/DR offering. But an MSP that has 90% of a customer's environment nailed should have the flexibility to develop recovery approaches for one-off systems, Timko noted.

MSPs as trusted advisors

Such vendor alliances tend to be of a technical nature and may not extend to the BC/DR planning task. Weeks said Datto may work with MSPs to deploy its BDR devices but isn't typically involved in DR planning discussions. That's where MSPs' business acumen and ongoing customer relationships come to the fore.

"They are trusted, strategic advisors to their clients," Weeks said.

Next Steps

Tips for obtaining BC/DR plan and resilience funding

Tips for outsourcing business resilience services

How to build and train organizational resilience teams

A free business continuity plan template and guide

Preparing an annual schedule of business continuity activities

Dig Deeper on Disaster recovery planning and management

Data Backup