We’re all aware of how much we depend on cloud these days, whether it’s Microsoft 365, Google Workspace (GCP), or another provider. They’ve become so integrated into how we do things that it’s easy to assume they’re our safety net, I often hear we don’t need disaster recovery. “It’s in the cloud,” telling ourselves, “it’s safe.” But, truly, that’s rather like saying that because you have car insurance, you aren’t at risk of an accident. It’s a vital piece of the puzzle, but it’s not a get out of jail free card. 

This article is about why we can’t just rely on cloud subscription, whether M365 or GCP, it isn’t enough to protect your business from disruptions, and why a Business Impact Assessment (BIA) is such a crucial exercise. A BIA is foundation to Cyber/DR strategies – it lets you understand what’s critical and what could really hurt if it broke.

The Cloud Illusion: 
Why the likes of M365 and GCP are just like the Death Star, it only takes a rebel to infiltrate

Cloud platforms are great, (i wouldn’t go back to on prem for any amount of money). Cloud Service Providers (CSP’s) do their best to make their services reliable, with multi region redundancies and all the 9’s uptime. But realistically, anything can go wrong, below ive listed some points to think about. 

  • Regional Problems: Even the largest cloud providers aren’t immune to outages. A data centre power outage, a natural disaster, or even a cyberattack on a specific area could knock out your access, even if the provider’s main systems are fine. 
  • The Silent Threat: Infiltration and the ‘Lay and Wait’ Tactic: This is a particularly insidious threat. Hackers, once they’ve infiltrated your systems (often through phishing or exploiting vulnerabilities), may lie dormant for months – sometimes up to six months or even longer. During this “lay and wait” period, they’re not immediately making their presence known. Instead, they’re quietly infecting your data replications and, crucially, targeting your backups. By the time they finally decide to strike (ransomware, data exfiltration, etc.), your backups are compromised, and restoring your systems becomes incredibly difficult, if not impossible. This makes a robust, air-gapped or immutable recovery strategy absolutely essential. Account Problems: someone phishing your login or a disgruntled employee locking you out. Now your “secure” data is inaccessible, no matter what cloud you’re on. Not a position you want to be in.
  • Data Gremlins: Although cloud providers do have recovery options, they might not always be sufficient. Accidental deletions, corruption, or simply a syncing failure can cause headaches. Often i hear CRM’s and similar solutions are only backed up once a day. 
  • Beyond M365/GCP: Your business likely uses other crucial systems too, right? Your CRM, your accounting software, maybe something industry specific. If those go down, even with your chosen cloud platform running smoothly, you’re still in trouble.
  • Human Error: We’re all human. A misconfigured setting, a botched update, or just someone clicking the wrong button can cause chaos, despite the best tech in the world. This is independent of the cloud provider. Even a Tech Jedi has had some “oh sh….t” moments. 
  • Vendor Lock-in: Depending too heavily on a single cloud provider can make it difficult and expensive to switch if needed. Consider the implications of vendor lock-in when choosing your cloud strategy.

The BIA: Your Business Priority List

A BIA is like a deep dive into your business. It gets you to figure out what’s absolutely essential and what the impact would be if it wasn’t there. It’s a matter of asking some tough questions:

  • What’s Non-Negotiable? What are the most critical processes that keep the lights on? Which are the departments that are absolutely crucial?
  • How Long Can You Be Down? This is the “Maximum Tolerable Downtime” (MTD). How long can you do without a given function before it starts to seriously hurt your bottom line? A few hours? A day? It varies. Think about Recovery Point Objectives, is 1 backup a day enough, Recovery Time Objectives, how quickly can you get the systems back up.  
  • What’s the Real Cost? Consider the financial cost, of course, but also the damage to your reputation, the inconvenience for your customers, and the potential regulatory fines.
  • Where Do You Focus First? Once you know what’s most important and how long you can survive without it, you know where to focus your recovery efforts.

Building Your Safety Net (It’s More Than Just Cloud)

Once you’ve completed your BIA, you can build a proper BC/DR plan. This is your overall strategy for dealing with disruptions. It should include:

  • Step-by-Step Recovery: How exactly will you restore your critical systems and data? Backups? Failover systems? Workarounds? Given the threat of the “lay and wait” infiltration tactic, your backup strategy needs special attention. Consider implementing immutable backups, air-gapped solutions, or other advanced techniques to protect your data from compromise. Regularly test your recovery process, specifically focusing on how you would recover from a scenario.
  • Communication is Key: How will you keep everyone informed – your team, your customers, your suppliers? A solid communication plan is essential.
  • Practice Makes Perfect: Exercise your plan regularly. Don’t just write it down and then forget about it. Run drills, see if it’s effective, and make changes accordingly.
  • Keep it Fresh: Your business changes, technology changes, and threats change. Review your plan regularly to ensure it’s still relevant.

Cloud Platforms: A Piece of the Puzzle, Not Everything

Regardless of which cloud solution you are using, they’re great tools in your BC/DR toolkit, but they’re just one component. You need to think about everything that could go wrong, do your BIA, and develop a comprehensive plan that covers all your vulnerabilities.

The moral of the story? Don’t rely on your cloud subscription, whichever one you have, to rescue you from every possible disaster. Hopefully this article highlights how various issues, from regional outages to human error, can disrupt operations. But perhaps the most insidious threat is the ‘lay and wait’ tactic. Hackers are increasingly patient, infiltrating systems and quietly compromising backups over months before finally striking. This underscores the critical importance of a multi-layered approach to security and recovery. Invest in a proper BIA, a comprehensive BC/DR plan that includes robust, tested backup strategies, and regular reviews. It’s the a critical piece of the puzzle to protect your business. 

Get yourself some Cyber insurance also. We insure pretty much everything else, insure yourselves against one of the largest threats globally.  

Don’t get caught out, reach out if you have any questions. 

This is the Way – Your Friendly Tech Jedi! Dan