Estimated Reading Time: 5 minutes
By Katharine Nesslage
Resource Type: Articles
Topic: Business Continuity Planning, Data Privacy, Tech Risk, Cybersecurity
(download The Business Continuity Planning issue of Risk Management Essentials, here.)
Many nonprofits are routinely taking advantage of the “Cloud” to provide low-cost software and data solutions. Gone are the days when organizations were required to purchase and maintain expensive servers on-site to house their applications and data. The allure of being able to remotely access files and web applications from any computer makes the Cloud appear to be an easy remedy for business continuity issues. But is it?
Your nonprofit’s essential information includes the tools and data necessary to continue mission-critical functions during an interruption. When exploring cloud computing solutions, consider the following questions:
For this article, we use the term ‘the cloud’ to describe a subscription service that primarily delivers ‘software as a service’ (email, calendaring, office tools, etc.), but can also deliver ‘infrastructure as a service’ and ‘platform as a service.’
For a summary of the different types of cloud services visit: “SaaS vs PaaS vs IaaS: What’s The Difference and How To Choose,” BMC Blogs
Applications and infrastructure that are available remotely are examples of cloud computing. Traditional IT assets were housed on physical servers within your organization’s facilities—remember those server closets? Physical hardware has limitations on the amount of data that can be stored, and hardware can be damaged or rendered inaccessible during a power outage or other event affecting your facilities. Many sources state the best strategy for protecting your data and accessing it during an interruption is to put it in the cloud.
Cloud services are useful as they may be deployed rapidly, are scalable, and require minimal upfront investments. And because of the self-service nature of many of these services, they may save you money and time.
Unfortunately, the concept of “the cloud” leads to a false sense of security that your data will always be intact and available, as long as you can connect to the internet. Using cloud technology as a way of safeguarding your nonprofit’s information and protecting continuity of services requires a careful review of service level agreements (SLA) and your vendor’s BCP practices.
The cloud is “always on.” Because of its high reliability, cloud outages are rare. It’s easy to believe that the data stored remotely is continuously available and automatically protected for disaster recovery. However, nonprofit leaders exploring cloud solutions should ask the right questions of any potential vendors to determine if that particular cloud solution exercises salient business continuity practices.
For example, at any given moment, your data is being delivered to you from a single data center somewhere. Do you know if the owner of the cloud service is able to quickly move to a new data center? The answer may be no, and if so, you need to confirm your cloud provider’s established timelines and procedures for data relocation.
Keep in mind that not all cloud providers maintain their own physical storage. Some may lease space that may not be in the same geographical location as their offices. So, you could have a U.S. based cloud provider whose leased space is actually in another country. Ask your vendors for the physical location of the server where your data is stored.
Backups happen automatically. Frequently, routine backups are included with cloud services. However, it’s risky to assume that redundancy is automatic or conducted on a schedule that is best suited to your organization. Check with your cloud provider to find out if your service level agreement (SLA) includes backup and recovery of your data and what levels of protection are included with your SLA. Never assume that your data is being automatically backed up. Establish a frequency of backups; for essential data, you may want a backup daily or weekly, especially when this information is accessed and updated often.
Data can be recovered immediately. In the event your nonprofit needs to execute data recovery from cloud backups, you need to know how long backups are stored and how quickly information can be retrieved. Knowing how long backups are retained and if multiple versions of your data are stored will prepare your organization for data recovery plans if primary information becomes corrupt. Some backup storage options take advantage of infrequent access and may have longer restoration times, impacting your ability to come back online after a disruption.
Common terms vendors may use during these discussions include recovery time objective (RTO)—the length of time it takes to get your restored data and applications back up and running—and recovery point objective (RPO)—how frequently your nonprofit’s data needs to be backed up.
The cloud safely stores my data forever. Reliance on a third-party to store, administer, and safeguard your data can be risky. What happens to your data if your cloud provider suddenly shuts down? Will your data be gone forever, or does your SLA include a provision requiring a data dump prior to the vendor shutting down? How much notice will you receive to make preparations to move your data to a new service provider? Does the SLA have restrictions if our organization decides to switch to another provider?
Your provider contracts should include an exit strategy describing the steps (and cost, if applicable) to move the service back in-house or to transfer it to an alternative provider. The plan’s most important aspect is the retrieval and preservation of your nonprofit’s data so that data portability is achieved. Keep in mind that an exit strategy is helpful if you or the provider terminate the contract; that strategy may or may not govern how disruptive events like a service outage or bankruptcy will be handled.
Cloud services can provide an efficient, elegant solution for safeguarding your data and continuing critical operations. The key takeaway is to remember that having candid conversations with technology partners about the terms of their services will ensure that your cloud software and storage arrangements sync with your overall business continuity plan and BCP strategies.
“First let me congratulate you on a conference well done. I had a great time at the Nonprofit Employee Benefits Conference and walked away with some valuable tools and questions that we’ll need to be addressing in both the short and long term. Thanks to you and your staff for all you do to provide us with quality resources in support of our missions.”
“BBYO’s engagement of the Center to conduct a risk assessment was one of the most valuable processes undertaken over the past five years. Numerous programmatic and procedural changes were recommended and have since been implemented. Additionally, dozens (literally) of insurance coverage gaps were identified that would never have been without the work of the Center. This assessment led to a broker bidding process that resulted in BBYO’s selection of a new broker that we have been extremely satisfied with. I unconditionally recommend the Center for their consultative services.
“Melanie Herman has provided expert, insightful, timely and well resourced information to our Executive Team and Board of Directors. Our corporation recently experienced massive growth through merger and the Board has been working to better integrate their expanded set of roles and responsibilities. Melanie presented at our Annual Board of Director’s Retreat and captured the interest of our Board members. As a result of her excellent presentation the Board has engaged in focused review which is having immediate effects on governance.”
“The Nonprofit Risk Management Center has been an outstanding partner for us. They are attentive to our needs, and work hard to successfully meet our requests for information. Being an Affiliate member gave us access to so many time- and money-saving resources that it easily paid for itself! Nonprofit Risk Management Center is truly a valued partner of The Community Foundation of Elkhart County and we are continuously able to optimize staff time with the support given by their team.”
“The board and staff of the Prince George’s Child Resource Center are extremely pleased with the results of the risk assessment conducted by the Nonprofit Risk Management Center. A thorough scan revealed that while we are a well run organization, we had risks that we never imagined. We are grateful to know that we have now minimized our organizational risks and we recommend the Center to other nonprofits.”
Great American Insurance Group’s Specialty Human Services is committed to protecting those who improve your communities. The Center team has committed to delivering dynamic risk management solutions tailored to nonprofit organizations. These organizations have many and varied risk issues, hence the need for specialized coverage and expert knowledge for their protection. We’ve had Melanie speak on several occasions to employees and our agents. She is always on point and delivers such great value. Thank you for the terrific partnership and allowing our nonprofits to focus on their mission!