EDR / MDRIdentify, contain, respond, and stop malicious activity on endpoints
SIEMCentralize threat visibility and analysis, backed by cutting-edge threat intelligence
Risk Assessment & Dark Web MonitoringIdentify and quantify unknown cyber risks and vulnerabilities
Cloud App SecurityMonitor and manage security risk for SaaS apps
SOC ServicesProvide 24/7 threat monitoring and response backed by ConnectWise SOC experts
Policy ManagementCreate, deploy, and manage client security policies and profiles
Incident Response ServiceOn-tap cyber experts to address critical security incidents
Cybersecurity GlossaryGuide to the most common, important terms in the industry
Recovery time objective (RTO) meaning
Surviving a major disaster and maintaining business continuity and operations involves relying on a well-prepared team and IT infrastructure. MSPs should aim to be as prepared as possible to fully restore a business to normal operations well under each client’s Recovery Time Objective (RTO). Failure to adequately plan ahead can lead to major downtimes and revenue loss for both the business and its clients.
What is RTO?
Recovery time objective (RTO) is the amount of time a business has to restore its operations to an acceptable level after a disaster in order to avoid continued business interruptions and intolerable data loss.
The RTO is determined by the extent to which an interruption disrupts normal operations in an organization and how much (if any) revenue is lost per unit in time due to the disaster. A Recovery Time Objective is measured in units of time (seconds, minutes, hours, and/or potentially in days). Disaster Recovery Plans (DRPs) often heavily rely on the RTO value as a guide to their effectiveness.
An RTO indicates:
- The length of time it will take to run a full restoration from the time of a disaster
- How MSPs should prepare ahead of a disaster to ensure efficient and effective implementation of DRPs
- An organization’s maximum acceptable risk of data loss
Why is RTO essential for disaster recovery?
An RTO dictates the amount of time a business needs to recover back to ‘normal’ operations. RTOs are critical to disaster recovery plans because they give you a maximum benchmark to aim for, given the nature and state of your business. Your RTO should not extend beyond the time your business can afford to shoulder revenue or other losses without major business impact.
How can MSPs use RTO?
MSPs should use Recovery Time Objective as a first step in calculating the optimum backup and business continuity and disaster recovery plan (BCDR) in order to ensure business continuity and minimize overall operational disruptions and business risk.
RTOs give an organization guardrails and an objective to shoot for when attempting to safeguard a business against disasters. RTOs help to quantify what is needed in terms of time (and also resources) to get a business back to normal operations. Without this calculation and forward thinking, an organization wouldn’t be able to mobilize resources fast enough to recover fast enough or to meet industry expectations of disaster preparedness.
As a hypothetical example, imagine an MSP with a client that suffers a catastrophic disaster, such as a fire or a flood. As a result, the client was left with damaged hardware that held mission-critical data and backups.
Clients who took the time to share their RTO and disaster plan with their MSP would have already analyzed potential disaster scenarios and calculated the time and resources it would take to get back to an acceptable service level (normal business operations). In this disaster situation, the team would attempt to restore backups and enlist the help of hardware and data recovery engineers to recover any lost data due to the disaster.
An organization who decided not to invest in a full business continuity plan/disaster recovery plan wouldn’t be in a position to quickly recover from the disaster and may end up suffering long-term damage to their reputation and take weeks or months to recover back to normal business operations (if they are capable of doing this at all).
Be sure to visit the rest of our cybersecurity glossary to stay up to date on the latest cybersecurity terms and definitions, as well as our cybersecurity center for the latest news and insights. For more support to get your RTO up to speed, feel free to contact us as well.
How to calculate RTO
Due to differences between business types and how they operate, there is no one-size-fits-all Disaster Recovery Plan. Due to this fact, every business’ RTO will likely differ in one form or another.
In order to calculate maximum RTO, MSPs should focus on:
- Cost per hour of any outages and projected loss of revenue from those outages. Having a dedicated disaster recovery budget or understanding of the cost allows organizations to move faster towards normal business operations than competitors while saving valuable time and resources doing after the fact disaster recovery planning.
- How clients or customers may be affected. Clients and customers are the core evangelists of your organization, its products, and services. Failure to provide services can drastically damage the reputation and livelihood of an organization and its future.
- A disaster’s impact on wider infrastructure – do dependencies exist? A disaster may not just affect your business’ infrastructure. Partners and other applications used by outside organizations may also be dependent on your datasets and hosted applications.
- Organizational budget and any resources that may be needed during the disaster. Your organization’s preparedness and response to disasters needs to be financially feasible. This necessitates thinking ahead and planning to ensure that when a disaster strikes, financial resources would be available and waiting to be committed to getting your organization back to serving its clients and customers.
- The priority or level of importance an application or system has within the organization. Being able to prioritize and dedicate resources to mission-critical applications and data puts you ahead of the disaster recovery process. Mission-critical data and applications may have a much higher priority than data that is infrequently backed up or even used entirely.
Each business is different, and RTO times will likely vary quite largely, and it is important to remember that RTOs will also vary based on the type of disaster. A minor disaster may require a much shorter RTO than a more complex and widespread situation. Since RTO can vary by the end user’s industry, MSPs need to define it for each end user they work with.
- Customer Relationship Management system (3 hour RTO) - Due to its mission-critical nature, CSRM systems often have a shorter RTO than data that doesn’t have much bearing on the day-to-day operations of the business.
- Finance system (2 hour RTO) – Keeping financial systems functioning and banking transaction data backed up are two of the most critical components to many organizations’ business continuity/disaster recovery Plans. Financial data is also the most sensitive and private so, in turn, it must be safeguarded and protected via frequent backups.
- Email database (4 hour RTO) - While important to an organization’s operations, email data often can have a longer RTO due to the fact that many organizations can survive some time without an email server functioning while data is recovered.
- File server functionality (3 hour RTO) – An organization’s data and information is also one of the most important tools that it uses to conduct business. Many organizations may fail to function without access to their files for a certain period of time. Compared to email systems and Outlook databases, file servers are much more mission-critical to maintain business continuity in most businesses.
It’s important to keep in mind that many industries vary in how they conduct business so it is important for you and your team to establish a disaster recovery plan and RTO values that coincide with how your business operates.