What is Data Backup and Disaster Recovery?
Data loss is an omnipresent risk. Cyber criminals never let up: 83 percent of organisations experienced more than one data breach in 2022. Natural disasters and accidents can level offices without warning. Even Google’s data centres can’t evade lighting strikes.
Against threats both malicious and wrought by nature, preparedness will be key to resilience. Mitigating tactics are especially crucial for small to medium businesses who are hit harder by data loss. The cost of breaches for SMBs rose by 14 percent from 2022.
There’s a slew of strategies available. Two of them that SMBs should include in their approach to data security: backups and disaster recovery plans.
Data Backup vs Disaster Recovery
Data backups and disaster recovery plans are two solutions that serve different end goals. Data backups are concerned with preserving the integrity of data. Meanwhile, disaster recovery plans (DRP) revolve around business continuity. Backups are a cornerstone of DRPs–there can be no recovery if there’s no backup data to restore.
Ideally, companies will have both. Most businesses back up their data to some sort of storage device or the cloud. Yet only a little over half of companies have a company-wide disaster recovery plan in place.
What Makes A Good Data Backup Plan?
Nearly all businesses practise some sort of data backup procedure, whether that’s copying data to a physical drive or moving files to the cloud. But not all approaches are equal.
A good backup is redundant. The Cybersecurity and Infrastructure Agency (CISA) recommends the 3-2-1 strategy. One primary backup and two copies of data; saved to two types of storage device; and at least one copy kept offsite. This way, no unfortunate fire or flood can single-handedly erase your data.
Follow up redundancy with frequency. Backup data is no good outdated. The general rule of thumb is backing up once a week, but your mileage will vary based on a metric called the Recovery Point Objective (RPO).
The RPO is how much data your business can lose and still run, measured in hours. Institutions like banks that rely on critical information for minute-to-minute transactions will have a higher RPO and therefore need to backup files more frequently.
Which data sets you’ll need to backup will be subject to analysis. It’s neither feasible nor practical to duplicate all your files. Determining which information and applications are mission critical, and what deserves full or incremental backups, should be part of any cost-efficient plan.
Once you have a good backup system in place, you’ll want to test it, as you’re only as protected as the integrity of your last backup. Standard testing procedures involve stress testing against scenarios such as the system crashing in the middle of a backup, or protecting it against ransomware attacks. Almost all ransomware incidents target backups to hamstring companies.
What Should My Data Recovery Plan Cover?
A well-oiled data backup system is only a part of the equation. Here’s where preparedness diverges. While most have some sort of data backup in place, relatively fewer have mapped out how to restore it once things go sideways. Who do you call? Which applications need to be restored first? What are staff expected to do while your IT team contains the incident?
Uncertainty wastes time, and every minute of downtime can cost a business millions. Defining the following items will help the recovery process go as smoothly and as quickly as possible:
First, determine your RPO and Recovery time objective (RTO). RTO is the longest tolerable duration between a failure event and going back to normal. RPO, as discussed above, is how much data you can afford to lose.
Your RPO and RTO will dictate the specifics of your disaster recovery plan. If your RPO for a network is an hour, then you’ll need speedier configurations, like continuous data replication to an on-premise external drive. RTO gives you a time frame to work with, so you can form a response that aligns with business objectives.
Not all systems will share the same RTO and RPO. Sorting by criticality will help you develop the appropriate response and keep costs from spiralling. The Tiers of Disaster Recovery divides solutions into six levels, with level 6 mandating minimal to zero data loss, often with the use of advanced and expensive automated systems.
Ensure employees know their responsibilities in the event of an outage. Clear protocols help minimise confusion and reassure stressed employees in the aftermath of a disaster or ransomware attack. It also empowers key personnel to deploy recovery plans as quickly as possible.
In a big company, senior managers will typically be the ones coordinating activities. Smaller businesses with fewer personnel can answer the following questions to help figure out who does what:
- Who will document the incident?
- Who will procure alternative work setups and devices?
- Who’s in charge of liasing with affected customers and, potentially, the press?
Transparent communication helps build confidence in your company through the crisis. In the case of events like storms, these plans can even help keep employees safe. Communication plans are also crucial for compliance. Some regulations stipulate that businesses have to notify authorities of a data breach no later than 72 hours after detecting it.
Develop a strategy for sharing information with your employees, customers, affected third-parties, and the media. Keep a list of essential phone numbers and email addresses so you can contact stakeholders or establish communication lines with vendors or your internet service provider.
Effective plans include an itemised inventory of all your computing, power, and utility assets. Sort equipment into those you can’t work without, those you’ll need in a day, and those you won’t need for a while.
Knowing where everything is will help you direct retrieval efforts in case of a disaster. The list will also facilitate rebuilding efforts. After an incident, you’ll need to assess which computer equipment needs to be replaced or updated.
Recovery facilities can help you stay operational if your main site is inaccessible. Recovery sites are usually divided into three: hot, warm, and cold sites.
Hot sites contain all the necessary hardware and data you’ll need to resume work; it’s virtually a duplicate of your setup. Warm sites have mission critical equipment, but are backed up infrequently and therefore lack up-to-date data. Cold sites are essentially empty office spaces where you can move your equipment in.
In a time when data loss can sink small to medium sized companies within months, a comprehensive backup and data recovery plan is essential to doing business.
Looking for expert advice on data backups and recovery? Our team of disaster recovery for IT specialists can create bespoke plans that will cover all your bases. Book a free consultation with Evolvit today.