Ensuring the data for your small to medium business is backed up and secure is more than just good practice – the entirety of your business could be at risk if this is not done appropriately.
From the threat of ransom attacks to the ever changing regulations, it is important to know how to avoid falling foul of hackers and regulators by understanding the best practices for storing your data.
How much does one data loss incident cost a small business?
A ransomware attack on an SMB costs an average of $100,000 per incident in downtime alone. That excludes any costs of recovering the data and potential client litigation fees.
How often do hackers attempt to get your data?
A University of Maryland study showed that hackers attack Internet-facing devices every 39 seconds. That’s 2,244 attempts each day to get into your network.
How many companies successfully recover from a data breach?
Almost 60% of businesses close within six months of the data loss incident.
What do the other 40% have in common?
Robust and reliable data backups.
The message here should be clear. Your business won’t survive without an effective Disaster Recovery (DR)/Data Backup Strategy.
Here are some of the best practices for such a plan:
- Disk Image Backups:
Backing up just files or directories can save backup space, but if your server hardware dies you’ll waste valuable time reinstalling the server’s OS and applications on new hardware. A disk image backup of critical servers is a must. This image can be quickly and easily used to build an exact copy of your server and all your data on a virtual machine or new hardware. This can cut recovery time in half.
- After-hours Automated Backups:
Automated backups should be scheduled outside of normal hours so a) an admin does not have to be involved and b) the backups don’t need to be paused or stopped because they pull resources away from critical business day processes.
- Remote Management:
Hackers tend to attack after hours, so make sure your IT team can remotely manage DR routines and backups from their residences or other remote locations. Having a centralized backup management portal can greatly speed up recovery times.
- Audits and Tests:
A backup plan only has value if it works. Don’t wait for a breach to find this out. Schedule regular backup recovery tests to prove out your DR system. Vary these tests from individual file recovery, to disk full image recovery, to auditing the scope of the backup to make sure it includes everything you need it to.
- Vary Backup Destinations:
Don’t just back up everything to the cloud. Make sure you have a local office backup too. If you lose Internet/Cloud access, this local backup will keep your business running. Combining cloud backups with local hardware backups and potentially remote hardware backups, at a co-location for example, is ideal.
- Spend Time Planning:
The first step in putting together an effective DR plan is assessing your risk. This involves understanding the unique risks associated with your business sector, the type of data you store, and how/when you access it. Once you identify what data needs to be protected you need to set your backup objectives in terms of recovery point objective (RPO) and recovery time objective (RTO).
RPO – How long should the period be between backup jobs? This essentially determines how often you back up your data. It’s a balance between resources and how much and how quickly your data changes. Some data is changing all the time and may need to be backed up every hour. Other data changes more slowly and once a day or once a week is fine. You’ll probably have data that fits both these categories in your network. Below is an example guide of how RPO can be applied to different server types:
- Email Servers – hourly backups.
- Remote Access Terminal Servers – daily backups.
- Auxiliary Servers – weekly backups.
RTO – How fast do you want to be able to recover the data? This will potentially influence where you store backups and the software/hardware you use to back them up. Some data needs a target RTO of no more than 60 minutes. For other data, 4 hours might be a better target. Again, know which bucket each of your data types falls into.
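One way to turn the RPO guide above into a routine audit check (this is an added example, not code from the article or from InfoNetworks): the script below parses constructed backup job records, keeps the last successful job per server, and flags every server whose most recent good backup is older than the RPO for its class. Server names, the record format and the timestamps are all assumptions made up for the example; a server with no successful job at all is reported with an age of None so it is never silently skipped.

```python
from datetime import datetime, timedelta

# Target RPO per server class, following the example guide in the article.
RPO_BY_CLASS = {
    "email": timedelta(hours=1),       # hourly backups
    "terminal": timedelta(days=1),     # daily backups
    "auxiliary": timedelta(weeks=1),   # weekly backups
}

# Constructed sample job records (not real logs), one job per line:
# ISO timestamp, server name, server class, backup type, job status.
SAMPLE_JOBS = """\
2024-03-04T01:00:00 mail01 email image ok
2024-03-04T02:00:00 mail01 email image ok
2024-03-04T03:00:00 mail01 email image failed
2024-03-03T22:30:00 rds01 terminal image ok
2024-02-20T23:00:00 aux01 auxiliary files ok
2024-03-03T23:00:00 files01 auxiliary files failed
"""

def parse_jobs(text):
    """Parse the whitespace-separated job records into dicts."""
    jobs = []
    for line in text.splitlines():
        ts, host, cls, kind, status = line.split()
        jobs.append({"time": datetime.fromisoformat(ts), "host": host,
                     "class": cls, "kind": kind, "status": status})
    return jobs

def rpo_violations(jobs, now):
    """Return {host: age of last good backup} for every host beyond its RPO.

    Hosts that have never had a successful job are reported with age None.
    """
    last_ok, classes = {}, {}
    for j in jobs:
        classes[j["host"]] = j["class"]
        if j["status"] == "ok" and j["time"] > last_ok.get(j["host"], datetime.min):
            last_ok[j["host"]] = j["time"]
    violations = {}
    for host, cls in classes.items():
        age = now - last_ok[host] if host in last_ok else None
        if age is None or age > RPO_BY_CLASS[cls]:
            violations[host] = age
    return violations

def audit(text, now_iso):
    """Convenience wrapper: parse records and report violations at the given instant."""
    return rpo_violations(parse_jobs(text), datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for host, age in audit(SAMPLE_JOBS, "2024-03-04T04:30:00").items():
        print(f"{host}: last good backup {'never' if age is None else age} ago, RPO exceeded")
```

Run on the sample at 04:30 on 4 March, mail01 (2.5 hours since its last good hourly job), aux01 (over 12 days) and files01 (no successful job) are flagged, while rds01 is within its daily RPO.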
- Encryption:
Unencrypted data is a liability. Sensitive data needs to be encrypted. Now, here is an extremely important thing to keep in mind. A lot of companies already encrypt sensitive data on servers or laptop hard disks. If you back up a full image of that disk, that backup image will be encrypted. However, if you use your backup program to back up files and folders from that disk, then that data has already been decrypted in order for your backup program to read it. In this scenario, your backup program is taking sensitive encrypted data and storing it UNENCRYPTED. Make sure you use backup software that allows you to encrypt these file/folder backups.
- Compliance:
The length of time to keep your backups can tie directly into compliance requirements. Make yourself aware of the data privacy laws that your company needs to comply with. Know which files you need to back up, and for how long, when it comes to regulations like HIPAA and CMMC. However, some standards like GDPR and CCPA have ‘right to erasure’ stipulations which require you to erase certain records upon a client delete request. This includes removing those files from old backups. Keep this in mind if these regulations apply to your company.
As you can see, creating and maintaining a successful DR strategy can be quite involved. But it’s an essential part of your business’s future success. Weighing the benefits of hiring a skilled managed service provider (MSP) against the cost of expanding internal IT teams to take on this extra load is an important first step. InfoNetworks can help you make that decision. Schedule a free assessment today.