Data backup and recovery are blind spots for many CEOs and business leaders. A recent survey of IT decision-makers reported that only 8% of their CEOs track metrics to ensure a complete recovery plan. The same study found that 58% of CEOs just wanted to know that a data recovery plan was in place, ignoring the details. With the average cost of a data breach pegged at $4.24 million, that could be an expensive mistake. Hopefully, as a CEO, you are a member of the 58% cohort and have asked your IT team to confirm that your company’s data is at least being backed up. Typically, the answer is yes. But that still leaves plenty of unanswered questions. This post will help you understand what those questions should be and the responses you should expect. Let’s start with the basics.
What is data backup and recovery?
Data backup and recovery is the process used to create, store, and protect copies of your data so it can be restored if it is lost or destroyed. Referring back to the group of CEOs who have asked about backups, it’s important to note that backup and recovery are not separate concepts, even if the industry has, at times, made that seem to be the case. Data backups are crucial but worthless if they can’t be recovered. Recovery simply isn’t possible without backups. Here are some areas to work on with your IT team to help you get a clear picture of backup and recovery capabilities.
Create a data backup and recovery plan
As CEO, one of the best ways to ensure you’ve got sound backup and recovery practices in place is to have your IT team develop a plan. You may not need to know all of the details, but you should understand your situation and what your company will do if a data disaster strikes. Let’s start with the questions to ask your IT team regarding the backup side of the equation. The first one is the most obvious. Can we survive a cyberattack or other data loss? Here are a few other questions you should have answered:
- Where is our data being backed up?
- Do we have on-premises backups for fast recovery?
- What about offsite backups in case our on-premises backups are compromised?
- Are we taking advantage of cloud data backups?
- Have we looked at managed cloud backup and recovery services as an option?
One critical backup feature you should demand is immutable storage for your backups. That’s especially true in this age of ransomware attacks, where an employee’s single click on a malicious link can lock up your data. Immutability means your data is stored in a write-once, read-many (WORM) format that can’t be altered. Unlike data encryption, there is no key, so there isn’t any way to “read” or reverse the immutability and delete or change the file – not even by ransomware.
Establish your data loss limits
Two key elements of your company’s backup and recovery plan are your recovery time objective (RTO) and recovery point objective (RPO). RTO defines the amount of time between a disaster that takes your data and systems down and your ability to return to normal, or at least acceptable, business operations. With the hourly cost of server downtime running over $1 million for 44% of enterprises, you need to ask yourself: how long can we survive without access to our data? RPO defines the amount of data you can afford to lose during a disaster. This metric determines the frequency of your data backups: the less time between backups, the less data can be lost in the event of a disaster.
While establishing your RTO and RPO often falls to IT teams, the truth is that setting these metrics is ultimately a business decision. The financial impacts of a data disaster need to be weighed against the IT investments necessary to ensure these thresholds can be met. So work closely with your IT team to agree on requirements and sort through your options.
Test and review your recovery practices
As noted, a backup isn’t of much use if it can’t be recovered. So make sure your backup and disaster recovery plan includes regularly scheduled testing to ensure you can always get your data back. You may also want to consider bringing a third party in to help you create a plan—or evaluate your current plan—to ensure that it meets all of your recovery requirements. A Disaster Recovery Review can also identify technical and business process gaps, define stakeholders and recovery teams, and highlight critical processes and functions necessary to keep your business running. It can also help you stay in compliance with industry and regulatory standards.
Put prevention first
While proper backup and recovery plans and practices can help you recover from a data disaster, your priority should always be prevention. With that in mind, a Cybersecurity Discovery Session will help you identify and assess your security posture while Data Protection as a Service (DPaaS) simplifies security for your sensitive data and provides a complete, enterprise-class cloud disaster recovery service.