Data Backups – Are Yours Fit for Purpose?
Cyber Scale, 18th Dec 2020
When devising the best backup strategy for your business there are several key things you should consider:
- What data is critical to your business?
- What do you need to protect that data against?
- How long can your business stand to be without that data?
In answering these questions, you can start to form a decent picture of what your backup strategy needs to be, including how often you need to take your backups, when you should take your backups, and where best to keep them.
Generally speaking, though, there are some ‘golden rules’ of backup that you should always aim to follow when protecting your business data:
The 3-2-1 Rule
The 3-2-1 rule is a general guide to protecting your data against the most common scenarios, from accidental deletion of a single file to full-on Disaster Recovery. According to the 3-2-1 rule, as a minimum you should have three copies of your data (the live copy counts as one), on two different types of media, with one copy off-site for Disaster Recovery.
The rationale is that by keeping local copies on separate devices you are protected if either device fails or one copy is deleted or corrupted, and the data can be recovered quickly.
Keeping a copy off-site also makes sure your data is protected against any incident that affects an entire location, such as fire, flood or theft.
Offline or ‘Cold’ Backups
Whether your backups are local or off-site, you should ensure that at least one of these copies is offline or ‘cold’, meaning that it is not actively connected to, or accessible from, your live environment. Doing this makes sure that you have copies of your data that will not be affected by anything that compromises or damages the data in your online systems. This is key when protecting against ransomware, for example, where backups are often affected by the attack and in some cases are actively targeted. Note that a backup drive that stays plugged in, or a network share that is permanently mounted from production machines, is still ‘online’ wherever it physically sits: malware running with a user’s credentials can reach whatever that user can.
This is a critical consideration if you’re using online or ‘Cloud’ storage as a backup location. Make sure it is only connected and accessed as required to limit the exposure, use credentials for the backup that are separate from your day-to-day accounts, and, where the provider offers it, enable versioning or immutability so that an object which has been overwritten or deleted can still be recovered.
Timely and Regular Backups
When you take your data backups and how often you take them is key to minimising the risk and business impact of having to perform any sort of recovery. You need to consider your Recovery Point Objective (RPO), which is how much data you can stand to lose, measured as the time elapsed since the last usable backup, and your Recovery Time Objective (RTO), which is how quickly you need to have your data back in use. For example, if you decide you can only stand to lose an hour’s worth of sales data (an RPO of 1 hour) then taking a single backup each night isn’t going to be good enough. Similarly, if you need to be able to recover your data within 2 hours (an RTO of 2 hours) then keeping your only backups in a secure location 3 hours’ drive away isn’t going to cut it either.
There is a balance to be struck here, though, as typically the lower your RPO and RTO targets, the more it will cost to ensure that you can meet them.
Probably most importantly of all, you need to regularly test restoring data from your backups to make sure that it works as expected. There’s nothing worse when facing a disaster recovery scenario than finding out that your backups are no good or the recovery process just doesn’t work. A meaningful test restores into an isolated location, never over the live data, and then checks that the restored files are complete and identical to what was backed up, rather than just confirming that the backup job reported success. Test and test again until backup and recovery are routine.
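As an added illustration of the two points above (checking a backup schedule against an RPO, and verifying a restore rather than trusting the job status), the following Python script is example code written for this page and is not from Cyber Scale or any backup product. It builds a gzipped tar archive of a constructed sample directory together with a SHA-256 manifest, restores it into a scratch directory, and reports any file that is missing, changed or unexpected. The sample files, the nightly timestamps and the 1-hour RPO in the usage lines are all made up for the demonstration.

```python
"""Backup restore drill: write, restore, verify, and compare a schedule with an RPO.

Added example, not code from the Cyber Scale article. The sample files,
the backup timestamps and the RPO used below are constructed for illustration.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, dest_dir):
    """Write src as a gzipped tar plus a JSON manifest; return both paths.

    The manifest is the reference every restore test is checked against, so it
    should travel with every copy of the archive, including the cold one."""
    dest_dir = Path(dest_dir)
    archive = dest_dir / "backup.tar.gz"
    manifest_path = dest_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    manifest_path.write_text(json.dumps(build_manifest(src), indent=2))
    return archive, manifest_path


def restore_backup(archive, restore_dir):
    """Extract the archive into restore_dir (a scratch area, never the live data)."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ (and backports): reject traversal
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)


def verify_restore(manifest_path, restore_dir):
    """Compare the restored tree with the manifest. Three empty lists mean a clean restore."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = build_manifest(restore_dir)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "changed": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
    }


def worst_case_data_loss_hours(backup_times_iso, now_iso):
    """Largest gap between consecutive backups, or since the last one: the most
    data a restore could lose. Compare the result with the RPO you have chosen."""
    times = sorted(datetime.fromisoformat(t) for t in backup_times_iso)
    times.append(datetime.fromisoformat(now_iso))
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return max(gaps).total_seconds() / 3600


def make_sample_tree(root):
    """Constructed sample data standing in for 'critical business data'."""
    root = Path(root)
    (root / "sales").mkdir(parents=True)
    (root / "sales" / "orders.csv").write_text("id,total\n1,19.99\n2,5.00\n")
    (root / "sales" / "notes.bin").write_bytes(os.urandom(4096))
    (root / "config.ini").write_text("[db]\nhost=db.internal\n")


def run_drill(tamper=False):
    """Full round trip in a temporary directory. With tamper=True one restored
    file is altered after extraction, to show the verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, store, restored = (Path(tmp) / n for n in ("live", "store", "restore"))
        make_sample_tree(src)
        store.mkdir()
        restored.mkdir()
        archive, manifest = create_backup(src, store)
        restore_backup(archive, restored)
        if tamper:
            with open(restored / "sales" / "orders.csv", "ab") as f:
                f.write(b"3,0.01\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("tampered drill:", run_drill(tamper=True))
    nightly = ["2020-12-17T22:00", "2020-12-18T22:00"]  # constructed schedule
    hours = worst_case_data_loss_hours(nightly, "2020-12-19T09:00")
    print("worst-case data loss with nightly backups: %.1f h (RPO target 1 h)" % hours)
```

Run against a real backup, the same three checks apply: restore to a scratch host, compare against the manifest written at backup time, and treat any non-empty list as a failed test. The schedule check is the simplest way to show that a nightly job cannot meet a 1-hour RPO: the worst case is a full day of lost data, not the age of the most recent backup.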
While these general points should stand you in good stead, there is plenty more to consider when defining the backup and recovery strategy that is right for your business. For further guidance, seek help from free online sources such as the NCSC, or from a cybersecurity partner who can help you understand your risks and how best to protect against them.