301.519.9237 exdirector@nesaus.org

How to Make a Backup and Recovery Plan for Your Business

Cyrly busy business woman suffering stress working at laptop while talking on mobile phone in overwork. Tired businesswoman using phone. Girl feeling sad.

8.12.22 – CI

You owe a duty of care to your employees, vendors, ownership and customers to protect your data to the greatest extent budgets will allow.

When you own a business, you rely on critical information to help you keep track of your operations. Your profits are important to your success, but your data is equally essential because, if the server goes down, you might not be able to provide your clients with products or services. Having the ability to serve customers, vendors, employees and others is why business owners must ensure they have backup and disaster-recovery options ready for their business. 

Most people know that backing up your data is one of the essential tasks to ensuring business continuity. How can you protect your essential data from nature, accidents, hackers, viruses and other threats? This article will present five steps to keep your data safe. 

So, what is business data backup? Well, businesses always have computers with business-critical data. Data backup is the practice of saving enough information that you can recover from a data loss within a reasonable period and for a reasonable amount of money. It’s about having the information that will allow you, at least to a reasonable extent, to continue operating. Perfect recovery in zero time is not the goal; instead, the goal is to think through and test a plan that will allow you to recover operations in a feasible amount of time, and at an affordable cost, for all reasonable data losses. 

Considering Business Disasters 

What are the leading causes of business disasters? Consider the following list: 

  • Natural disasters, such as fire, flood, hurricanes or tornadoes. 
  • Human-caused disasters
    • civil disruptions, such as vandalism, wars or riots 
    • ordinary crime, such as theft or arson 
    • cybercrime, such as ransomware, viruses and hijacked systems 
  • Software errors, such as a bug-filled release  
  • Hardware failure due to age or a bad environment 
  • Human error, such as inadvertently deleting files or discarding computers that have critical data 

You should think about when — not if — you should run through scenarios and plan for what to do in the event of the disaster. And you should do this before disaster occurs. Most companies not involved with loading hardware and software on a day-to-day basis will find it essential to have an outside expert, such as their IT person, develop this plan. 

Evaluation 

Step 1: Evaluate your data: Evaluate the company’s data as a whole. Most backup methods have a cost per byte; therefore, the more data you back up, the more costly the solution will be. But most company data can be grouped in the following four ways: 

  • Critical data without which you would fail. For this category, think about the least data you would have to reconstruct your business after a total loss. (For example, all your onsite computers and data-storage devices are stolen.) Some very small businesses could recover OK if the backup stored just the QuickBooks data somewhere else. Most companies have other records, such as employee files, contracts and other things, stored as data. All of these might be essential. 
  • Important data that would cause inefficiency, but not failure, if the data were not recovered from the backup. An example would be scanned copies of documents for which hard-copy paper backups exist. 
  • Nice-to-have data, such as records that do not have to be retained. Certain documents of a sufficient age do not have to be kept, per government requirements, so it is not critical to recover them. 
  • Unimportant data, such as files that are irrelevant to the business. Examples would be computer games and files that employees use during break times. 

Many companies back up everything because separating it out can be time-consuming. But you can reduce costs if you can identify the data you can live without. Once you choose a backup method, you can cost it out for all company data. If that cost is not affordable, cut back the tiers of data, working in reverse order, until you at least have the critical data stored and retrievable in a reasonable amount of time. 

Establishing Objectives 

Step 2: Define Your Key Recovery Objectives: Among the components of a data-recovery plan are two key parameters that define how long your business can afford to be offline and how much data loss it can tolerate. These are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). We’ll explore each in turn. 

  • The RTO is your organization’s goal for the maximum time it should take to restore normal operations following an outage or a data loss. The RTO goal must be considered carefully and used to evaluate the backup and restoration methods. 
  • The RPO is your goal for the maximum amount of data that the organization can tolerate losing. This parameter is measured in time — from when a failure occurs to your last valid data backup. For example, if you experience a failure now and your last full data backup was 24 hours ago, the RPO is 24 hours. In many cases, small companies can survive the loss of “today’s data” as long as they restore to the previous end of the day. The data restore is often augmented by manually reentering lost transactions from the partial day. 
  • Let’s turn to immutability strategies. Immutability means that nothing can change the backup dataset once it is made. The problem with ransomware is that it changes all files on locally attached devices. You often don’t know when this is happening, and, if a backup is only locally attached, it is vulnerable to ransomware. Therefore, immutability is critical. You don’t have immutability if you just have backup datasets attached to the computer network. If copies are stored offsite in the cloud or elsewhere, then you have an immutable strategy. But it’s important to bear in mind the impact on RTO if you have to retrieve them. 
  • How will you source any computer systems that might be missing or damaged? Sometimes, it can be difficult to obtain replacement computers, especially when supply-chain issues are common. The problem of sourcing replacements for damaged computers can be mitigated by having a duplicate computer already on hand or available to rent, or by using virtual machines on a different, more powerful computer. Additionally, many backup systems can run a restored complete computer image from a virtual machine set up in the cloud or a local appliance computer. 

Methodological Choices 

Step 3: Choose a Backup Methodology: Keeping in mind the data you want to back up, the RTO and RPO parameters, and immutability, the next step is to select a backup methodology that will fit your needs. Several outside experts recommend a 3-2-1 strategy, as well. This involves keeping (at least) three copies of the dataset on two different types of media, and one offsite. 

What follows are some potential methodologies you could choose: 

  • Backups of just your essential data. This would mean making a copy of your critical data on a device or in the cloud. It could be on a USB drive, a network drive or the cloud; however, at least one of these copies must be disconnected from the network. (If it is locally stored, put it in a fire safe.) Your RTO and RPO must allow for the reinstallation of the computer OS and software. 
  • Total and differential backups. A total backup is a complete copy of the data, including metadata such as the system registry, on a computer system. You can restore a total backup to a new computer of the same type with no software loaded. Restoring a differential backup dataset typically means restoring the total backup and all the differential backups in order. This technique reduces the RPO because you can take differential backups many times per day, but it comes at the expense of the RTO. 
  • Local backups (not recommended): If ransomware can get at the data, consider it to be local. So, OneDrive files are local from an immutability point of view. Commercial systems can redundantly store the backup sets in the cloud on two separate data centers. Some of them can scan for ransomware and viruses before committing the data, so you know everything that makes it to the cloud is OK. 

Test in Advance 

Step 4: Test the Restore Methodology: First, pick a scenario for which you wish to test. Selecting a more problematic scenario will assure you that you can recover from easier scenarios. 

  • Restore the environment 
  • Restore the software 
  • Restore the data 
  • Operate the critical programs to see if they work. 

In most cases, I prefer to pick a “bare metal restore” (BMR) scenario. BMR simply means that the device I am restoring to has no software loaded on it, or the drive can be formatted and reloaded. If you do a BMR, the backup software is responsible for the first three steps (including all the activation, configuration and metadata). Then, operate the critical programs (e.g., Quickbooks, Microsoft Office, quoting tools) to see if they work and have the correct data as of the date backed up. 

Step 5: Review the Preceding Steps to See if you can Make Improvements: Once the backup and restore cycle has been tested and performed, you will have an actual value for the RTO and RPO. You will also have a cost. You can and should tweak parts of the plan to improve the value-to-cost ratio. This is an iterative process because technology changes and improves. 

Don’t Lose Profits…or Customers 

Business owners should back up their data on a set schedule. This will help ensure they don’t lose profits — and customers — if a disaster occurs. They should carefully consider what data they need to back up and make 3-2-1 copies. At least one copy must be immutable. Businesses should also test these backups periodically to ensure that the backups work. Finally, they should regularly review the plan; after all, prices, technology, threats and companies change. 

You owe a duty of care to your employees, vendors, ownership and customers to protect your data as well as you can afford to. Data loss is a catastrophic event if it can’t be remedied, and it potentially can be very costly even if it can be. 

Peter H

Peter Heinicke is CEO of Precision Computer Methods Inc., a member of The ASCII Group since 2017.