Developing a solid backup plan requires an investment of time and money, but the cost is far less than the burdensome task of recreating data for which no backup exists.
With rising malware attacks and the escalating cost of a data breach – pegged at an average of $3.92 million – cybersecurity has emerged as a top business priority. However, even with tightened security measures, breaches have increased by 67% over the past 5 years. As a result, the need to have a solid backup strategy in place has become more important than ever. To be truly protected, organizations must form a well-defined plan that can aid in the quick and seamless recovery of lost data and guarantee business continuity when all preventive measures fail.
A comprehensive backup strategy is an essential part of an organization’s cyber safety net. Ensuring critical organizational data is backed up and available for restore in the case of a data loss event can be considered an administrator’s prime concern. A backup strategy, along with a disaster recovery plan, constitutes the all-encompassing business continuity plan, which is the blueprint for an organization to withstand a cyberattack and recover with zero-to-minimal damage to the business, reputation, and data.
What are the typical threats?
Typical data-threatening situations are accidental deletions, hard disk failures, computer viruses, thefts, and fire and flood accidents. Data storage equipment has become more reliable over time, but the hard drive failure rate is still around 4.2-4.8% annually. The risk of a fire accident is about 0.32% annually. Expressed as percentages, these do not seem like huge risks when taken individually, but to get the total risk level, you need to sum them up.
While technological risks, like hardware failure, may be quite well-defined constants, other risks can vary a lot depending on circumstances. For example, the risk of flooding in your house is quite serious if you are living at the seaside or on the banks of a bigger river. What people often forget is that there can also be smaller man-made “flooding”, which may not be so dramatic but happens even more often. Some examples are accidents with water pipes, forgetting a laptop in the rain, spilling coffee all over the computer or dropping a laptop into a swimming pool. You might want to establish some common-sense rules for eliminating some of those risks, like not drinking coffee near your laptop, but some unforeseeable risks still remain.
If you add up all possible risks (and there are many of them), you may have as high as 25% probability of losing some of your data during the next year.
Here we’ll detail the steps to develop a dependable backup strategy:
1. Determine what data has to be backed up
“Everything” would probably be your answer. However, the level of data protection would vary based on how critical it is to restore that particular dataset. Your organization’s Recovery Time Objective (RTO), which is the maximum acceptable length of time required for an organization to recover lost data and get back up and running, would be a reliable benchmark when forming your backup strategy.
Assess and group your applications and data into the following:
• Existentially-critical for the business to survive
• Mission-critical for the organization to operate
• Optimal-for-performance for the organization to thrive
Once all pertinent data is identified, layer the level of protection accordingly.
Of course, you should back up the data on all of the desktops, laptops, and servers in your office. But what about data stored on staff members’ home computers? Or on mobile devices? Is your website backed up? What kind of data is your organization storing in the cloud? How is your email backed up?
It’s not usually necessary to back up the complete contents of each individual computer’s hard drive — most of that space is taken up by the operating system and program files, which you can easily reload from a CD if necessary.
Also consider data you currently store only in hard copy, as this kind of data is not easily reproducible: for example, financial information, HR information, contracts, leases, etc.
This type of information should be stored in a waterproof safe deposit box or file cabinet as well as backed up electronically (either scanned or computer-generated). Give highest priority to crucial data.
2. Determine how often data has to be backed up
The frequency with which you back up your data should be aligned with your organization’s Recovery Point Objective (RPO), which is defined as the maximum allowable period between the time of data loss and the last useful backup of a known good state. Thus, the more often your data is backed up, the more likely you are to comply with your stated RPO. As a good rule of thumb, backups should be performed at least once every 24 hours to meet acceptable standards of most organizations.
Each organization needs to decide how much work it is willing to risk losing and set its backup schedule accordingly. Database and accounting files are your most critical data assets. They should be backed up before and after any significant use. For most organizations, this means backing up these files daily. Nonprofits that do a lot of data entry should consider backing up their databases after each major data-entry session. Core files like documents (such as your Documents folders) and email files should be backed up at least once a week, or even once a day.
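As an added example (not part of the original article), the following Python sketch checks a backup job log against an RPO and reports every window in which no successful backup existed. The log format, the job name and the function names are assumptions made for illustration, and the log lines are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample job log: "<ISO timestamp> <job name> <status>".
SAMPLE_LOG = """\
2024-03-01T01:00:00 accounting-db OK
2024-03-02T01:00:00 accounting-db OK
2024-03-03T01:00:00 accounting-db FAILED
2024-03-04T01:00:00 accounting-db OK
2024-03-05T01:00:00 accounting-db OK
"""

def successful_backups(log_text):
    """Return sorted completion times of jobs that finished with status OK."""
    times = []
    for line in log_text.splitlines():
        parts = line.split()
        # A failed job protects nothing, so only OK entries count.
        if len(parts) == 3 and parts[2] == "OK":
            times.append(datetime.fromisoformat(parts[0]))
    return sorted(times)

def rpo_violations(log_text, rpo, now):
    """Return (start, end) for each window longer than `rpo` that has no
    successful backup, including the window from the last backup to `now`."""
    good = successful_backups(log_text)
    if not good:
        return [(None, now)]  # never backed up successfully
    points = good + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > rpo]

if __name__ == "__main__":
    for start, end in rpo_violations(SAMPLE_LOG, timedelta(hours=24),
                                     datetime(2024, 3, 6, 6, 0)):
        print(f"RPO exceeded: no good backup between {start} and {end}")
```

The single failed job on 3 March turns a daily schedule into a 48-hour exposure, which is why the check counts only successful runs rather than scheduled ones.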
3. Identify and implement a suitable backup and recovery solution
Based on your organization’s requirements, you need to identify a suitable backup solution as part of your backup strategy.
Some aspects to consider
There are two broadly defined approaches to backup: on-premises backup and remote backup. Either route (or both) may be appropriate for your nonprofit.
In an on-premises setup, you can copy your data to a second hard drive, other media, or a shared drive, either manually or at specified intervals.
With this setup, all the data is within your reach — and therein lies both its value and its risk. You can always access your information when necessary, but that information is vulnerable to loss, whether through theft (someone breaking in and stealing equipment) or damage (such as a leaky water pipe or a natural disaster).
In remote backup, your computer automatically sends your data to a remote center at specified intervals. To perform a backup, you simply install the software on every computer containing data you want to back up, set up a backup schedule, and identify the files and folders to be copied. The software then takes care of backing up the data for you.
With remote backup solutions, you don’t incur the expense of purchasing backup equipment, and in the event of a disaster you can still recover critical data. This makes remote backup ideal for small nonprofits (say, 2 to 10 people) that need to back up critical information such as donor lists, fundraising campaign documents, and financial data, but lack the equipment, expertise, or inclination to set up dedicated on-site storage.
Automation is another key benefit to remote backup. A software program won’t forget to make an extra copy of a critical folder; a harried employee at the end of a busy week might. By taking the backup task out of your users’ hands you avoid the “I forgot” problem.
The main downside to remote backup solutions is that Internet access is required to fully restore your backed-up data. If your Internet connection goes down (as may happen in a disaster scenario), you won’t be able to restore from your backups until your Internet connection is restored.
Another potential downside is that you have to entrust critical data to a third party. So, make sure you choose a provider that is reliable, stable, and secure. You can also help secure your data by encrypting it before it is transmitted to the remote backup center.
A full backup is the most complete type of backup. It is more time-consuming and requires more storage space than other backup options.
An incremental backup only backs up files that have been changed or newly created since the last incremental backup. This is faster than a full backup and requires less storage space. However, in order to completely restore all your files, you’ll need to have all incremental backups available. And in order to find a specific file, you may need to search through several incremental backups.
A differential backup also backs up a subset of your data, like an incremental backup. But a differential backup only backs up the files that have been changed or newly created since the last full backup.
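The restore consequences of these backup types can be worked through in code. This added example (not from the original article) computes which backup sets are needed to restore to a given point in time and which of them are missing from storage. The catalog format and backup ids are constructed, and it assumes a schedule that uses either incrementals or differentials between full backups, not both.

```python
from datetime import datetime

def restore_chain(catalog, target):
    """Return the ids of the backups needed to restore to `target`, oldest first.
    `catalog` is a list of (id, kind, completion time) tuples."""
    usable = sorted((b for b in catalog if b[2] <= target), key=lambda b: b[2])
    fulls = [b for b in usable if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup at or before the target time")
    base = fulls[-1]
    later = [b for b in usable if b[2] > base[2]]
    kinds = {b[1] for b in later}
    if kinds == {"incremental", "differential"}:
        raise ValueError("mixed schedules are outside the scope of this example")
    if kinds == {"differential"}:
        later = later[-1:]  # each differential already covers everything since the full
    return [base[0]] + [b[0] for b in later]

def missing_sets(chain, available):
    """Return the ids in the restore chain that are not in storage."""
    return [bid for bid in chain if bid not in available]

def day(d):
    return datetime(2024, 1, d, 1, 0)

# Constructed sample catalogs: a full backup on Sunday, then one backup per night.
INCREMENTAL = [("full-sun", "full", day(7)), ("inc-mon", "incremental", day(8)),
               ("inc-tue", "incremental", day(9)), ("inc-wed", "incremental", day(10)),
               ("inc-thu", "incremental", day(11))]
DIFFERENTIAL = [("full-sun", "full", day(7)), ("diff-mon", "differential", day(8)),
                ("diff-tue", "differential", day(9)), ("diff-wed", "differential", day(10)),
                ("diff-thu", "differential", day(11))]

if __name__ == "__main__":
    target = datetime(2024, 1, 11, 12, 0)  # Thursday noon
    for name, cat, lost in (("incremental", INCREMENTAL, "inc-tue"),
                            ("differential", DIFFERENTIAL, "diff-tue")):
        chain = restore_chain(cat, target)
        have = {b[0] for b in cat} - {lost}  # simulate losing Tuesday's backup
        print(name, chain, "missing:", missing_sets(chain, have))
```

Losing Tuesday's set breaks the incremental restore but leaves the differential restore intact, since only the full backup and the newest differential are required there.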
Features your organization requires
Below are several essential aspects of a comprehensive and dependable backup and restore solution to consider:
• Ease of Backup: Automated and/or on-demand options
• Restore Flexibility: Cross-user, search-based, point-in-time
• Scalability: License and user management
• Ease of Use: Intuitive user interface and self-service recovery
• Post-purchase Experience: Free support and unlimited storage
• Strong Credentials: Superior customer ratings, security & compliance certifications
All backup routines must balance expense and effort against risk. Few backup methods are 100-percent airtight — and those that are may be more trouble to implement than they’re worth. That said, here are some rules of thumb to guide you in developing a solid backup strategy:
Develop a written backup plan that tells you:
• What’s being backed up
• Where it’s being backed up
• How often backups will occur
• Who’s in charge of performing backups
• Who’s in charge of monitoring the success of these backups
Think beyond just your office and its computers.
For on-premises backup solutions, we recommend rotating a set of backups off-site once a week. Ideally, you should store your backups in a secure location, such as a safe deposit box. Another method is to follow the “2x2x2” rule: two sets of backups held by two people at two different locations.
Especially if your area is susceptible to natural disasters, think about going a step further. You need to make sure your local and remote backup solutions won’t be hit by the same disaster that damages your office.
Although it may sound overly cautious, you will be glad to have a system like this in place should disaster strike.
Consider what data would be most essential to have at your fingertips in an unexpected scenario. If you lose Internet connectivity, online services will be unavailable. What information or files would be key as you wait to regain Internet connectivity (which will enable you to restore from an offsite backup)? Where will you store those files?
4. Test and Monitor your backup system
Once your backup system is in place, test it, both to check that the backup is successful and to confirm that the restore is smooth and accurate. Verify the backup and restore with regard to various types of artifacts – accounts, emails, documents, sites, etc. If the backup solution supports end-user backup, inform and educate your users about using it. Finally, remember to monitor your backup performance and regularly check the logs for data lapses.