We hear all sorts of horror stories of data backups going wrong or not happening at all, many of which are beyond the control of the user. For most businesses this can cause reputational damage, customer service issues, regulatory penalties, and an advantage to your competition. As well as the major operational impact, a loss of business data could cost millions. The Ponemon Institute’s ‘Cost of a Data Breach Report 2021’ puts the global average cost of a data breach at $4.24 million (£3.5 million), and the average time taken to identify and contain a data breach at a huge 287 days – over 9 months.
To avoid business damage and excessive costs, here are our top ten tips for ensuring your backups match your business needs and preferences, are fit for purpose, comply with regulations and work efficiently. Even if you think you’re in a good position when it comes to protecting data and being prepared if things go wrong, it’s a comprehensive checklist that will either put your mind at ease or encourage you to shore up your defences.
1. Know who is responsible for the backup
Depending on the size and nature of your business, and the types of backup you employ to safeguard your data, this could be just one or several people. It could range from the employee who swaps USB drives daily (and knows where the other one is at all times), to the in-house team that looks after your physical and cloud-based backups, to the outsourced experts that advise on, implement and manage the security of your data. Whichever it is, they need to be ‘on it’, and on hand at a moment’s notice to deal with any issues.
2. Have a business data backup plan and process
Again, regardless of size, your business should have a data backup plan and process. Anyone whose information you hold can ask about (or ask to see) your data backup policy, and they might not be too impressed if you don’t have one – for example, as part of an audit. It is also becoming increasingly common for insurance providers to ask for proof that an offsite backup is in place for cyber insurance to be valid.
You should also have a clearly defined process for how that backup happens, how backed-up data can be accessed, and how to restore business-critical data from servers or the cloud if any hardware or software fails.
3. Test the data in your backup
Another shockingly common faux pas is to simply assume that backed-up data is ‘good’, but did you know that in 75% of incidents where backup solutions were in place, some data was still lost completely? So, take the time to make sure you know the answers to the following questions: are your external drives or off-site servers taking good care of your business-critical data? Is the cloud fully secure? When was the last time you checked these things with a dummy restore? You could be depending on a setup that’s not fit for purpose. A backup is only a backup if you can restore from it successfully.
4. Have space for contingency
It’s surprisingly common for businesses to be dangerously near capacity with their hardware backup space, especially if they are using disk-to-disk or tape backup. Check regularly or set up alerts to make sure you have the space to cope with periods when you might create more data, and as your business grows and diversifies. Or consider a data-retention policy that automatically deletes certain types of data after a set period.
If you choose a cloud backup provider, ensure they can scale and grow as your data does.
5. Check backup software for updates… regularly
The last thing you want is to have an all-singing, all-dancing backup system in place, only for it not to perform as expected because you haven’t installed the updates. Updates are crucial here, as they often include the latest protection from viruses, malware, and other threats that could compromise your data.
6. Have a Disaster Recovery Plan
Every business should have a Disaster Recovery Plan – a documented set of procedures for restoring all business-critical systems as well as the data they create, process and store. Disaster Recovery entails a full replication of the systems and software your business relies on to function normally, and therefore goes beyond backup. After all, restored data isn’t much use without software.
Two things you need to consider when devising your Disaster Recovery Plan are: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO is how much data, measured in time, you can afford to lose, and therefore how often you need to back up your data; RTO is how long it may take to recover from a data loss before the business suffers unacceptable harm.
Best practice: ensure that the Disaster Recovery Plan is documented, printed out and kept out of the office!
7. Optimise the regularity of business data backups
By this we mean set up backup intervals that best suit the data your business creates, uses and takes responsibility for. For example, if your business continuously creates, processes or updates data, consider a higher frequency of backups to protect continuity should anything go amiss. This should all be part of a comprehensive business data backup plan, which should evolve alongside any changes to your business.
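Tips 3, 4, 6 and 7 above boil down to three measurable questions: is the achieved RPO within target, has a dummy restore been verified recently, and is there still contingency space? The following script is an added example, not code from the original article or from Backup Vault; it runs those checks over a constructed backup catalogue in which the expected 10 June nightly run never happened.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupRun:
    finished: datetime      # when the backup job completed
    size_bytes: int         # bytes this run occupies on the backup target
    restore_tested: bool    # was a dummy restore from this run verified?

def backup_health(runs, now, rpo, restore_test_max_age, capacity_bytes, headroom=0.20):
    """Return a dict of findings keyed by check name; an empty dict means healthy."""
    findings = {}
    runs = sorted(runs, key=lambda r: r.finished)
    if not runs:
        return {"rpo": "no backup runs recorded"}
    # Achieved RPO is the worst case: the largest gap between runs, or the age
    # of the newest run if the next one is overdue (a missed job shows up here).
    gaps = [b.finished - a.finished for a, b in zip(runs, runs[1:])]
    worst = max(gaps + [now - runs[-1].finished])
    if worst > rpo:
        findings["rpo"] = f"worst gap {worst} exceeds target {rpo}"
    # Tip 3: a backup is only a backup if a restore has actually been verified recently.
    tested = [r for r in runs if r.restore_tested]
    if not tested or now - tested[-1].finished > restore_test_max_age:
        findings["restore_test"] = f"no verified dummy restore in the last {restore_test_max_age}"
    # Tip 4: keep contingency space; alert before the target is nearly full.
    used = sum(r.size_bytes for r in runs)
    if used > capacity_bytes * (1 - headroom):
        findings["capacity"] = f"{used / capacity_bytes:.0%} used, under {headroom:.0%} headroom"
    return findings

# Constructed sample catalogue (hypothetical values): nightly jobs, but the 10 June run never happened.
GIB = 2 ** 30
NOW = datetime(2021, 6, 10, 9, 0)
EARLIER = NOW - timedelta(days=1)      # a point in time when everything was still on schedule
SAMPLE_RUNS = [
    BackupRun(datetime(2021, 6, 7, 1, 0), 40 * GIB, restore_tested=True),
    BackupRun(datetime(2021, 6, 8, 1, 0), 41 * GIB, restore_tested=False),
    BackupRun(datetime(2021, 6, 9, 1, 0), 42 * GIB, restore_tested=False),
]
RPO = timedelta(hours=24)
RESTORE_TEST_MAX_AGE = timedelta(days=7)
CAPACITY = 150 * GIB

if __name__ == "__main__":
    for check, detail in backup_health(SAMPLE_RUNS, NOW, RPO, RESTORE_TEST_MAX_AGE, CAPACITY).items():
        print(f"{check}: {detail}")
```

Run against the sample data it reports the missed run as an RPO breach and the target as having less than 20% free; the same catalogue checked a day earlier, with a larger target, is clean.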
8. Educate staff on the importance of backups and data security
Pretty much anyone who uses IT systems creates and/or manages data in some shape or form – and 52% of all data breaches are caused by human error. So, it makes sense that everyone in your business should be aware of how crucial data security and backup are to business continuity. Simple, informed changes in behaviour can protect against potentially damaging data loss. A common example is a user unwittingly opening an infected email attachment and releasing ransomware onto the network.
Best practice: Introduce Security Awareness Training, where an external company will send phishing-style emails to ‘trick’ staff, then provide the training on how to spot and deal with those emails.
9. Know what data is part of the backup
With GDPR now in full swing, and eyes increasingly on data use and security, even the more basic business data backup plan needs to specify what kind of data is being backed up, where, and how securely. You should also check whether the data is encrypted – not just during the transfer process, but while at rest on your provider’s servers too. Check which data regulations apply to the data you create, how you back it up and how to remove data if required. Regulations vary by country, so make sure you’re acting within the laws of your location.
10. Have a data retention policy
This is your ‘protocol’ for retaining customer data that’s crucial to how you provide a product or service to them, and as such, it must comply with strict regulations. For UK and EU businesses, a data retention policy is a key part of GDPR compliance. The kind of data you hold – and how long for – depends on the kind of business you run, and the data it relies on to function normally. The default standard retention period for HMRC records is 6 years plus the current year. Many companies also legally need to keep hold of data for a number of years. For example, in the financial industry in the UK the retention period is 7 years, and for architects it’s 12 years.
So, there we have it – our top ten tips for effective data backup planning, to help you ensure your data, your business and your reputation remain intact.
If you need any further help and assistance in planning and implementing your backup strategy, Backup Vault provides fully automated, hassle-free, UK-based backup services to organisations all over the world – from small business to global brands, to public-sector clients and large corporate enterprises.