I didn’t want to admit my backup plan consisted of hoping we didn’t need one (Bryan Fields).
Hope is not a plan.
In today’s IT environment of ever-increasing threats, backups and recovery are as important as the system itself. Moreover, it is critically important to consider backup and recovery together. Often businesses, particularly small businesses, are confident they have a backup but haven’t thought through how they would recover from a partial or complete loss of systems.
It is the recovery of the systems, not just data, that the business needs.
For example, consider a Windows server that has been configured to provide several functions (domain server, print server, DHCP server, file server as well as applications). After an adverse event, the recovery starts with the replacement of the physical machine, then the installation of features and applications plus their configuration (which can take days), and only then the recovery of the data. If the whole system was backed up (applications, configurations and data), the recovery becomes far easier and quicker.
With the advent of cloud-based computing, the configuration of servers is removed from the business and moved to the cloud vendor, so the recovery process needs to be adjusted to suit. For example, recovery of an endpoint computer (Windows or Mac) could be as simple as re-installing the operating system (or setting up a new device) and connecting to the various cloud-based applications.
To confuse the subject, some software vendors may claim their applications are backups, e.g. file-to-cloud synchronisation applications. They are not. File sync applications are vulnerable to ransomware and file encryption malware, because a file encrypted on the local device is synchronised to the cloud copy like any other change, and therefore do not serve as a robust backup.
It is critically important to have a backup and recovery process that suits the individual business and can handle all threats, from hardware failure to ransomware.
To design a backup and recovery process, start with these steps:
- List what the IT systems are in the business, e.g. email, HR, CRM, financial, job management etc. and their location, i.e. on-premise or cloud.
- Score each system in terms of:
  - impact to the business if that system was not operational, e.g. ranging from a minor inconvenience where manual procedures can be used to the business being unable to operate
  - whether alternative or manual systems exist to replace the operations of the lost system
  - how long the business can survive without that system
  - the estimated costs to recover, including downtime and reputational damage
- Formulate a backup and recovery plan based on the above
- Seek professional help to assist in the design of the process.
There are a number of characteristics of a good backup, and this is where professional help can greatly assist in making appropriate decisions for the specific business. A good backup should have the following:
- Immutable – the backup cannot be modified
- Granularity – able to recover individual items, e.g. emails and files.
- Search capabilities
- Frequency – able to vary the timing of backups
- Automation – no humans required and with alerts of backup failure
- Duration – the backup process is short enough to minimise the impact on end users. Ideally with cloud-based systems the backup process does not touch the local business network.
- Retention – options to vary the time backups are kept
- Location – backup held in secure storage, i.e. in Australia
- Testable – the backup is able to be tested
- Encryption – the backup is encrypted
Small businesses are just as vulnerable to threats as larger organisations and therefore must take appropriate steps to protect their IT systems. There are many actions that can be taken to reduce the IT security threat, and backup and recovery is a fundamental consideration to minimise the risk of adverse operational impacts to any business.