Disaster recovery plan: Are you doing this correctly?
If you haven’t thought about your disaster recovery plan, don’t take backups, or haven’t tested a backup recently, then you could be treading a fine line that could put an end to your business in a flash. This isn’t going to be a scare-tactics type of blog article; the aim is to be informative and to get you thinking about the security and protection of your business.
With working from home becoming the norm more than ever in these times, this is an area of the business to which you should dedicate not just time and effort but money. Yes, I did say the money word, but in reality you aren’t going to be able to protect your business and service offering if you don’t spend some money on protecting your assets.
So what makes up a disaster recovery plan? When you break it down, there are two main areas you need to look into and address: the first is backing up your data, and the second, which hopefully you will never need, is recovering that data. A complete disaster recovery plan covers more than this, which we will look at in future videos, but for the basis of this video we’ll concentrate on these two areas.
So, backups. A backup is what you fall back on when you need to recover any type of information: a deleted file, email, picture or anything else. It’s not simply a case of copying some files to a USB drive and job done. You need to think about how much data you need to be able to recover, where the backup is going to be located and how long a recovery is going to take. This is where Recovery Time Objective (RTO) and Recovery Point Objective (RPO) come into play for your business.
RTO is the maximum amount of time you are willing to accept to recover from an incident; it is the metric that tells you how quickly you need your systems back following an incident. Put simply: how long can your business survive without its systems before the damage has gone too far? For example, if your RTO is 24 hours, you have identified that your business can survive with systems unavailable for up to 24 hours; beyond that the impact on normal business operations becomes unacceptable.
RPO is the point in time you are willing to recover to, which in practice means how much data, measured in time, you can tolerate losing between your last backup and the incident. Most businesses back up on a fixed schedule, whether that is hourly, daily or (hopefully not) weekly or less often. For example, if you backed up your data every day at 12pm and someone deleted files or your systems went down at 9am the following day, you would lose everything created or changed between 12pm the previous day and 9am, a 21-hour window. Your RPO can never be shorter than the gap between successful backups.
Now, the shorter the RTO and RPO the more expensive it’s going to get, so keep this in mind.
Now, in a past life I used to work as a system administrator, primarily building and looking after infrastructure of all shapes and sizes, and from my experience backups are one of those areas that people either do really, really well or really, really badly. As basic hygiene, make sure that all your information is backed up frequently and check that it is actually being backed up correctly. Don’t just think about local files and systems; look into how your cloud vendors back up and recover their data as well.
If you don’t have an IT provider, make sure that any information stored locally within the office is backed up at least daily, ideally onto a system in a physically different location, and keep multiple versions of the backups. The worst case is someone deleting an important file and nobody noticing for two months. What would you do; could you manage without that file? Keeping multiple versions, including ones older than the point of deletion, is what lets you recover it.
And by having the backups offsite you can be safe in the knowledge that, should the building burn down, flood or anything else, your data is safe. For the same reason, the offsite copy should not be writable with the same credentials as your live systems; otherwise whatever destroys the originals, ransomware included, can destroy the backups too.
Explaining how to back up your data is outside the scope of this video, but there are many products available; Microsoft Windows and Apple macOS both include basic backup tools. You should also make sure you are alerted to any backup failure and that, when you are alerted, the issue is resolved and the fix verified. Don’t just assume it will fix itself; look at the issue and get it working, or bring someone in to look at it for you.
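Checking backups against your RPO and spotting ignored failures is something you can automate rather than eyeball. The script below is an added example, not part of the original article or any backup product: it parses a constructed backup log (the log format, job names and RPO targets are all assumptions made for illustration), works out for each job how much data you would lose if an incident struck right now, flags any job whose exposure exceeds its RPO, and counts failures that have gone unfixed. A job that is expected to run but never appears in the log is reported as a breach rather than silently skipped, which is exactly the “no backups for three years” case.

```python
"""Check backup job logs against an RPO target and flag failures that are
being ignored.  Added example: the log format, job names and RPO targets are
assumptions made for illustration, not any real product's output."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (made up for this example).
SAMPLE_LOG = """\
2020-10-12T12:00:03 job=fileserver-daily status=SUCCESS bytes=52428800000
2020-10-12T12:05:10 job=mailbox-hourly status=SUCCESS bytes=734003200
2020-10-13T12:00:02 job=fileserver-daily status=SUCCESS bytes=52433772800
2020-10-13T13:05:09 job=mailbox-hourly status=FAILED error="destination unreachable"
2020-10-13T14:05:11 job=mailbox-hourly status=FAILED error="destination unreachable"
2020-10-14T12:00:04 job=fileserver-daily status=SUCCESS bytes=52440000000
"""

# Hypothetical RPO targets: the most data loss (in time) each job may expose.
# laptops-nightly is listed deliberately although it never appears in the log.
RPO_TARGETS = {
    "fileserver-daily": timedelta(hours=24),
    "mailbox-hourly": timedelta(hours=1),
    "laptops-nightly": timedelta(hours=24),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\w+)")


@dataclass
class JobState:
    last_success: datetime | None = None
    consecutive_failures: int = 0


def parse_log(text: str) -> dict[str, JobState]:
    """Fold log lines into per-job state: newest success and current failure streak."""
    states: dict[str, JobState] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a format we don't recognise
        state = states.setdefault(m["job"], JobState())
        ts = datetime.fromisoformat(m["ts"])
        if m["status"] == "SUCCESS":
            if state.last_success is None or ts > state.last_success:
                state.last_success = ts
            state.consecutive_failures = 0
        else:
            state.consecutive_failures += 1
    return states


def check_rpo(states: dict[str, JobState], targets: dict[str, timedelta],
              now: datetime) -> dict[str, dict]:
    """For every job you expect to run, report the exposure (data you would
    lose if disaster struck at `now`), whether that breaches the RPO, and how
    many failures in a row have gone unfixed.  A job with no success at all is
    a breach, not a gap in the report."""
    findings = {}
    for job, rpo in targets.items():
        state = states.get(job, JobState())
        exposure = None if state.last_success is None else now - state.last_success
        findings[job] = {
            "exposure": exposure,
            "rpo_breached": exposure is None or exposure > rpo,
            "consecutive_failures": state.consecutive_failures,
        }
    return findings


def run_example() -> dict[str, dict]:
    """Evaluate the constructed log as if an incident happened at 15:00 on 14 Oct."""
    now = datetime(2020, 10, 14, 15, 0)
    return check_rpo(parse_log(SAMPLE_LOG), RPO_TARGETS, now)


if __name__ == "__main__":
    for job, f in run_example().items():
        status = "BREACH" if f["rpo_breached"] else "ok"
        print(f"{job}: exposure={f['exposure']} [{status}] "
              f"unfixed failures={f['consecutive_failures']}")
```

In the constructed log the file server is fine (last success about three hours ago against a 24-hour RPO), the hourly mailbox job has two unfixed failures and over two days of exposure against a one-hour RPO, and the laptop job has never succeeded at all. Adapt LINE_RE to whatever your product actually writes, run it on a schedule, and have anything marked BREACH raise an alert that somebody owns.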
If you do rely on an IT provider for this service, don’t be scared to ask for a copy of the backup logs and the date of the last test restore. It’s frightening how many times I’ve gone into a business and, three years down the line, found that the client hasn’t had any backups, or that the backups have been failing for months.
One area to think about is where the backups are located once your information has been backed up; this is more important for companies in the UK now that Brexit is looming. For example, if you store your data outside the UK, you need to know that the information is being stored securely, that you have performed data protection impact assessments and, if you use a third-party provider, that the necessary data protection terms (a data processing agreement) have been signed and agreed.
This is an area a lot of people forget about; they simply save the data in the US, the EU or somewhere else. Storing data in the same region as your business (such as the UK) will usually also make backups and restores quicker.
As an example of cloud-based systems, did you know that Office 365 (now known as Microsoft 365) doesn’t back up your data for you? You may have assumed that, being an online cloud service, it would be backed up; however, Microsoft’s terms recommend that customers regularly back up their own content. What you get by default is a recycle bin and a retention period, not a point-in-time backup that you control.
So although it’s highly unlikely that Microsoft will lose your data, you still don’t have the ability to recover emails once the retention period has passed should someone accidentally delete them, and if they aren’t in the deleted items folder or in an archive you could be in trouble.
There are several options for you, although many of them are sold through Managed Service Providers (MSPs). Some products are SkyKick, Acronis, SolarWinds and Veeam. There are plenty more out there, but these are some of the common ones.
A blog article about a disaster recovery plan wouldn’t be complete without covering restores. Restoration is an area that is often overlooked until it’s needed, and then it’s a gamble whether the data was actually backed up, is still there and is recoverable.
Test restores are really simple, though, and should be carried out at least monthly to give you reassurance that things are going to work when you need them.
To get started, go into your backups, select a file (or a whole system) and recover it, to a test location rather than over the live copy. Is the file restored correctly? Does it contain the information you expect? If you’re recovering a system, did it recover fully and start up?
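“Does it contain information?” deserves a stronger check than opening the file and glancing at it. The script below is an added example, not code from the original article or from any backup product: it records a manifest of file hashes at backup time, performs a stand-in restore (a plain copy, which you would replace with your product’s restore step) into a scratch directory, and then reports every file that is missing, empty or changed compared with the manifest. The directory layout, file contents and the deliberate damage to the backup copy are all constructed in a temporary directory so it runs offline.

```python
"""Test-restore check: restore from the backup copy into a scratch directory
and prove the restored files match the manifest recorded at backup time.
Added example; the files, layout and damage are constructed in a temp dir."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root. Record this when the
    backup runs and store it separately from the backup itself."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def restore(backup: Path, target: Path) -> None:
    """Stand-in for your product's restore step: copy the backup set to target.
    Always restore to a scratch location, never over the live data."""
    shutil.copytree(backup, target)


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the restored tree with the manifest; problems grouped by kind."""
    problems: dict[str, list[str]] = {"missing": [], "empty": [], "corrupt": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems["missing"].append(rel)
        elif p.stat().st_size == 0:
            problems["empty"].append(rel)       # "restored" but contains nothing
        elif sha256_file(p) != expected:
            problems["corrupt"].append(rel)     # present, non-empty, wrong content
    return problems


def run_example() -> dict[str, list[str]]:
    """Constructed scenario: back up three files, silently damage the backup
    copy in three different ways, then run a test restore and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        scratch = Path(tmp) / "restore-test"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "invoices.csv").write_text("id,amount\n1,100\n")
        (live / "contract.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 100)
        (live / "notes.txt").write_text("call supplier Monday\n")

        manifest = build_manifest(live)   # taken when the backup job ran
        shutil.copytree(live, backup)     # the backup job itself

        # Simulated damage nobody noticed: truncated, deleted and altered files.
        (backup / "contract.docx").write_bytes(b"")
        (backup / "notes.txt").unlink()
        (backup / "finance" / "invoices.csv").write_text("id,amount\n1,999\n")

        restore(backup, scratch)
        return verify_restore(scratch, manifest)


if __name__ == "__main__":
    for kind, files in run_example().items():
        print(f"{kind}: {', '.join(files) or 'none'}")
```

A clean monthly test is one where all three lists come back empty; anything else is exactly the kind of issue to fix straight away and retest. The manifest must be kept somewhere the backup job cannot overwrite, otherwise a job that silently writes empty files would also write a manifest that agrees with them.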
If you identify any issues, get them fixed straight away and then retest to make sure everything works. To improve your cyber security knowledge, why not take a look at Cyber Essentials certification.