Backing up business data consistently and securely is crucial to an organisation's success, but how and how often should businesses be backing up data?
To find out more, watch our webinar on data backup with our CTO Kit Barker. Plus, you can read on for Kit's thoughts below.
I love a good dictionary definition, so let’s start with one for backup. The Oxford Languages dictionary describes a backup as “a copy of a file or other item of data made in case the original is lost or damaged”.
A backup allows recovery from some level of failure and a good backup strategy should be part of a Business Continuity Plan or Disaster Recovery Plan, especially if you are hoping to be ISO 27001 certified.
Why should I backup my data?
Backup can seem complex and it can be expensive. Why should you bother?
Simply put, you will experience data loss. Your laptop may be lost or damaged, your hard drive might fail, or your dog might eat your USB drive. It happens to us all.
Sometimes that data might not be particularly valuable. For example, if I lost my Downloads folder, I would simply re-download the files. But what if I lost my email? Or SharePoint file? The consequences to me and our business would be huge.
But all my data is in the cloud, isn’t that safe?
That’s a very good question!
Cloud storage solutions offer a level of availability and durability that would be very difficult to achieve in-house. Google Cloud Storage has a durability of 99.999999999% - and that’s a lot of 9s. In English this means that if you store 10 million files, then you might expect to lose one file every 10,000 years!
So that means storing your data on the cloud means it’s secure, right? Well, not quite.
Durability and availability are not backup
This is a critical point that many people miss. Durability and availability are important, but they only concern themselves with making sure that version of your data is there when you need it. A highly available and durable system cannot help you recover from a ransomware attack or protect you against being locked out of your cloud storage account. For that you need a dedicated backup. The Backblaze blog has a good article on cloud storage durability vs availability. To cover as many scenarios as possible, however, your data should be highly available, durable, and backed up.
What should I backup?
It’s not practical to backup literally every item of data you process, so you need to decide what’s most important to your business.
You need to know what data you hold and how important it is to the continuation of your business. Perform a simple audit of your business data. Don’t get too detailed at this stage though, as you’ll likely find you have a lot more data than you thought!
Once you have a good idea of the data you process, imagine the impact of losing that data. For each item on your list, ask yourself:
- Where is the data kept?
- How critical is this to my business?
- What would happen if we lost this?
- How likely is this to happen?
Anything that would cause significant impact to your business if it were unavailable should be covered by your backup.
When auditing your data, you may notice that it’s widely dispersed: some people store their data on their PC, some use a mobile phone, then there’s the shared office drive, oh and Pete has that USB drive he uses… Ensuring all this data is covered by your backup strategy is difficult.
This is where a centralised, cloud-based storage solution can really help. Products such as Microsoft SharePoint and OneDrive, Google Drive and Dropbox, help by providing a single location for all your business data. Reducing the number of locations for your data makes backing it up much simpler.
What is a good backup strategy?
All backups and backup strategies are not created equal. There are many horror stories detailing where backups failed, with stomach churning consequences, such as Gitlab’s massive backup failure.
When it comes to how and how often you should be backing up your data, there is no one-size-fits-all approach, but all good backup strategies will be:
A term often used when talking about backup and recovery is Recovery Point Objective (RPO). This is the maximum amount of data, expressed in time, that you could lose in the event of a failure. For example, if you take a weekly backup, your RPO is one week. Should your systems fail just before the next backup is taken, you would lose a weeks’ worth of data.
Your RPO will vary depending on how often the data changes and its importance to your business. A daily backup is preferable, but a weekly backup is much better than nothing.
Taking a backup is only part of the story. You cannot assume that your backup is sufficient or even works unless you test it.
This should be done regularly too. Changes to systems and processes can go unnoticed; just because your backup was successfully taken last month, doesn’t means it’s still working as expected.
Your backups, and the media they’re stored on, are not immune to failure themselves. You need to ensure that you also backup your backup! There are many backup rule strategies, mostly with numbers that sound like team sport formations such as 3-2-1, 3-2-2 or 3-2-3. The best known, 3-2-1, states that you should have 3 copies of your data, on 2 different media or devices, with 1 off-site location.
This sounds difficult to achieve but many backup providers will follow these rules. Cloud storage providers make this process simple and affordable. Whatever you choose, it makes sense to ensure you do not have a single copy of your backup, and that all copies are not kept in the same place.
Your backups should also be encrypted. This is especially important for any backups passed to a third party for storage.
This might seem strange, but you need to think about when you should delete your backups, particularly when they contain personal data. The Storage Limitation of the GDPR states that you should only keep data for as long as you need it. This includes backups.
With a good backup strategy forming part of your business continuity plan, you can rest easy knowing that when disaster strikes your backup is ready and waiting.
Read more from our blog
Information security and HR: creating a security-conscious culture
Business crisis management: how to be a good employer during a crisis
Written by Kit Barker
Kit is myhrtoolkit's Chief Technology Officer and a company director for myhrtoolkit who leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.