March 31st is "World Backup Day" and everyone, both businesses and private individuals, are encouraged to review their backup position around the data they hold dear.
Businesses today generate a lot of data and it's easy to lose track of what is where, how important it is, and how it's being backed up (or if it's being backed up at all!). Today, we're going to take you through an exercise which every business owner or IT manager should be completing at least once a year, if not more frequently: the Data Backup Review.
The DBR
The Data Backup Review, or DBR for short, is a 2 phase exercise meant to help ensure your backup and continuity strategy is covering everything it needs to.
One of the biggest weaknesses we see in small businesses is: as time moves on and business needs change, new tech is adopted and data is often diverted, repurpose, moved and created in new locations. While some of this data isn't necessarily life or death, some of it does and up being business critical. As these things occur however, a businesses continuity plan doesn't end up evolving with it and instead gets overlooked.
In the enterprise space continuity strategies are constantly evaluated and very few things happen without security and continuity being taken into account. But, as a small business owner, time is a major constraint and there just isn't the staff to handle constant reviews. But it's still critical to ensure you have your bases covered so scheduling a review even annually will put you much further ahead of the curve.
Phase 1 - Data Review
The first phase of the DBR is to review what data your business generates and uses. You'll want to list everything possible, including things like emails, internal documents, forms, templates and boilerplates, client documents, design files and support tickets. Everything your business generates, even if it's on paper.
The goal create as complete a list as possible of any and all data your business generates. This is the longer of the two phases but it 100% pays to be thorough. Save this list as well because you can use it as a reference in future reviews and save yourself time. Once you're confident you have as complete a list as possible, it's time put each of those items in to a criticality category. Which items would you be comfortable losing? Which are mission critical? Use at least 3 categories but no more than 5. Be sure to thoroughly think this through and don't be afraid to consult with your employees over it. Losing a batch of template documents may not seem like a big deal until you realize it'll take 40 hours to recreate them all.
Once you've finished categorizing each item on your list you should have a good overview of what data your business generates and what the most important areas are. If you've been thorough then you'll probably find your list a bit surprising but that's a good thing! You're now ready to move on to phase 2.
Phase 2 - Backup Review
In phase 2 we take the list generated in phase 1 and match it up with your current backup strategy to see how it aligns. Critical/important items should always have some form of verifiable backup while unimportant data may not necessarily need anything. It's important when looking at your current backup strategy to keep a few key things in mind:
"In the cloud" is NOT the same as "backed up"
The most important misunderstanding we see from almost everyone we work with today is what "in the cloud" actually means as it pertains to the security and continuity of your data. Placing files in OneDrive or using QuickBooks Online both offer some nice feature sets and work-from-anywhere capability. But, while they do offer the redundancy we come to expect from a cloud service, they are not truly "backed up". It's entirely possible for you, an employee, or a bad actor to cause major damage to things with no way to recover other than manually rebuilding one brick at a time.
This isn't to say cloud services are bad or shouldn't be used. But it should be understood if you do use cloud-based solutions, you should inquire with the vendor about exactly what backup and recovery procedures are available and then weigh that against how important the data you keep on those solutions is. In some cases, like with OneDrive or SharePoint Online, third-party solutions exist which can offer a true backup so it's possible to look for other options, even if the vendor themselves don't offer anything.
A vulnerable backup is not a backup
The next most common issue we often see are backups which are vulnerable. The most classic scenario is: customer made backups to an external hard disk plugged into the machine/server and then said system gets hit with ransomware, which promptly deletes all of the backups.
A proper backup needs to be something which cannot be changed or touched by malware or destroyed in an event which destroys the live copy. Following the 3-2-1 rule can help prevent this from being an issue: Have 3 copies of data in at least 2 different locations with 1 of those locations being offsite and fully air-gapped (untouchable by anything which can harm the live copy). So before you check off something as "backed up", make sure your in-place solution is actually solid.
Backing up means nothing if you can't restore
Tailing off of the last point, the third thing we often see is corrupted backups which, when needed turn out to be no good. A backup is not something you can just set and forget. I needs to be regularly monitored to ensure it is both continuing to work as well as ensure it is restorable in the event it's needed. Ideally, backups should be regularly restore-tested to ensure they will work and everything that is supposed to be backed up, actually is.
Ensuring you have the right continuity setup for your business
Hopefully this exercise will help you track what data you have where and spot any potential weaknesses in your current continuity strategy. We usually recommend doing this exercise once a year to keep up on things. It also makes future reviews go much quicker as accounting for one or two changes is much easier than ten.
And as always, if you need assistance with performing a backup review or anything else. Help is just a click away.