Most businesses are not backing up their data appropriately. If they suffer a data-loss event, they risk losing the ability to run processes that rely on that data.
This is worse than just a slowdown or temporary roadblock – loss of core processes can quickly overwhelm a business’s ability to survive. Hence when we talk about backing up data, what we are really talking about is protecting the ability to continue in business. This is why it is extremely important to understand the term business continuity.
Having a business continuity solution means having a plan. Not just backing up data and hoping for the best, but actually knowing which data is essential to core business processes, storing it in ways that ensure redundancy, and having a system for restarting the processes that use it.
A business with a continuity plan can suffer unscheduled downtime or a data-loss event and recover within minutes, rather than the hours or days required with traditional backup and recovery methods, if recovery is possible at all.
Some essential terminology here is RPO and RTO. Put simply, these are parameters that determine how much data a business can lose and how long they can be out of operation before there are significant business impacts, or business survival is threatened.
Recovery Point Objective (RPO) – This determines the amount of data at risk and how much can be lost before business operations are impacted. A business continuity plan will use RPO to set the frequency and thoroughness of backups.
Recovery Time Objective (RTO) – This determines the length of downtime a business can withstand. A business continuity plan will use RTO to set system and application restoration time limits, in other words, how quickly business operations are restarted after a data disaster occurs.
Note: A business’s RPO and RTO settings will be impacted by industry-specific factors, like the sensitivity of their data and the demands of their regulatory compliance. Cost also plays a role, both in the cost of lost operations and the cost of implementing the business continuity plan, including storage solutions and outsourcing services. Additionally, the type of data that is being protected needs to be taken into account. Static, non-changing data does not need to be backed up as frequently as an operational database where transactional data is continually changing.
Why the risk?
The main reason people are not protecting their data, and by extension their business operations, is because of the misconception that it is already being done for them. Business leaders want to believe their IT people have something in place to ensure information cannot be lost.
Unfortunately, this is one of the most common laments after disaster strikes.
Another related mistaken belief is that Microsoft 365 – and specifically the OneDrive and SharePoint platforms – protect users’ data. In fact, where Microsoft’s responsibility for data protection ends and the user’s begins is difficult to determine.
Policies are different for each application in Microsoft 365, and in fact Microsoft itself recommends using third party backup solutions. For a very simple example of how unsecure data is within Microsoft 365, those ‘recycle bins’ store data for only 93 days. After that, it is impossible (or extremely difficult) to recover anything. We’ll look more closely at these kinds of issues with Microsoft 365 data security later.
Essentially, every business that uses cloud services should be concerned about data loss, because the service providers’ backup policies do not guarantee a complete restore of lost data. None of them are effectively backing up their users’ data securely, or ensuring that data is available for immediate retrieval in case of a data breach or disaster.
This means most businesses won’t be able to recover to their original state if they suffer a Software-as-a-Service (SaaS) data loss event.
In many cases, they may not recover at all. Similarly, if a business has chosen the local storage option, then on premises hardware failure, natural disaster, or ransomware lockout can also render their data impossible to restore.
Either way, with cybersecurity concerns on the rise, business leaders simply can’t afford to think a data disaster won’t happen to them.
Now let’s look at the business data typically most at risk and ways to make it safe.
What type of data is most at risk?
On premises data
This refers to the data stored on local hardware: servers, desktops, laptops, and other devices kept on site.
This data is not in the cloud. Depending on the design of the IT infrastructure, this could be a large or small portion of a business’s total data that needs protecting. Typical risk factors include those common to all physical assets: fires, floods, breakdowns and break-ins.
Making the situation worse is a lack of adequate backup and recovery options for on premises data, and the need for users to be trained how to save data properly. These risk factors make keeping on premises servers an increasingly unpopular approach, replaced by increasingly secure virtual servers.
Cloud virtual servers and SaaS platforms
Cloud virtual servers store business data off premises, in the cloud. While there are many security benefits to cloud storage solutions, they need to be protected just as much as on premises hardware.
Whether it is a company’s own virtual server or one from a SaaS provider, there is a common misconception that they are constantly backed up and therefore unable to fail. In fact, around a third of SaaS users report losing data in the cloud.
The big SaaS providers like Google G Suite, Dropbox, and Salesforce do have the very best security and recovery capabilities. However, they are concerned with recovering their own resources, and make vague/weak promises regarding their users’ data. It’s therefore impossible to rely on these companies to protect their users’ business continuity: Virtual servers and SaaS platform data must be backed up.
According to one data protection research group, there are four main risk factors for cloud/SaaS data:
- Cybercrime: Around half of all data loss is the result of hacking, specifically phishing/ransomware attacks which lock users out of their data until they pay a ransom.
- Malicious action: This is intentional deletion or theft of data by unhappy employees or industrial espionage.
- Synchronisation: Businesses today typically use different software services for their HR, accounting, CRM, and other daily processes. Keeping data updated and consistent across these SaaS platforms is a challenge, and synchronisation errors can result in data loss.
- Human error: Accidentally deleting messages, documents, files, or entire accounts is incredibly common and can permanently erase the data.
Microsoft 365 data
Microsoft is a SaaS provider, but due to the popularity and all-encompassing nature of Microsoft 365, it deserves its own category.
As mentioned earlier, Microsoft themselves recommend a third party backup provider within their environment. The infrastructure of Microsoft 365 (formerly called Office 365) is not unified, meaning each application’s backup capabilities and practices vary. As many unhappy users have discovered, restoring data from Microsoft usually does not work.
Earlier we saw the relatively simple issue of recycle bins only keeping data for 93 days. On the 94th day, or if those bins have been emptied at any time, the data is gone. The very serious implication is that this is true for the crucial SharePoint and OneDrive storage platforms which facilitate collaboration between Microsoft 365 applications. For dedicated applications like Excel, PowerPoint, and Word, and multi-function tools like Teams, most data is stored in SharePoint or OneDrive, so the above risk factors apply.
OneDrive does offer a ‘restore’ feature, promising to return the application to any point in the previous 30 days. However, this is not as promising as it seems, because the action will delete all changes made during this period, even those the user wishes to keep. And anything prior to 30 days is unreachable.
Regarding email in Microsoft 365, the Exchange Online server keeps deleted items for only 14 days by default, expandable to 30 days. A quick online search will return countless calls for help from people trying to retrieve accidentally deleted emails from beyond these time frames.
Note: In Microsoft’s defence, it should be noted that they are constantly working to upgrade the security and data protection capabilities of Microsoft 365, so by the time you read this some of these issues may be less severe.
Now we’re going to discuss how to protect your data and your business.
Protect, recover, and resume operations
The key takeaway from all of this is that for a business trying to protect its data, and by extension its survival, success requires vigilance and a serious time investment into understanding risk.
If they do not constantly monitor and backup their data across multiple servers, platforms, and applications, there is a significant risk of data loss. And if some or all of their backups are successfully recovered, they need to know how to use the data to restore their processes correctly, as quickly as possible.
For businesses attempting DIY business continuity, here are some best practices for data backup and recovery:
- Make multiple copies of data in different locations, combining offline, online in the cloud, and through external third-party applications.
- Develop the ability to have complete restoration of any data item, from a point in time appropriate to the changing nature and criticality of the data.
- Create clearly defined data management policies and train staff on where and how to store personal and business data.
Once backup and recovery practices are in place, the business can be confident its data is always protected and available.
Next, they need to know they can get back in operation after a data loss event or downtime. There needs to be a plan for resuming operations after an interruption – protocols for the order of restoring data, and the order of restarting processes.
This business continuity plan must be documented and meet the specific needs of the business, including the RPO and RTO recovery objectives explained above. There may also be parameters set by industry or regulatory bodies.
There are several ways to arrive at a solid business continuity solution. The DIY approach is for those willing and able to invest the resources in research and training. Business continuity services are available, but vary in quality and completeness. They are discussed in the following section.
For both approaches, let’s take a look at some typical strong and weak data management practices, relating to risk:
| High risk | Average risk | Low risk |
|---|---|---|
| On premises backup to consumer-grade hard drive | Network attached storage (NAS) device | Business class backup server |
| On premises backup only, no off site redundancy | Backups on premises and at an IT service provider’s facility | On premises and business class cloud backup data center |
| No backup archive, unable to go back in time for restoration | One backup conducted nightly | Backup frequency based on the amount of change in the data being backed up |
| No written data protection plan | Basic general backup and recovery process documented | Complete and customised documented business continuity plan, with maximum acceptable amount of data loss and maximum tolerable amount of time needed to bring all systems back online after a data failure (RPO and RTO) |
| On premises backup of raw data, file only backup | File restoration available, but no full server image restoration options | Full server image backups able to immediately recover systems onto a redundant backup server, new hardware or virtual cloud server |
| “Self-service” backup and recovery, no support availabl | Help desk ticket submission available, but no SLA recovery response plan times stated | Full active support desk adhering to critical SLA recover plan times |
| No person responsible for backup monitoring, reporting, and troubleshooting | Backup system installed by an IT service provider, but no proactive testing or ongoing management | Regularly scheduled engineer who reviews, tests, and documents backup and restoration capabilities |
| No active backup testing of files and systems | File and system restoration based on user requests | Regularly scheduled on premises and cloud backup restoration testing |
Business continuity services
A solid business continuity service will typically apply three core approaches.
The first is using hybrid data security – keeping multiple copies of data in different locations offline and in the cloud. Backup frequency is defined by the client’s RPO and RTO requirements, and includes complete server image backups. This gives the ability to restore any data item, from almost any point in time.
The second approach is to prioritise Microsoft 365 and other SaaS platform backups. Cloud computing services will only increase in popularity, given their ability to reduce or eliminate on premises maintenance costs and deliver enterprise-grade technologies to smaller businesses. Backing up data from SaaS platforms will give complete control to the user and ensure quick and complete return to operations if disaster strikes.
Finally, business continuity requires recovery planning, a defined process for bringing all systems back online. Roles and responsibilities will be defined and all stakeholders trained. It is essential that this plan is regularly tested.
Contact us for a data protection consultation
If you are new to business continuity, rest assured – Assembly is not.
We have been creating custom backup, recovery, and return-to-business solutions for over a decade.
We will start by taking a look at your current preparedness, then provide a customised plan for backing up and recovering each of your business-critical processes. This plan will include training for your staff and regular testing by our engineers. The results will ensure the resilience of your business.
Assembly’s business continuity covers all bases.
It entails a complete implementation of data security best practices and ongoing processes to backup ALL your business data, whether it be onsite, in the cloud, or as part of software. In the event of a disaster, it provides a step-by-step, turnkey recovery that brings everything back exactly how you left it.
How is your organisation prioritising business continuity in 2021?
Talk to one of our team today to learn more about our capabilities; how we’re bringing people, business and technology together; and what this means for you.
