I recently read a LinkedIN thread posted by an IT supplier in our region regarding a small business customer who had baulked at the cost quoted for an off-site back up.

Well, nothing new there, you might think, it is not necessarily uncommon for business owners to be surprised at the cost of IT solutions; it’s also sometimes difficult to visualise the cost/benefit of a product that doesn’t (on the face of it) generate any financial gain for the organisation.

What surprised me most was the next comment allegedly made by the client (paraphrased), “We’ve got a £40 version, although it doesn’t work very well if at all.”

A back up solution that either doesn’t work, or works intermittently is about as much use as an internet-connected chocolate teapot. It is also potentially very dangerous, as it engenders a false sense of security in the ability of the business to recover operations in the event of a disaster.

* – Not actual chocolate

I thought I’d jot down a few thoughts about back ups; why they are vital to your business, and what you need to consider when choosing your back up strategy.

What is a back up?

A back up is a copy of your critical data that can be used to restore functionality to your business following a critical incident. Note that is very different from saying “all” your data. You may decide that there are certain portions of your data that you can live without following recovery from a critical incident, and for reasons of cost and speed of recovery, you might choose to only back up certain core data. For similar reasons, you might choose to back up certain portions of your data more frequently than others.

Why do I need a back up?

Although I tend to talk about back ups from a cyber security perspective, for example as a mitigation against ransomware, when properly deployed they also protect against a number of other threats such as accidental modification/deletion (user error) or environmental (fire, flood). 

Consider your business. Imagine a critical incident in which you are no longer able to access any of your data. How long do you think your business can continue to function without that data? (This is a measure, known as “Maximum Tolerable Downtime” (MTD) – once you pass MTD, the business is at serious risk of total collapse). If you need even the smallest slice of that data to continue (be it customer information, accounts information), then you need a back up.

You will be looking to recover from an incident as best you can, as soon as possible and certainly before you reach the MTD. This goal is known as the “Recovery Time Objective” (RTO). It may be that your data is recoverable through other means – for example, data storage damaged by fire <might> be accessible through use of a specialist recovery agent (this is likely to be extremely expensive!) – but how long will it take? Having a properly deployed back up provides you with the most efficient and quickest means to get back on your feet, and allows you to strategize around known parameters – for example, you will likely know how long it will take to restore your data.

You’ll also be trying to get things back to normal having lost as little data as possible. This is known as the “Recovery Point Objective” (RPO) and is measured in time. Your RPO should be set according to how much data your organisation can recover from losing. (You’ll note that I earlier described back ups as a <mitigation> against ransomware – they are NOT a complete remedy. You are still going to lose whatever data has been added or modified since your last back up.) If your business could no longer function if it lost one days’ worth of processed data, then your RPO needs to be less than one day.

Imagine your business is a mountaineer making a treacherous climb. If you slip and fall, you need your support ropes to catch you before you hit the bottom. How far you’re prepared to fall before you stop is represented by the length of your support rope (your RPO) – and don’t forget you’ll have to start climbing again from this position to get back to where you were. Of course, if you don’t have support ropes…. well, I guess that brings a whole new meaning to Business Impact Analysis.

What are the main back up strategies?

As we just mentioned, setting your Recovery Point Objective (RPO) is a key part of your back up strategy – it can save you from a rough landing. You’ll need to identify what data needs to be backed up, and how much (in terms of hours of processed data) you can afford to lose. You’ll also need to have considered your Recovery Time Objective (RTO) – the time it takes to get your systems up and running again. Having considered these two factors, you’re in a position to choose from these basic back up strategies:

Full: You perform a complete back up of all critical data at a frequency to suit your RPO (hourly, daily, weekly). Because you always have a “full” back up, you only need to do one phase to restore the data. Therefore, this system provides you with the fastest RTO, but it also takes longer to perform each back up. Files/network resources might be inaccessible while the back up is being performed.

Differential: You perform a full back up less frequently (say weekly), and then a differential back up at a frequency to suit your RPO (for example daily). A differential back up is a copy of all data that has been added or modified since the last FULL back up. This system reduces the amount of time spent backing up the data considerably, but you now need to complete two phases to restore (last full back up plus last differential back up) so your RTO is longer.

Incremental: You perform a full back up less frequently (say weekly) and then an incremental back up at a frequency to suit your RPO (for example daily). An incremental back up is a copy of all data that has been added or modified since the last INCREMENTAL back up. This system reduces amount of time backing up data still further, but you may now need to complete several restore phases (last full back up plus all incremental backups made since) and therefore this system typically provides the longest RTO. For example, if you do weekly full backups on a Friday evening with daily evening incremental back ups and you have an incident on Tuesday morning, your restore phases will be – FRI (FULL) + SAT (INC) + SUN (INC) + MON (INC).

What type of back up media should I use?

The key factors to consider with back up systems are reliability and integrity. You need to be assured that your back up system will work, and also that the data held is what you expect. The other factor you need to consider is confidentiality – is the data on your back up as (or more) secure than it is on your network?

There are several different types of back up, and I will mention a few of the key considerations involved with each.

Removable media: You can perform your own back ups locally onto removable storage; this could be a USB stick, or the legacy magnetic tape systems which are starting to make a comeback. When using removable media, you’re going to need to think about where and how you’re going to store it. It needs to be stored securely both physically and digitally; you’ll need to secure the device to protect against theft (for example in a safe with audited access) and you’ll also need to secure the data (perhaps by encrypting the back up).

In a GDPR world, if you’re encrypting personal (PII) data at rest on your network, but don’t encrypt it on your back ups, you’ve created a vulnerability! You need to consider the geographical location also; if your back up is stored on site with your business and you suffer a fire, you’ve still lost all your data (or at least immediate access to it if you happen to have a fire proof safe). You should store your back ups at a separate location to your business. How far away might depend on where you operate – if for example your business is in a region prone to flooding, you might want to store your back ups outside the danger zone so that one incident cannot affect both your live data site and your back up data site.

You also need to consider the reliability and operating life of the media itself – consider replacing media after a certain number of back ups, and adhere to any storage or maintenance advice from the manufacturer (for example magnetic tape stored for some time might require occasional spooling from end to end to ensure the tape doesn’t stick together). Don’t use the same device/tape for all your back ups, even if it has excess storage to your back up requirement. By doing so you introduce a single point of failure, either through breakdown or by all data on the device being vulnerable to attack while back up is being performed. So, for example, if you are using the “Full” back up strategy on tape, you might have a total of seven (7) tapes, one for each day of the week, and then overwrite them (Monday tape gets overwritten every Monday and so on).

Network Attached Storage (NAS): The name suggests that it might be housed on-site in a small business, and for reasons we addressed above, that’s a bad idea. Even if not co-located, the suggestion remains that a permanent link exists – this provides a pathway for malware to spread, or an intruder to access and compromise your back up. If it is disconnected from the network (air gapped) when not performing the back up function, you’ll need to consider reliability (perhaps setting the disks in a suitable RAID configuration to introduce fault tolerance) and if it is a single system, how other back ups in your sequence are protected from compromise during a back up procedure. Again, don’t forget digital security of any personal (PII) data at rest.

Cloud: It is now possible to back up to the cloud, where the service may very well be delivered by a third party. This is possibly the most convenient once deployed, arguably the safest, but may be the most expensive. It’s also vital that you don’t make the age old mistake of thinking that by deploying a cloud solution, it’s “IT’s problem”. Whilst you may very well have paid good money for a service, you still “own” the data, which makes YOU responsible for it, and for ensuring that your service provider treats it with appropriate care. You’ll need to consider similar factors as above, but with significant additional details: for example, you need to know geographical location for environmental security but you’ll also need some assurance of the physical security of the data – <how> is it stored? What are the access controls? Is it encrypted? And then there’s the legislative aspect – in a GDPR world, you’ll need to not only consider whether your supplier is storing your personal (PII) data back up in a country that is not GDPR compliant, or indeed storing THEIR back up of your back up in such a place! Have you got the user consent required to hand PII data to a third party for back up purposes? If you cease using the service or the supplier stops trading, how is the data disposed of, and how can you access it in an emergency? How is the data transported to the Cloud? You’ve got to consider the security of the data in transit this time – it may have to cross the internet to reach the storage location – have you got all the correct protocols, services and resources in place at BOTH ends of the connection to ensure secure transmission? It is a combination of all these additional organisational factors that make Cloud perhaps a bit more daunting, maybe a bit more expensive, but nevertheless if deployed properly it is likely to be the most secure and convenient, and therefore worth the money.

And finally….

In terms of cost benefit, your back up can literally be the difference between your business staying afloat or folding. There is unlikely to be a single better investment for your organisation in terms of resilience. With cyber-attacks on business growing year on year, working on the assumption that “it’ll never happen to me” is becoming an increasingly improbable assertion. Over 50 % of small businesses fold within 6 months of a cyber attack.

Hopefully I’ve managed to convince you of the importance of having a back up, and some factors to consider when creating your strategy.

Most important of all though: once you’ve set up your back up system, test it regularly! An untested back up is a second disaster waiting to add itself to a first. Having invested in the system, you don’t want to find yourself in the middle of a critical incident for your business, only to find your back ups don’t work.