Accidents happen. You could get stung by a jellyfish while on holiday and miss out on some quality snorkelling time while you recover. But what if it was your business being stung by something, the kind of debilitating neurotoxin that chokes the business and threatens its very existence?
That sounds very dramatic, I agree, but in reality it needs to. The prospect of a crippling event, by accident or by design (an attack), is something that should be taken very seriously.
The average business of today relies heavily on a multitude of information systems, from simple email services and documents stored on a desktop through to application servers running ERP systems and Accounting Software. If any one of these systems became compromised in some way, the impact on the business would be very real.
That all sounds very scary, but what can you do? The risk is the risk, right? We just accept it and hope it never happens to us.
Protecting your business does not have to be rocket science. But there is no silver bullet. Just like avoiding a jellyfish, you could stay out of the ocean but the parallel to that is staying out of business, not exactly viable. You need to take the steps that are right for your line of business, for the risks that are real to you and would have a material impact on your business. Let's look at a few different examples:
Loss of internet connection: Most businesses will find a way to cope with lost connectivity to some degree; a fibre cut can be mitigated with an alternative route to the internet, wireless or similar. But there still needs to be a plan. What happens to in-house systems that rely on out-of-house systems (email tends to be the first)? What should staff do, and what are the procedures to ensure chaos does not ensue, particularly if the phone system is also delivered via the data connection (VoIP/SIP)?
You can always tether off your phone and keep working, right? How well does that scale? Do all 120 of your staff have this capability? How does your ERP system 'tether' to the internet?
Loss of data: Whether by accident, through negligence or by a malicious act, the loss of data can be crippling to a business. Billing records, customer data, staff records, warehouse inventory data, formulas and other trade secrets that make up the intellectual property from which your business derives value. When this data no longer exists it can be difficult, even impossible, to continue trading. The obvious solution is to back up the data. This, however, opens a plethora of questions before the backups can be considered useful...
How often does the data change, so how often should the data be backed up?
Where do we store the backups? On-site means we can access them quickly so recovery can be relatively fast. But what if the loss included all on-site copies through some disaster like a fire or major electrical fault?
If the backups are off-site, how quickly can we get the data back? For example, even if you have a 1Gbps connection, 5TB of data will still take more than 12 hours to transfer. Can your business go without the data for more than 12 hours?
The backup process itself poses several questions, for the most part solved by some simple maths that starts with two variables: RPO and RTO.
RPO - Recovery Point Objective. If we rewind the clock, how much data can you miss? E.g. if the business determines that the loss of 15 minutes of data is acceptable then your RPO is 15 minutes.
An RPO of 15 minutes means you need to protect your data every 15 minutes. If you have 10GB of new data generated in any given 15 minute period then you have 10GB of data to protect. This is the incremental: the changed data that, when added to your original (existing) backup, will produce a point-in-time snapshot of all data.
RTO - Return To Operation. How long from failure to restoration of service? E.g. if the business determines that services must be restored within 2 hours then your RTO is 2 hours.
An RTO of 2 hours means you need to have the service operational within 2 hours and that could involve any number of tasks and processes. It could be simply restoring a single file that was corrupted, rebuilding a VM that crashed and failed to boot or it could mean ordering new hardware and renting a new building to put it in.
Now the maths... If you need to back up 10GB in 15 minutes but it takes 23 minutes to extract that data and transfer it to the backup storage, you cannot achieve the RPO. You must always be able to complete the backup before the next backup runs, therefore you must be able to complete a backup within the RPO in order to achieve the RPO. There are some edge cases where this can be done in parallel processes but generally it is not possible.
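The RPO maths above and the earlier off-site transfer question can be checked against a real backup job history. The following is an added example, not part of the original article: the job log is constructed sample data, the function names are hypothetical, and the 0.9 link efficiency and the rule that a recovery point is dated at the start of a successful job are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample job log: start, end, bytes copied, status.
JOB_LOG = """\
2024-05-01T09:00 2024-05-01T09:11 10000000000 ok
2024-05-01T09:15 2024-05-01T09:38 10000000000 ok
2024-05-01T09:45 2024-05-01T09:56 9000000000 ok
2024-05-01T10:00 2024-05-01T10:04 2000000000 failed
2024-05-01T10:15 2024-05-01T10:27 11000000000 ok
"""

def parse_jobs(text):
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, size, status = line.split()
        jobs.append({"start": datetime.fromisoformat(start),
                     "end": datetime.fromisoformat(end),
                     "bytes": int(size), "ok": status == "ok"})
    return jobs

def rpo_violations(jobs, rpo):
    """Return (overruns, gaps): jobs that ran longer than the RPO, and spans
    between usable recovery points that are longer than the RPO."""
    overruns = [j for j in jobs if j["end"] - j["start"] > rpo]
    # Assumption: a recovery point is dated at the start of a successful job.
    points = sorted(j["start"] for j in jobs if j["ok"])
    gaps = [(a, b) for a, b in zip(points, points[1:]) if b - a > rpo]
    return overruns, gaps

def restore_hours(total_bytes, link_bps, efficiency=0.9):
    """Hours to pull total_bytes back over the link; efficiency is an assumed
    allowance for protocol overhead and contention."""
    return total_bytes * 8 / (link_bps * efficiency) / 3600

def meets_rto(total_bytes, link_bps, rto, fixed_steps=timedelta(0)):
    """fixed_steps covers non-transfer work (rebuild, verify) before service is back."""
    transfer = timedelta(hours=restore_hours(total_bytes, link_bps))
    return transfer + fixed_steps <= rto

if __name__ == "__main__":
    overruns, gaps = rpo_violations(parse_jobs(JOB_LOG), timedelta(minutes=15))
    for j in overruns:
        print("overrun:", j["start"], "took", j["end"] - j["start"])
    for a, b in gaps:
        print("gap:", a, "->", b, "=", b - a)
    print("5TB over 1Gbps: %.1f h" % restore_hours(5e12, 1e9))
```

In the sample log the 23 minute job causes the 09:30 slot to be skipped, and the failed 10:00 job leaves a second 30 minute gap, so a failed or slow job shows up as a missed RPO even though later jobs succeed.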
The RPO and RTO equation is of specific relevance in the age of cryptolocker ransom attacks. If you can quickly and easily return to a point of normal operation then you have successfully mitigated the impact of having all your files encrypted and locked.
Scale and Cost
Then there is the scale and cost of all this backup data. Do you really need it all? Do you actually know what all your backup data is comprised of and how relevant it is six months or five years from now? Too many businesses simply elect to store everything, forever. Taking the approach of just keeping everything is why there is such a thing as a 100GB Office 365 mailbox now, a ludicrous amount of 'email' per person and an irrational approach to information archive.
What to do?
Your business not only needs a backup strategy and a disaster recovery plan, but also a rational data retention policy. All three of these need to be dynamic, as alive and adaptive as your business. Your data changes daily, your needs will change frequently too.
If you do not have in-house expertise to create and manage this, enlist the help of your IT support company or cloud services provider. They will help you determine what is best for your business and ideally present options for you to consider. Take the time and weigh up the cost of *not* doing something just as much as the cost of doing it.