With seemingly omnipresent cyber threats, data protection and recovery have never been more critical for every business. Here are seven things to consider when evaluating your data protection and recovery strategies and plans.
- Respect the threats:
Unlike traditional street crime, cybercrime is unseen and anonymous. As such, it’s psychologically tempting to dismiss the threat, to convince yourself that it won’t happen to your company. But data protection begins with a wide-eyed embrace of the fact that the danger is all too real—and no company is immune. The scale of the problem speaks for itself: Cybercrime is now a 10 trillion dollar business globally—and growing year over year.
Another mental state to be wary of is breach fatigue, which opinion writers at ComputerWeekly describe as “the desensitization caused by the relentless volume of cyber-attacks and data breaches. ” This fatigue “leads to stakeholder apathy, employee complacency, and reduced consumer trust, making it harder to prioritize critical threats and secure necessary funding.”
Of course, the other threat to your data is disaster-driven: fires, floods, tornadoes, and other disasters that can physically destroy your on-site data and systems. It’s easy to dismiss these threats as unlikely until your company must deal with the aftermath.
- Beware a false sense of security.
Some mistakenly assume that data in the cloud is automatically backed up. Not necessarily. Your data in the cloud may be sitting in a glorified locker that no one is checking or prepared to repair if it is compromised. (Refer to your service agreement for more details.)
Microsoft Office 365 data is also not fully protected. If a bad actor modifies or deletes your data, Microsoft doesn’t necessarily have a way to retrieve it.
Of course, no matter your data protections, there’s always some risk as cyber criminals grow smarter and craftier by the day. At Emerge, we’re fond of saying that some unwanted intrusion into your data isn’t so much a matter of if but when.
- Follow the 3-2-2 Rule
We are big proponents of the National Institute of Science & Technology’s Data Governance and Preservation Standards; we follow an interpretation of this standard called the 3-2-2 Rule:- Maintain at least 3 copies of your backed-up data to avoid a single point of failure.
- Store the copies on at least 2 different media (e.g., disk, tape, NAS, etc.) because hardware sometimes fails.
- Keep 2 copies offsite, one in the cloud and one in a different physical location from where your other backup(s) is stored. This redundancy provides extra protection and peace of mind.
The 3-2-2 Rule is a solid, fundamental practice we encourage all companies to embrace.
- Carefully consider how much and how often to back up.
You must craft data retention policies that align with your business model and its continuity needs. Retaining too much—or not enough—data in a logical format that you can access and use at the end of an event can be problematic.
Put another way, you probably don’t need to retain seven years of data; on the other hand, you likely need more than two weeks’ worth. (In some cases, regulatory requirements dictate how much data needs to be retained.)
As for frequency, do you need data backed up every 15 minutes, or is daily adequate? Again, the nature of your business and its reliance on data will determine what’s best.
The volume of data and the frequency at which it is backed up influence the cost of data protection. The more data and the greater frequency you back up, the higher the costs.
- Embrace immutability.
When data is immutable, it cannot be changed or deleted. While new information can be added, the older information can’t be written over. You can think of these as “read-only” files, and they provide an extra layer of protection since they make it more complicated for bad actors to delete or manipulate your data.
Something to keep in mind is that should you make, say, a year’s worth of data immutable, it will sit on your servers for a year as there will be no means to delete it before that year is up.
- Think through recovery details.
Sometimes, so much focus is placed on data backup that the post-breach recovery element—what’s referred to as the “right of boom”—gets short shrift. The critical questions are just how much data you need and how fast you need it, and the answers will vary from company to company. These details impact your IT budget because the more data you need and the faster you need it, the more it will cost.
There are two key considerations: Restore Point Objective (RPO) and Restore Time Objective (RTO).
RPO refers to the point in the past from which you need to restore your data to maintain business continuity. Do you need to restore data from 15 minutes ago? Six hours ago? A day ago? The lower your RPO, the more frequent the backups, which increases the cost.
RTO is the time it takes to restore your data if it is compromised. For some companies, every minute equates to unacceptable lost revenue and reputational damage. For others, waiting a day or two, while inconvenient, is acceptable. The faster the recovery time, the larger the required budget.
Near-production storage, like disk drives, is a pricier option. However, it can be ready to boot servers within minutes, and everyone can be connected, and issues can be worked out within an hour or two.
If your recovery point is more extended, you’re probably accepting of a longer recovery time and can rely on a lower price commercially available storage array. In these cases, you can typically access critical data within a few hours, but full recovery time runs about two to three days.
- Monitor, update, and test.
Monitoring for threats is critical to data protection because the sooner you realize something is amiss, the more likely a bad outcome can be avoided or minimized.
Regarding data back-ups and recovery, you can’t “set it and forget it.” You must regularly review your data retention policies, infrastructure, and security posture. For optimum protection, every relevant software and hardware update should be executed asap.
In addition, it’s good practice to imagine your data has been compromised and see how quickly you execute your Incident Response Plan. This exercise will clarify how speedily you can spin up new servers and access the necessary data and applications. Regular testing provides peace of mind, and your team has experience running through the essential drills efficiently and effectively in the event of an incident.
Following the above tips will help ensure that your data is adequately protected and recoverable should bad actors manage to infiltrate. Contact Emerge today for help crafting and implementing your data protection and recovery strategies. This is a significant focus of ours, and we’re eager to share our expertise and experience with you.