Today marks World Backup Day 2023, a chance for all organisations large and small to reflect and assess their levels of preparedness against data loss, be it accidental or through malicious intervention. As the business world becomes ever more digitised, having a data backup and business continuity protocol in place is no longer optional for organisations – it’s non-negotiable. In today’s article marking the occasion we explore and help define some of the common terminology you will frequently find when discussing the topic.

Firstly, before delving into the specifics we must define the basics.

 

What is Data Backup?

Data backup involves implementing procedures, processes and solutions that systematically create a copy of the data on your infrastructure, which can be used to recover that data if the original is lost, stolen or otherwise corrupted. Data backup is a cornerstone of any organisation’s cybersecurity strategy and should feature prominently in its Business Continuity and Disaster Recovery (BCDR) planning. As part of the overall cybersecurity structure, data backup simply cannot be ignored.

At Datapac, when we engage in strategic cybersecurity road mapping with our customers, we always strongly recommend the layered approach, which combines several security products, including industry-leading firewalls, endpoint detection and response (EDR) services, web and email filtering solutions and more, to offer the best defence. However, if an attacker manages to bypass these stringent layers of defence, no matter how unlikely, and launches a ransomware attack that renders business-critical files and data inaccessible, the capacity to quickly and effectively restore data and operations from a recent backup is the best recourse an organisation can have.

Another, more likely scenario in which organisations may need to rely on their data backup is the failure of core compute and storage hardware. Having a reliable data backup and recovery solution in place to tide an organisation over until the issue can be remedied or the hardware replaced offers tremendous peace of mind.

 

Data loss and theft are more common in an Irish context than many think. In a survey of small to medium-sized business owners that Datapac conducted in conjunction with our internationally leading data backup partner Datto, it was found that 40% of organisations had permanently lost business-critical data.

 

The Golden Rule: 3-2-1

As you begin to learn more about data backup solutions, it will very quickly become evident that not all solutions are created equal. The golden 3-2-1 rule of data backup and recovery has long been held as an industry standard for data backup strategies and solutions. Put simply, the rule states that, to be effective, a data backup and recovery strategy needs at least three copies of the data, on at least two forms of media, with a minimum of one copy held in a secure offsite location.

It’s one thing to outline what the rule is; it’s also important to explain why a data backup strategy should align with it. Adopting technology solutions and services that adhere to the golden rule greatly helps to ensure that there is no single point of failure. This means that an organisation can rest assured that even if one copy of the data becomes corrupted or otherwise inaccessible, they are still covered.

According to the results of our survey, 4 in 10 SMEs in Ireland don’t hold at least one data copy in a secure offsite location. By not adhering to the principle these organisations are not only compromising the integrity of their data backup and recovery strategy but also their cybersecurity position as a whole.

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

RTO and RPO are two terms that are vital to consider when selecting an appropriate data backup and recovery solution to integrate as part of your organisation’s BCDR approach.

Recovery Time Objective (RTO)

This refers to the duration of time it should take to restore applications and systems after an outage. This is typically measured from the time the outage actually occurs, rather than from the time the IT team starts working on resolving the issue; after all, it is when the outage happens that an organisation’s customers and employees will begin to be impacted.

When establishing RTO, organisations need to carefully consider how much downtime they can realistically afford, as well as the steps and operational groups that need to be involved in the restoration process. In looking at the results of the survey, just under half (48%) of Irish SMEs reported that they would lose an entire workday (a minimum of 8 hours) if they lost mission critical data, with almost 1 in 10 reporting it would take up to a week for them to recover.

Recovery Point Objective (RPO)

This refers to the maximum amount of data, which is measured in time, that can be lost after an outage, disaster or other comparable incident before that data loss exceeds acceptable limits to an organisation. It is very important for organisations to have a defined RPO in their BCDR planning and this metric will often impact the data backup and recovery solution or service which is implemented. RPO determines the maximum age of the data held in the backup solution required to be able to meet the objective specified should failure occur.

It’s important for organisations to select a solution which allows them to achieve the lowest RPO possible, that is, minutes and hours rather than days or even weeks. This all comes down to the regularity and granularity with which backups can be created. For example, if an organisation performs a data backup of business-critical data once every 24 hours and a failure occurs on the 23rd hour of that cycle, this amounts to an entire day’s worth of critical data lost.

According to the results of our survey, 72% of Irish SMEs only back up their data once per week or less frequently, with a quarter only performing backups monthly. Depending on when in the month a disaster strikes, these organisations risk losing up to an entire month of critical data.
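Both the 3-2-1 rule and the RPO definition above can be checked mechanically against a backup catalogue. The Python below is an added example, not code from Datapac or Datto; the record fields, sample copies and timestamps are constructed, and it assumes the primary copy counts towards the three.

```python
from datetime import datetime, timedelta

def check_321(copies):
    """Return the 3-2-1 violations for a list of data copies (empty list = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"{len(copies)} copies, need at least 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append(f"{len(media)} media type(s), need at least 2")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")
    return problems

def worst_case_loss(backup_times, now):
    """Longest window of data at risk: the largest gap between consecutive
    successful backups, counting the gap from the newest backup to `now`."""
    if not backup_times:
        return timedelta.max  # nothing to restore from
    points = sorted(backup_times) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def meets_rpo(backup_times, now, rpo):
    """True when no gap between restore points exceeds the RPO."""
    return worst_case_loss(backup_times, now) <= rpo

# Constructed sample data (field names are assumptions for this example).
ONSITE_ONLY = [
    {"name": "primary", "media": "disk", "offsite": False},
    {"name": "nas", "media": "disk", "offsite": False},
]
WITH_CLOUD = ONSITE_ONLY + [
    {"name": "cloud", "media": "object-storage", "offsite": True},
]

# Nightly job at 01:00; the 29 March run failed, so it left no restore point.
NIGHTLY = [datetime(2023, 3, d, 1, 0) for d in (27, 28, 30, 31)]
NOW = datetime(2023, 3, 31, 9, 0)

if __name__ == "__main__":
    print("onsite only:", check_321(ONSITE_ONLY))
    print("with cloud: ", check_321(WITH_CLOUD))
    print("worst-case loss:", worst_case_loss(NIGHTLY, NOW))
    print("meets 24h RPO:", meets_rpo(NIGHTLY, NOW, timedelta(hours=24)))
```

A single failed nightly job doubles the exposure window to 48 hours, so a 24-hour schedule only delivers a 24-hour RPO if every run is confirmed to have succeeded.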

 

Disaster Recovery (DR) testing

It’s possible for an organisation to be doing everything right from a data backup and recovery perspective – on paper. However, the very worst time to find out that the selected data backup solution doesn’t meet the set requirements is during a live event when vital information and data are on the line. This is why it is so important for organisations to perform regular disaster recovery tests to measure actual performance against set objectives. Doing these tests once per quarter is a good benchmark; however, as with everything related to data backup and recovery, the greater the frequency the better.

In examining the results of our survey, it was found that nearly 8 in 10 (77%) of Irish SMEs perform tests three times per year or less, with almost a fifth (18%) only testing once per year.

 

SaaS solutions and data backup misconceptions

SaaS, or Software-as-a-Service solutions, such as Microsoft 365, are now virtually ubiquitous. At Datapac we’ve witnessed a sharp rise in demand for these services over the past number of years. Initially this demand was driven in no small part through the imposition of remote working strategies resulting from the initial pandemic lockdowns. However, as many organisations got their first taste of the many benefits SaaS brings – enhanced flexibility, adaptability, and a predictable payment schedule to name but a few – they began expanding their SaaS usage further, leveraging the benefits as a key driver for digital transformation.

Very few will argue against the benefits of SaaS; however, it’s important for organisations to realise that just because their data is held in the cloud doesn’t mean that it doesn’t need to be backed up by a third-party solution. The results of our survey revealed misconceptions about how long providers typically hold backups of data in their SaaS applications. While it can vary depending on the provider, 30 days is generally a good rule of thumb; however, 95% of respondents believed that data was held for longer, while over a quarter (28%) believed that their data would be held for longer than a year.

Many SaaS application providers operate under what’s known as a shared responsibility model, whereby the onus is on them to provide a stable, functional and secure platform while the responsibility of securing data backups lies with the individual users. Organisations typically see the value of backing up data created and held in their on-premise storage solutions; anything held in the cloud needs to be treated the same way.

The consequences of permanent loss of critical company data

The consequences of permanently losing critical company data are varied and can be highly detrimental for organisations. These can include but aren’t limited to:

Reduced business growth 

An organisation’s growth can become impacted, both directly through the loss of critical data itself and through lost opportunities as potential customers seek the services of a competitor while the organisation is experiencing downtime.

Reputational damage

This can have long-lasting ramifications for an organisation. Customers may be less willing to trust their data to an organisation that has suffered a data-loss incident, be it through accidental deletion, hardware failure or malicious cybercriminal intrusion.

Regulatory consequences

Since 2018, organisations operating within the EU must comply with the General Data Protection Regulation (GDPR). Among other considerations, organisations acting in the capacity of data controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Any organisation which holds customer data electronically faces the potential risk of data loss and so is responsible for implementing a suitable data backup and recovery solution.

Business closure

Depending on the severity and duration of a data loss incident and the associated downtime, it is a very real concern that organisations could go out of business as a consequence of an event occurring. Referring to the results of our survey, over a quarter (26%) of respondents listed business closure as a likely impact to their organisation from permanently losing critical company data.

 

We hope you found this article to be a useful tool and reference point. Should you have any further questions, Datapac as a Datto Blue Diamond partner are positioned to provide the expert guidance your organisation needs on its data continuity journey.
