Backups are an essential part of any IT strategy. If you don’t have them, getting them needs to become your top priority. Right now!
Even if you do have backups in place, will they get you out of trouble if the worst happens? It’s easy to assume everything that is important is being backed up, is being kept for long enough, and can be restored quickly enough, but you know what they say about assumptions.
It used to be that everything of importance was stored on the server in the corner of the office, so backing that up was all that was necessary, but times have changed. As we use the cloud for more and more, we need to ask who is responsible for looking after all that data. And it’s not who you think it is. Most of the time it is you.
If you use Microsoft 365 then all your email is in the cloud. Maybe you use OneDrive to store your files. What about Teams for keeping documents and discussions together? Microsoft isn’t contractually responsible for protecting any of that data.
Any backup strategy should start by identifying all your information assets to ensure everything of value is being protected.
Most of the time you need the most recent version of any data, but what happens if you find an important document was deleted 6 weeks ago but you only keep backups for 30 days?
In an ideal world you would keep your backups forever, then nothing would be lost, but the space needed (and therefore the cost) to do that would quickly add up.
Determining the retention policy for your backups is a business decision, and should take into account many factors, including any regulations for your industry.
There are two key variables associated with backups which every business owner should be aware of: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). They may sound really technical but they are actually quite simple, and knowing what they are for your backups can help you decide if they are fit for purpose.
The RPO is a measure of how far you need to go back when you recover a backup. If your data is backed up every night then the worst-case scenario is that you lose an entire day of data. For some businesses that may be acceptable, others may need more frequent backups to ensure less data is lost.
The RTO tells you how long it would take to recover a backup. You might assume it only takes a few minutes to restore a backup, but depending on the amount of data and where it is stored, it could potentially take days to recover.
Ideally you would have a low RPO and RTO for all your backups, but reducing these values often involves increasing the cost of the backups, so it is important to find the values which work for you.
The total of both RPO and RTO is a measure of the lost productivity (if you lose a day’s data, and it takes you a further day to get back up and running, you have lost 2 days’ work in total). In some cases you may be able to tolerate being unable to work as long as you don’t lose any data (i.e. a low RPO is most important). For other organisations getting back up and running quickly is the priority, even if data is lost (i.e. a low RTO is most important).
The reality is that you likely have different priorities for different systems across your organisation, which is why it is essential your backups are configured to meet your business needs.
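To check whether existing backups actually meet these targets, the added example below (not part of the original article) measures the achieved RPO from a list of backup timestamps, estimates RTO from data size and restore speed, and tests whether a file deleted six weeks ago is still recoverable under 30-day retention. The function names, timestamps, data size and throughput are all constructed assumptions.

```python
from datetime import datetime, timedelta

def worst_case_rpo(backup_times, now):
    """Largest window of data that could be lost: the longest gap between
    consecutive successful backups, counting the gap from the last one to now."""
    points = sorted(backup_times) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def estimated_rto(data_gb, restore_mb_per_s):
    """Transfer time for a full restore at an assumed sustained throughput."""
    return timedelta(seconds=data_gb * 1024 / restore_mb_per_s)

def can_restore(deleted_at, backup_times, now, retention):
    """True if a backup taken before the deletion is still within retention."""
    cutoff = now - retention
    return any(cutoff <= t < deleted_at for t in backup_times)

def audit(backup_times, now, rpo_target, rto_target, data_gb, restore_mb_per_s):
    """Compare achieved RPO and estimated RTO against the business targets."""
    rpo = worst_case_rpo(backup_times, now)
    rto = estimated_rto(data_gb, restore_mb_per_s)
    return {"rpo": rpo, "rpo_ok": rpo <= rpo_target,
            "rto": rto, "rto_ok": rto <= rto_target,
            "total_loss": rpo + rto}

# Constructed sample: nightly 01:00 backups for 30 nights, one job failed.
NOW = datetime(2024, 3, 31, 17, 0)
BACKUPS = [NOW.replace(hour=1) - timedelta(days=d) for d in range(30)]
BACKUPS.remove(datetime(2024, 3, 20, 1, 0))  # the missed night

if __name__ == "__main__":
    # Targets of one day each; 4000 GB restored at an assumed 20 MB/s.
    report = audit(BACKUPS, NOW, timedelta(days=1), timedelta(days=1),
                   data_gb=4000, restore_mb_per_s=20)
    for key, value in report.items():
        print(f"{key}: {value}")
    six_weeks_ago = NOW - timedelta(weeks=6)
    print("restorable:",
          can_restore(six_weeks_ago, BACKUPS, NOW, timedelta(days=30)))
```

A single failed nightly job doubles the achieved RPO to two days, which is why the check uses the real backup history rather than the configured schedule.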