Click to learn more about author Mat Hamlin.
13,443,149,623 and counting – that’s the number of data records that have been lost or stolen since 2013. We are living in a world where a new cybersecurity breach happens every day. Attack vectors such as ransomware and malware continue to become more sophisticated, and internal threats resulting from both human error and malicious attackers add more variables to an already complicated threat landscape. As a result, it’s crucial that enterprises take their data into their own hands and protect it.
Plan and Prepare
The first step to prepare is ensuring you have backups in place that you can trust. A crucial component to keep in mind here is that a backup is only as good as its ability to help you restore and recover from a data loss event. To prepare for the likelihood that such an event occurs, organizations need to periodically test their ability to recover from backups.
Being unprepared to back up and restore after data loss poses a tangible, measurable risk to an organization’s ability to continue business operations. By following planning guidelines, asking the right questions and knowing what challenges lie ahead, the right plan for your company will take shape and help to prepare for, and protect against, the inevitability of data loss events.
Preparation needs a foundation. Knowing what backup and recovery look like for your organization requires the following:
- Require results: You can’t test your ability to recover if you don’t know what success looks like. Talk to the technical, business and compliance constituents in your organization and ensure everyone is in agreement on the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for each classification of system or data type.
- Document recovery procedures: For each system, you must have a well-documented procedure and list of tasks that describe exactly what needs to be accomplished after a data loss event. This includes the physical recovery steps and also the responsibility chain, communications plan, and post-recovery impact analysis.
- Build a test plan: Once you understand what you need to accomplish and how to do it, it’s time to test. Build a test plan that includes scheduled and unscheduled verification of backups, procedures and your ability to recover. A great way to perform end-to-end testing is by pretending you’ve been hacked. Establish a red team/blue team exercise: have the red team describe and execute a data loss event of their choosing, then measure the blue team’s ability to recover within the parameters of the required results.
To strengthen the foundation of your backup and recovery testing plan, ask your team the following questions to prepare a testing schedule and to establish the required recovery expectations of your organization.
- What kind of data or system is being protected?
- How important is it to your business?
- What is the impact of not being able to access the system or data?
- How long is too long to be down?
- What’s the impact if the data is permanently lost?
The frequency of testing should align with the importance of the system or data being protected, balanced against your level of confidence in meeting the required results. Additionally, you must involve your compliance and legal teams and understand whether there are documented internal or external governance controls that you must prove you comply with.
Remember also, as your organization moves systems and data from on-premises to Cloud services (IaaS, PaaS, SaaS), it’s your responsibility to meet the recovery requirements, as the compliance requirements of the business do not change. For example, if you have RTO and RPO requirements for CRM data and contracts, those do not change if you move from Siebel to Salesforce. The methods and people involved with recovery will be different, so adapt your test plans and execute them.
Focus on Your Ability to Recover
The biggest mistake organizations make when creating their backup testing plan is that they focus on verification of backups instead of their ability to recover in line with the requirements of the business. More often than not, companies focus on backups (what can be backed up, how often, how fast and to what granularity) instead of focusing on the recovery abilities that align with each data loss use case. That’s the wrong focus: it’s not important to test backups; it’s important that you test restores.
Protecting critical data today is a top concern of IT leaders, especially as sophisticated attack vectors continue to mature and introduce new threats to enterprises. Having backups in place to secure data is a great starting point, but beyond this, it’s crucial to test your organization’s ability to restore and recover. You can do this by identifying what the results should look like following a restore, by documenting recovery procedures so that you know immediately what needs to be accomplished after a data loss event, and by having a test plan in place that helps you run data loss “fire drills” within the organization. The number of data records that have been lost or stolen only continues to increase, so make it your priority that critical data from your organization not be added to this running count.