What is a good backup strategy for my business?

Backup is a vital part of any organisation’s IT strategy.

It is not always obvious how important it is. When all your data is available and there when you need it, backup is often overlooked.

This is a red flag – because when you need it you REALLY need it. When assessing the risks to your business from an IT perspective, I typically ask this question.

“Complete the sentence: working backwards from a disaster where all my company’s hardware has been lost/stolen or destroyed (a fire, for example), I can get all of my data back because…”

Having a strategy in place that has been agreed by stakeholders and decision-makers, that has been assessed for the risk to the business, and that has been documented is the route to data assurance.

A word about the Cloud. Having your data stored in the cloud (via OneDrive or Dropbox, for example) can give a false sense of security. Certainly, having data in folders on a Mac or PC which are synced to a cloud service means that the data is being stored in two places, but, to be clear, this is not backup. Because this is such an important point, I will say it again: the cloud is not a backup. Just because you work with a cloud-synced data service, the data in the cloud-based service is NOT immune to deletion or, worse still, malicious encryption due to ransomware. For sure, some services such as Google Drive or OneDrive keep deleted files for a set time period (typically 30 days). However, after this time has elapsed, the data is gone. Microsoft et al. don’t provide backup for your data: this is your responsibility.

Step one: What data is there?

Before you can even begin to confidently back up all your key data, you need to know what the data is and where it resides now. It may just be on a server, on your computer or even in a cloud location such as SharePoint or Google Drive. When you are in a company setting, you need to identify and enumerate all the data in the business, not just the data that you are responsible for.

It may be worthwhile documenting the various data sources. For example, does everyone use the same data storage as you? Does one area of the business have their own data storage system? Do your accounts team store their backups in a different system than yours?

Step two: What is current practice?

Once you have identified all the various data “silos”, the next question is what is being backed up right now? What is the system? Typically, there may be some data which is regularly backed up on a schedule – perhaps a weekly backup to a USB disk. For each backup type, ask yourself this question: “If I needed to get something from backup for this system, what are the steps I would take?” Now is the time to tyre-kick or stress test this backup. Would my existing backup routine get me out of a jam in the event of a data loss? The idea is to identify the backup routine you have in place and ask whether the system is acceptable.

For example, if you only back up your data once per week, this means that you could potentially lose 6 days of work as the weekly backup routine does not back up again until the 7th day. At this point, we suggest that the organisation must assess the risk of this data loss. Some companies may accept this risk. Perhaps the data can be recreated without an enormous amount of effort. Others may realise that the lost data is irreplaceable or may take an unacceptably long time to recreate. The answers to these questions will allow you to begin to make more informed decisions about your backup strategy moving forward.

Step three: What does a good backup strategy look like?

Now that you know what you have and what is important, you can start to identify how your data should be backed up.

The “3-2-1” rule. The 3-2-1 rule stipulates that a good backup strategy includes three copies of your data, on two media formats, with one copy offsite.

As a simple example, imagine that your business runs on Microsoft. Each user has a Microsoft 365 account to store their own work data and collaborates with the rest of the company on SharePoint.

A sensible approach could be the following.

  1. A local USB disk is plugged into the computer at the end of each day and a local backup is made. (Copy One).
  2. The data itself also lives online in OneDrive and SharePoint. (Copy Two).
  3. The Microsoft data is, in turn, backed up to a third-party cloud backup system. (Copy Three).

The advantages here are that you have a local copy of the backup on a USB disk and a separate cloud backup outside Microsoft. This means that you have really stored your data in separate locations giving you a high probability of retrieving all data.
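
The checks from steps one to three can be run over a written data inventory. The following Python is an added example, not part of the original article: the inventory entries, the `Copy` fields, the daily interval given to the third-party backup and the `accepted_gap_days` tolerance are all constructed assumptions. It counts copies the way the list above does, and flags sources that rely on synced data alone.

```python
from dataclasses import dataclass

@dataclass
class Copy:
    name: str
    medium: str             # e.g. "usb-disk", "cloud", "internal-disk"
    offsite: bool
    live: bool = False      # True for working or synced data, which is not a backup
    interval_days: int = 0  # days between backup runs (ignored for live copies)

def audit(copies, accepted_gap_days):
    """Return 3-2-1 findings for one data source; an empty list means it passes."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c.medium for c in copies}) < 2:
        findings.append("fewer than two media formats")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    backups = [c for c in copies if not c.live]
    if not backups:
        findings.append("live/synced data only, no backup")
    elif min(c.interval_days for c in backups) > accepted_gap_days:
        findings.append("backup interval exceeds accepted gap")
    return findings

# Constructed inventory (the output of step one), not data from the article.
INVENTORY = {
    "Microsoft 365 files": [
        Copy("USB disk, end of day", "usb-disk", offsite=False, interval_days=1),
        Copy("OneDrive/SharePoint", "cloud", offsite=True, live=True),
        Copy("third-party cloud backup", "cloud", offsite=True, interval_days=1),
    ],
    "Accounts server": [
        Copy("server disk", "internal-disk", offsite=False, live=True),
        Copy("weekly USB disk", "usb-disk", offsite=False, interval_days=7),
    ],
    "Synced PC folder": [
        Copy("PC folder", "internal-disk", offsite=False, live=True),
        Copy("OneDrive sync", "cloud", offsite=True, live=True),
    ],
}

def report(accepted_gap_days=1):
    """Audit every source against the gap the business has agreed to accept."""
    return {src: audit(copies, accepted_gap_days) for src, copies in INVENTORY.items()}

if __name__ == "__main__":
    for source, findings in report().items():
        print(f"{source}: {'OK' if not findings else '; '.join(findings)}")
```

Raising `accepted_gap_days` to 7 clears the interval finding for the weekly USB routine, which is the risk-acceptance decision described in step two; the missing offsite copy remains.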