Data Protection

Tactical Advice for SMBs on Data Protection, Backups and Disaster Recovery

We live in a dangerous world. Cyberattacks such as ransomware, malware, and phishing threats put your mission-critical data and devices at risk. So do disasters, whether they be human-caused (both malevolent and unintentional) or natural. Data that is not properly protected, backed up and recoverable, is a serious – and sometimes existential – problem for businesses of all sizes, not just enterprises.

When many people think about data protection, they assume hackers are involved. But hackers are not the only looming threats of a human nature. According to a 2020 Verizon data breach investigation report, 34% of data breaches involved internal actors.

Then there’s Mother Nature. Extreme weather and natural events such as earthquakes can lead to floods, power failures, and other issues that can damage and destroy computing equipment and the data within them.

Small and Medium Size Businesses Need Data Protection as Much as Enterprises Do

Specific to SMBs, a recent study from cybersecurity company Bullguard showed that 43% of U.S. and U.K. SMB owners had no cybersecurity defense plan, and one in five use no endpoint security at all. One of the growing threats, ransomware, is wreaking havoc on SMBs. An Infrascale survey from April reported that ransomware attacks have hit 46% of SMBs, and 73% of those SMBs that have been the targets of ransomware attacks actually have paid a ransom.

The above statistics are sobering, to say the least. Effective cyber attacks can cause SMBs to go out of business. Beyond the financial implications, there is the threat of data loss (or theft, as the case may be). Any size business without its critical data (e.g., customer records, financial information) can’t function properly. That’s where data backup and disaster recovery (BDR) protection come into play.

Before we go too far, however, let’s first define the key terms.

Data protection is a broad topic that encompasses everything involved with safeguarding your data from threats internal and external. These threats include data corruption, hacker and other malevolent actor attacks and data corruption.

Technologies that protect data include: backup and data recovery (BDR), encryption, malware/antivirus detection, firewall, and data classification, among others.

Let’s tackle BDR by component. The Backup piece refers to the secondary copies of your data. Depending on the backup provider, these copies may exist in the cloud, as a hybrid cloud deployment, on local servers, disk drives, flash storage, or even magnetic tape for the old school crowd.

Disaster Recovery (DR) refers to the ability to get the data – and the processes that operate on the data – up and running, as to continue business operations. DR tools and processes are designed to mitigate the downtime and data loss caused by server crashes, human error, ransomware attacks, or natural disasters. DR is a continued thought from backup, as focusing on copies of data (backup) alone is sometimes insufficient. You must also have the operations of that data restored to resume normal business productivity. Disasters of any variety – and the data loss resulting from them – are a looming threat for your business. Having the right data protection solution is imperative.

Data protection tips

Data, as the now-clichéd statement goes, is the new oil. And just think about how well a physical oil supply is protected! You should be just as diligent with protecting your data, no matter your company’s size or data volume. Here are some tips:

  • Educating your end users how to identify, avoid and report data threats is the most important opportunity an organization has to protect its data. By teaching them to identify and avoid threats – in addition to patching and updating your software applications – you are depriving malevolent actors from the opportunity to compromise your data. And you should be doing all three to give yourself the best chance of preventing threats.
  • Assess your data landscape. The first rule of data protection is to know all about the ecosystem of the data you are protecting. This involves knowing what data you have; where it is; and how it’s used, with what frequency, and by whom in your organization.
  • Take into account the fact that your data exists both inside and outside the walls of your physical business. Specifically, this means in one or more clouds and on the endpoints in use by employees – who are increasingly dispersed in light of the COVID-19 work-from-home environment. Appropriately identifying data location will enable you to understand how best to institute the appropriate protections – such as encryption, multi-factor authentication (MFA), and endpoint detection and response (EDR) – to safeguard it.
  • Enact Preventative Measures. In the case of ransomware and malware – installed via end-user actions such as clicking malicious links in spam or phishing emails or on compromised websites – this means staying ahead of the game with standard antivirus tools, firewalls, application updates, and education!
  • Reinforce with Endpoint Detection and Response. EDR is a way to supplement antivirus software (see above), which bad actors can circumvent with complex attacks. EDR solutions are purpose-built to look for behavior that is known to lead to cyberattacks and alert administrators and/or end users. This approach requires continuous monitoring and immediate responses to detected threats.

Backup and Disaster Recovery tips

Data loss IS a disaster. It leads to frustrated customers, client churn, loss of productivity, and lost sales. In fact, 40% of enterprises say that just one hour of downtime costs their business at least $1 million and as much as $5 million. And research from IBM and the Ponemon Institute’s The Cost of Insider Threats Global Report 2020 found that companies with less than 500 employees spend an average of just under $8 million per incident. SMBs are only different in the dollar amounts, not the amount of pain inflicted on the business. Here are some tips to avoid this digital type of disaster:

  • Create a backup and disaster recovery plan. A disaster recovery plan is the “playbook” of processes and activities, invoking backup and disaster recovery services and their interaction with your data and servers, that will enable you to stay up and running in the event of a disaster.
  • Establish your recovery point objective (RPO) and acceptable recovery time objective (RTO). RPO is the maximum period of time allowed in which data might be lost and unrecoverable (think time between backups). RTO is the maximum period of time allowed in a disaster recovery plan between when critical network functions cease and when they are restored (i.e., when data and data operations are recovered to acceptable operating conditions). Ensure your DR technology choices support the performance that your business responsiveness requires.
  • Ensure that your employees know that a backup and recovery plan exists! Provide details of the plan to those individuals at your organization who will need to take action on the plan. Train them. Practice.
  • Stay current and informed. Be sure to keep your data protection tech stack up-to-date (or patched) so that all systems can deflect the most common attacks. This means updating antivirus definitions, application versions, and backup software. Leveraging DR solutions that automatically verifies that your data backup is working (and reports to you when it’s broken) is critical!
  • Don’t put all your data in one place. If a natural or manmade event negatively impacts one part of your IT environment in a given geography and leads to data loss, it may have the same effect on another part of your IT environment. So, even though you have backed up your data, the backup can be lost as well. To avoid this scenario, keep your data backup in a different location from the data you’re currently using for operations. Specifically:
    • Ideally, these locations should be in two separate geographies. For example, if your business is in an earthquake zone, consider putting your data backup outside that zone.
    • The cloud is an effective place to back up your data. You can rely entirely on the cloud for disaster recovery, or you can keep your spin-up capabilities local and the backup only in the cloud. Also, leveraging cloud-based disaster-recovery-as-a-service (DRaaS) offerings from a managed service provider (MSP) can remove the burden of handling disaster recovery on your own.
  • Test your disaster recovery plan on a regular basis. This approach will help you iron out any wrinkles related to data disaster recovery. You may want to test your data protection backup and recovery strategy at various times and from different angles. To do this, conduct regular, random tests in which you simulate an event that would call for data disaster recovery and access your on-premises backup or data protection online backup.

Data protection will never go out of style

To summarize, yes – there are many, many things that can go wrong with your data.

The good news is that even as threats to data protection become ever more complex and numerous, there are solutions and strategies available today to prevent, mitigate and fight them. You can’t go wrong planning for the worst and implementing the actionable steps described in this post. Data protection is our mission – so we can say with confidence and experience that these tips are battle-tested, and they work!