The down & dirty guide on developing a backup strategy

People who run small businesses have a huge number of tasks to attend to every day, from hiring decisions to customer service to budget reviews. So, preparing for data loss can get lost in the shuffle.

After all, the notion that your company could lose all of its data might seem far-fetched, especially if you have defensive security precautions like antivirus software in place. You might conclude that your time is better spent focusing on products, services and day-to-day management duties.

However, data loss afflicts companies of all sizes, including those that seem secure. And, once your customer, employee or business information is compromised or lost, restoring it can be nearly impossible. Daily operations and transactions can immediately come to a standstill, and you could go out of business in a short period. In other words, disaster planning is critical.

There are quite a few scenarios that can lead to data loss, so understanding the most common ones is an important first step. Let’s look at a few.

Physical server destruction

A natural disaster like an earthquake or hurricane could demolish your server environment, wiping out your data in the process. Furthermore, even without a natural disaster, the building it’s located in could suffer a fire, flooding or roof collapse, damaging the hardware that carries your critical files and systems.


Ransomware is becoming more and more common. When malware strikes a company’s digital infrastructure, it encrypts all of its data, rendering that material unusable. To get the perpetrators to unencrypt the data, the business must pay a sizable ransom, most likely with a cryptocurrency. Even if the payment is made, however, there is no guarantee the criminals will make good on restoring the seized data.

Errors and malfunctions

Employee error is a major cause of data loss. It’s all too easy for a worker, especially someone who’s tired or whose mind is elsewhere, to accidentally delete or overwrite a crucial file. A staff member could also physically damage a file by, say, spilling coffee on a laptop, exposing a machine to a power surge, or dropping an important computer.
In addition, hardware can fail. Software can be corrupted. A system could crash. The power could go out before a certain file is saved. Even if you ultimately recovered your data after such an event, you’d still have to face a costly stretch of downtime.

Choosing a data backup strategy

With all of these dangers lurking, it’s good business practice to develop a data backup plan as soon as possible. Your backup data could be stored in the cloud, a vast system of secure virtual servers. And, as you’re sending your private information to the cloud, it can be encrypted to prevent outsiders from viewing it en route.

Another possibility is copying your data to onsite hard drives, which would remain locked in a climate-controlled, restricted-access storage facility. This option is economical and makes your data easily accessible, but you’d still have to worry about a natural disaster or other calamity striking your storage unit.

Of course, you don’t have to choose between these courses of action. The best strategy is to ensure redundant backups across different locations and methods, including the cloud and a secondary, on-premises server. Depending on your priorities and needs, you can update your approach based on latest trends in backup.

Moreover, you needn’t make this decision on your own. Instead, IT managed service providers can analyze your network and your business needs, walk you through your various options, ensure that your disaster plans don’t have any major flaws and help you determine the best backup solution for your company.

In the end, there are many reasons to develop a strategy for data backup, including regulatory compliance and simple peace of mind. The information you collect and curate over time makes all of your business operations possible. No entrepreneur should ever have to discover that, in an instant, it’s all disappeared.

Disaster recovery drill best practices (2019 edition)

A disaster recovery plan (DRP) is a great way to stay proactive about your data security. But a DRP is no good unless you test it—you have to make sure it actually works, after all.
There are some things you can do during your drill to ensure you get results—good or bad—that are reliable. The goal is to test whether the plan is effective as drafted or if something specific needs to be changed to improve it.
There are a lot of factors in play with a DRP, so it pays to be methodical.

Define your goals

First, before you conduct a test, you should define your goals.
We’re not talking about goals like “Have the server back up in 20 minutes.” For the tests they will be more like “How good are communications between departments?” or “How does stress make the IT team interact with each other?”
Your goal is to answer those questions, whatever they may be. Strategic questions that give you an idea of how prepared you really are. You want to test different variables to see how they influence your DRP’s execution.
Your IT crew will be trying to get the server up quickly, but you’ll be observing their performance through the lens of “communication.” Do they ask for help when they need it? Do they keep the other departments in the loop? Can they document what they’ve done and what worked?
You need to think of all the angles that could cause problems and test for each one.

Related: 7 typical disaster recovery plan mistakes (and how to fix them)

Get the team together

This may seem like a no-brainer but get the team together and on the same page.
If anyone is out of the loop, it creates a point where communication could break down. If everyone is on the same page from the beginning, everything will run more smoothly.
You may also want to include backup personnel, just so that they have an idea of what they are supposed to do. Running a disaster recovery plan 100% from the documentation can be difficult even without the pressure that a disaster provides.

Run different types of tests

There are all kinds of tests to you run, ranging from a simple conversation walking team members through the process to a fully simulated disaster.
Don’t rely on just one kind of test. You want a variety.
This is important because it will give you a more well-rounded idea of how your DRP  will actually function. Sometimes what makes sense in one test doesn’t make sense in the another. Or what the technicians might do to provide a hasty fix might violate compliance regulation.
You can use the culmination of all that data to make your DRP as solid as possible.

Related: Disaster recovery testing: A vital part of the DR plan

Run tests often

If it’s been more than a year since you’ve run a test, do you know if it’s still applicable? How much could change in your company in a year? Or six months? In one month?
You don’t have to test every day, but decide on an interval that makes sense based on how you do business and how often your network configuration, staff, tech tools and compliance requirements change.

Take good notes

Good documentation of these tests is a must. Not only will it help you remember what exactly happened when, but it will help anyone else who reviews the test see the results, which keeps everyone on the same page.

Post-test assessment

Of course, you want to take any new insights learned during testing into account to make your disaster recovery plan better. Valuable data does no good for anyone just sitting in a drawer.
This is especially important when things go wrong during a test.
If the downtime is double what was expected or if a new aspect comes up that no one saw before, then it is important to determine what caused the holdup and how you can overcome it in the future.
What if the disaster that you’ve been planning for happens tomorrow?

In conclusion

Communication is paramount.
Whether that means meetings with the team or solid documentation. A good DRP drill should be about setting everyone up for success so you’re well prepared for whatever the future holds.
We’ve covered a lot of ground, but everything really just boils down to the scientific method: Ask a question, perform a test, observe the results, refine your understanding.
Disaster recovery is a lot like science in many ways, so treat it like science. Reach out to experts in the field and ask for guidance if you need it.

Microsoft doesn’t back up your Office 365 files

Microsoft Office 365 opens up a whole new world of collaboration and document sharing for small and mid-sized businesses (SMBs). However, it doesn’t, of itself, provide sufficient backup to protect your critical data. 58% of SMB’s across the US aren’t prepared for data loss—an alarming statistic, given that 60% of SMB’s who lose data shut down within 6 months.
Below, we break down why backing up data is so important and why Microsoft Office 365 isn’t sufficient for your data protection needs.

What is backup?

When you back up data, you make a copy of the data or the data files. This can be a physical copy, such as copying files to a USB drive, or a virtual copy, such as a cloud-based program.
Backing up your data means, if original data is damaged, lost, or breached in any way, you still have access to the original files.

Why you should back up your data

In business, you should always prepare for the unexpected. You need to minimize downtime and protect your business activity. That’s where backup comes in.
A data backup strategy is critical to any SMB’s disaster recovery plan. Without backing up data, you risk:

Loss of productivity and falling behind on timelines

Whenever you lose files or data, employees can’t get their work done. This may mean wasted time for you and your employees. It could also mean disappointing customers who are relying on you to complete a job.

Profit losses

if you’re spending more time rebuilding, repairing, or locating lost files, you’re not moving your business forward. Backing up data keeps your business moving in the right direction.

Damage to your brand and reputation

This is especially worrying if you lose files because of a data or security breach. When customers lose faith in you, it’s difficult to earn this trust back—especially as an SMB. Show you take both your customers and your business seriously by backing up your data.

Costly downtime and wasted resources

Smaller businesses struggle to recover from prolonged downtime, which all too often leads to wasted resources. Backup systems prevent or mitigate this lost time.
Don’t waste time redoing work and hunting down files for an audit. Get a proper backup strategy now.

Why Office 365 is insufficient for your backup needs

While many of us assume that Microsoft Office 365 protects and backs up our data, this is not strictly true.
There’s a big difference between the responsibility we have for properly backing up and securing our data and the responsibility held by Microsoft. Although the data protection policies for Microsoft Office 365 are more thorough than earlier policies, Microsoft doesn’t guarantee quick data retrieval—or complete data recovery.
By relying entirely on Office 365, there’s a real risk you won’t recover all of your data and that you’ll still experience lengthy downtime.
Cloud-based computing is safe, but that doesn’t mean it’s infallible.

Why you need a specific Office 365 backup solution

When you’re using Office 365, you’re likely sending, amending, and creating documents all the time. You need a comprehensive, reliable, and efficient way to back up all this changing data before it’s put at risk on the cloud.
What’s more, if one file in your Office 365 suite is compromised through, for example, a security breach or human error, it may affect multiple files across your business.
Having a separate backup system, completely removed from Office 365, is the best way to select the files you want to replace and ensure you never lose more files than necessary.

7 typical disaster recovery plan mistakes (and how to fix them)

A disaster recovery plan is just one step in an approach to keeping your business running well. Cyberthreats aren’t going away and new threats emerge all the time. Complete data protection requires a robust plan that includes everything from backup and disaster recovery to business continuity.

If you’re serious about crafting a disaster recovery plan that will protect your business, there are some common mistakes you’ll want to avoid. Here are 7 pitfalls we see businesses get sidelined by on a regular basis—and how you can overcome them.

1. Not having a plan at all

The only thing worse than a disaster is a disaster you’re totally unprepared for. If disaster recovery is totally new for you, don’t sweat it. Start by reading our guide to completing a disaster recovery plan.

2. Not clearly noting who is responsible for what

It’s natural to focus your data recovery plan on the data, itself, including the hardware and cloud storage you depend on. But what will keep your business going is your people.

If you have a managed IT services provider, they can certainly help, but it’s not all on them. That’s because this is about your business.

For each step of data recovery, you need to know who will be affected and who will be responsible. Consider management, employees, departments and sometimes even customers.

3. Not having a plan for communication (internally & externally)

An easy mistake to make is assigning roles for each task but not considering how people will be notified of the step in the process.

Your communication plan can take many forms, from modern solutions like mass notification through SMS messages to an old-fashioned phone tree. The specific tools you use doesn’t matter nearly as much as having a clearly-outlined plan well in advance.

Make sure everyone in your organization, as well as your managed IT services provider, is included and informed.

4. Not identifying critical processes

It’s easy to get stuck in the weeds. You know the systems you use, as well as the pitfalls and obstacles associated with each. But don’t forget the goal: business continuity.

Everything you do isn’t critical. Evaluate each process your company relies on and ask yourself what will happen if each of these processes goes offline. Having taken into account the risk associated with each process, decide which processes absolutely have to stay up and running.

Those are your critical processes. Your business continuity plan should focus on maintaining them.

5. Not having key buy-in

Disaster recovery plans affect the whole business. Because that’s true, it’s important to keep leadership in the loop about the plans and the risks.

If you’re not sure where to start, consider checking out this resource: 4 cybersecurity facts your company’s leadership team should know.

But don’t stop with the leadership. From there, make sure that everyone in the organization knows what your business continuity plan is and why it matters.

6. Not monitoring, testing & updating

A good disaster recovery plan is active.

You should be monitoring and testing. Monitoring your network will make you aware of potential issues before they have a chance to take your network offline. Proactive in testing also helps to identify potential, as well as giving you a better picture of overall risk. And system updates mitigate vulnerabilities and ensure functionality.

As your system updates, don’t forget to update your recovery plan to match your newly patched system.

7. Not mitigating risk

Disaster recovery isn’t just about preparing an inevitable emergency. It’s also about mitigating negative impact whenever possible.

A recent example of the power of mitigation is the MyHeritage breach over the summer. It affected a massive 92 million customers. But through smart, thoughtful systems design and preparation, the damage was minimal. MyHeritage didn’t store passwords directly, but rather in a one-way hash unique to each user. As a result, the breach did not actually compromise the passwords. Further, they didn’t store personal information (like credit card numbers or family tree information) that they didn’t need to maintain.

This kind of thorough, thoughtful systems approach lowered their overall risk well ahead of time. The breach they experienced could have been devastating. But their strategy turned it into a relatively minor inconvenience rather than a true emergency.

Why does your business need a proper backup policy?

Backing up your business information is as crucial as conducting daily business itself. Which is why you need a solid backup strategy.

With a proper backup policy, you can secure all your business data—files, documents, client and customer correspondence, and in-house or remote team communications.

No matter which industry or sector you serve, proper backup is pivotal. Data loss can seriously cripple a business of any size. A good backup strategy is the best way to avoid losing essential information due to systems failures, security breaches or plain old human error.

What can a network backup do for my company?

There are several benefits of having a backup policy for your business.

  • Any kind of data loss incident hurts. But when all your business data is backed up, you can bounce back quickly.
  • Data backups tend to lessen the impact and length of downtime. The less downtime you experience, the more you can get done . . . and the more profitable you are.
  • Backups often save you and your staff from duplicate work. Even if it’s easy to rebuild that report, do you really want to waste the time?
  • You’ll be prepared if you ever have to work through an audit or even annually when you complete your business tax preparations.

Ultimately, a well-developed backup strategy serves to protect your business by protecting your company data. That impacts your organizational efficiency, your cybersecurity and even your reputation.

Granted, the best case scenario is to never actually need your data backup. But the moment you need it, you’ll be so glad it’s there.

Related: How big data is changing the game for backup and recovery

How important are backups for my new business?

Occasionally, new SMB owners feel the need for backup isn’t as pressing. After all, there’s not as much data. A backup strategy can feel like something you can take care of later.

We strongly advise against waiting.

Network backups are of paramount importance. It’s far better to backup all your company data from the very beginning.

And if your SMB has been around awhile, it’s just as important to stay on top of backups. Don’t make the mistake of thinking that just because you haven’t needed a backup yet, you won’t need one in the future.

All about human error

Network backup plays an instrumental role in reducing human error. Think about it. How many times have you, yourself, accidentally deleted the wrong thing? Now imagine the potential for impact if the same thing happened at the network level.

Read about how backups saved Toy Story 2

Human error is a real factor. It will be for the foreseeable future. Data backups are perhaps the best way to insulate your company from the risks of human error.

Automated the process

Automation is big in the IT industry for good reason. Automation makes repetitive tasks easy, routine and consistent. It’s perfect for backup.

As you work with your managed IT services provider to set up your custom backup strategy, make sure the process is automatic. Manually saving all network files to an additional hard drive is not a thorough backup process.

Automatically backing up all files to a secure cloud server, on the other hand, is.

A word about the cloud

The cloud is a convenient location for network backups—if it’s a good fit for your business. Be sure to think through this from all possible angles. You’ll need to take the following into account:

  • The level of security provided by your cloud vendor. This is a good thing to think about for all cloud solutions—backup and otherwise.
  • Any regulatory requirements for your industry. If your cloud provider doesn’t meet your industry’s compliance guidelines for security, for example, then the cloud may not be an option.
  • How quickly do you need to be able to access backups? Cloud backups typically take a little longer to access than local backups.
  • Scalability options with your cloud vendor. If your company grows, can you easily add space?

If cloud backups aren’t an option for your business, you can back up everything locally. In some cases, this is actually preferable. We recommend a thorough, strategic conversation with an IT consultant if you’re not entirely sure which is the best fit for you.

3-2-1 Backup Rules Best Practices

Companies that backup to tape as their offsite backup often aren’t aware of what recovering from tape looks like until they unfortunately have to live through it. Depending on the nature of the failure and the extent of the data involved, that type of recovery can take days to restore “business as usual” functionality.

Image result for 3-2-1 backup rule

What Backup Is… and What It Isn’t

Data backups are critical for data protection and recovery, but they should not be a substitute for other important parts of your IT strategy:
$1,000 Free Cloud Connect Services

  • Backup is for data protection and targeted item recovery:
    It is not for archive. Archives ideally will be indexed for search, have a managed retention policy, and will be stored on less expensive storage mediums.
  • It is not for disaster recovery. It is nearly impossible to test a full environment recovery scenario when relying on this method. It will often require 100% more equipment overhead to have the empty equipment in standby, equipment not providing any usefulness or return on investment
  • It is not a failover solution. Recovery times with this method should be measured in weeks, not hours.

Snapshots are not backup:

  • Snapshots can be used as one part of a backup strategy, but provide no protection on their own in scenarios where the storage devices have failed or are no longer available
  • Snapshots are usually not very granular and are commonly the recovery method of last resort
  • Snapshots are not disaster recovery on their own, only a part of a comprehensive plan

The untested data recovery plan is both useless and a waste of time to create:

  • Make time for testing, it will always be worth it.
  • Do not let the single point of failure be a human, involve many members of the team in the process so that when the time comes to execute your plan it does not have to wait for the only one who knows how.

Free White Paper

Could a network assessment have saved Southwest from major downtime?

Southwest Airlines has been having a pretty turbulent few weeks. First, starting on July 20, the organization had one of the largest IT outages ever to affect a major airline. Now, two unions associated with the company are demanding that CEO Gary Kelly step down or be fired, according to David Koenig of The Tribune of San Luis Obispo.

Although it was originally estimated that the downtime cost as little as $5 million, one Southwest representative stated that it’s most likely going to be “into the tens of millions.” With so much money being lost to a technical failure, the question remains: How did this happen, and was it preventable?

One router started all the trouble

Koenig reported that all of these IT issues stemmed from a single router. Basically, this piece of equipment failed in an unpredictable way, which eventually led to other systems being knocked offline. Southwest is keeping specific details about this undisclosed, but the scale of this particular outage suggests that the network associated with this router was not properly set up.

“Companies need multiple points of failure to accommodate for a singular outage.”

As their name implies, these devices route information to their intended destinations. Data generally is bounced between multiple locations before arriving where it’s being sent. Generally, this means you have multiple points of failure to accommodate for a singular outage. If it’s true that one router’s downing caused this event, then Southwest most likely had a poorly engineered network. FlightStats stated that around 8,000 flights were affected in this incident, and a single router simply should not have the ability to affect that many planes.

The conclusion to be made here is that Southwest should have tested its network more rigorously. Network assessments are incredibly important in order to determine weak points within a particular IT system, such as how one router could be made accountable for thousands of flights. Simple tests such as these could have easily uncovered this point of failure, allowing Southwest to take actions to mitigate the risks of such a catastrophic outage.

Network assessments can prevent more than downtime

Although downtime is certainly something businesses should work to avoid, it isn’t the only problem that network assessments can unveil. These tests also help companies determine their preparedness in terms of cybersecurity. Perhaps the best recent example of this is the massive heist levied against Bangladesh Bank.

At its most basic, hackers gained access to a global banking system and basically tricked financial institutions into sending money to fraudulent accounts. When all was said and done, the criminals involved in this got away with $81 million, according to Serajul Quadir of Reuters. After some investigation, it was discovered that the bank was relying on $10 network switches for the banking system. On top of that, Bangladesh Bank had no firewall protecting private financial data.

This is one of the biggest heists in history. Hackers got away with millions from Bangladesh Bank.

IT companies are generally surprised to hear when small businesses don’t have firewalls, so the thought of a multi-billion dollar corporation lacking these most basic of cybersecurity tools is simply mind-boggling. To top this off, the heist could have been so much worse. The criminals were originally trying to get closer to $1 billion dollars, but their plans were foiled when they accidentally misspelled the name of a financial institution.

Simple mistakes such as those made by Bangladesh Bank are exactly what network assessments are designed to catch. IT employees at these organizations often need to focus on keeping systems running, and cybersecurity can sometimes take a backseat. As this incident shows, this can often have disastrous results, and companies need to be aware of the consequences of letting something like this go under the radar.

Let ISG Technology help preserve your company’s image

Clearly, missing even the smallest detail in your network’s setup could seriously affect both your company’s finances and its client-facing image. No one wants to put their money in a bank that can’t keep it safe, and consumers certainly don’t want to spend money on an airline that has a history of leaving passengers stranded. As such, it might be time to have your company’s IT infrastructure checked out by an experienced professional.

ISG Technology’s experts have spent years investigating and solving some of the most complex network problems out there, and we can help make sure your company’s name isn’t dragged through the mud. If you’d like to find out how you can benefit from a free consultation, contact one of our representatives today.

Schedule Your Free Consultation with ISG

White Paper: Best Practices For K-12 Tech

Register to receive the ISG white paper

k-12Done right, IT can ensure a strong return on investment and have a proven positive impact on Education Success Measures (ESM). This free report will teach you the common pitfalls to avoid, along with best practices for network implementation, including:

  • 5 benefits of converged technology
  • A sample strategic IT hierarchy for planning
  • 2 critical factors for successful Wi-Fi upgrade
  • Wi-Fi purchasing tips
  • Keys to successful video surveillance and access control systems
  • 3 security benefits of IT as a Service

Disaster Recovery

When creating your disaster recovery plan, it’s all about expecting the unexpected. In order to rest easy that your disaster recovery and business continuity plans are secure, you need to make sure you have all your bases covered and are not cutting corners now that can cost you greatly later on! In the infographic below, we walk through how to prepare your disaster recovery plan and how the cloud plays a role in your plan creation.

Free Disaster Recovery eBook