Getty Images/iStockphoto
Backup strategy for small businesses 101
Small businesses must review data protection needs and choose a backup strategy accordingly. This ensures that they meet requirements without going over budget.
Although the subject of backup planning is almost always framed in the context of large enterprises, backups are every bit as important for small businesses, maybe even more so. A major data loss event could put a small company out of business.
Every small business must take the time to consider how best to protect its data and prioritize putting a backup plan into practice. Specific steps will vary by organization and industry, but small businesses can follow several best practices to create a solid backup strategy.
There are multiple competing backup products and numerous vendors that all claim to be the best. Rather than picking out a backup product and then trying to configure it to protect the organization's data, it is better to develop a comprehensive backup strategy built for small businesses. At that point, IT leaders and backup administrators can decide which products will best fit that strategy.
A good backup strategy for a small business prioritizes reliable backups without going beyond the company's resources. Below are some key elements of a strong small business backup plan.
Backups, backups, backups
To adequately protect data, there must be at least three copies of that data. The first copy isn't really a copy; it's the production data that is in use every day. The second copy is a backup kept on-site, and the third copy is an off-site backup.
There are two primary reasons to have multiple backup copies. The first reason is for the sake of redundancy. If the on-site backup copy is unreadable because of a bad tape or a similar problem, the secondary backup copy will likely be available.
Having an on-site copy also gives you the ability to restore data quickly. Restoring an off-site backup copy is much slower, but having an off-site backup copy will ensure that a copy of the data survives if the business suffers a catastrophe, such as a fire or flood. Furthermore, an off-site data copy can act as a stopgap. If your business is attacked by ransomware, it could destroy your on-site backup. Having a disconnected, off-site copy gives you a way to get your data back without paying the ransom.
Choosing the right backup media
The storage media should be a major consideration when developing a backup strategy. It's important to strike an appropriate balance between capacity, durability, throughput and cost when selecting storage media. It's also worth remembering that some organizations use multiple types of backup storage as a way of getting the best of both worlds. For small businesses in particular, cost will likely play a big role in the choice of storage.
Tape isn't quite as popular today as it once was, but tape backups are relatively inexpensive and reliable. Once a tape is ejected from the drive, it is disconnected from the system, so a ransomware attack cannot compromise the data stored on an ejected tape.
The disadvantage to using tape is that it doesn't work well for data that changes frequently. Usually, only one tape backup is made each night, so the most recent data will always be left unprotected. Users also have to find a secure way to store tapes to prevent data theft.
A common technique in a backup strategy for small businesses is to use portable hard drives as a backup target. This method has similar advantages and disadvantages to tape, but the hard drives tend to be more expensive and can't survive being dropped like a tape might.
Continuous data protection constantly backs up data to a series of disks within a backup server or an appliance. CDP backups run all the time, so even the most recent data is protected. The disadvantages, however, are that CDP backups are more complex than tape or portable hard disk backups, lack portability, and can be very expensive.
Because CDP backups are not portable, it is common to copy backup data to a tape or to the cloud for off-site storage. This enhances the level of protection, but it also increases the cost and complexity of the backup.
While cloud backups are reliable, they aren't well suited to backing up large volumes of data. The cost of transferring and storing the data increases as the business accumulates more data. In addition, internet bandwidth limitations can make backing up to -- or restoring from -- the cloud impractical with large volumes of data. Many organizations use the cloud as a secondary backup for these reasons.
Cloud backup products aimed at small businesses are often designed for use by people who have minimal technical experience. This makes them a good option for small organizations with limited IT resources.
Key areas of focus for small business backup
There are several things that small businesses should focus on when designing a backup strategy. One such consideration is the backup frequency. The frequency with which backups are created directly determines how much data could potentially be lost in a crisis. An organization that performs a nightly backup, for example, could lose up to 24 hours' worth of data in a worst-case situation. Similarly, modern CDP tools can create backups every 30 seconds, meaning that an organization that is using such a tool should never lose more than 30 seconds' worth of data.
Another important consideration for small businesses is the backup retention period. Suppose, for example, that a business backs up data to tape. How long should the backup administrators keep a tape before overwriting its contents?
The decisions surrounding backup retention generally come down to regulatory requirements and business requirements. If a business operates within a regulated industry, then there are likely laws pertaining to backup retention. Nonregulated businesses should consider the question "How old is too old?" In other words, at what point does a backup become so outdated that there is no point in trying to restore it?
One more thing to consider is how well a particular backup tool will enable an organization to function during a crisis. If an organization has a large amount of data and a simple backup product, it could take days to do a full restoration. While a lengthy restoration might be unavoidable, small businesses should at least have a plan for prioritizing the restoration of critical systems. Likewise, there are tools available that will keep mission-critical workloads online during certain types of failures, but such systems tend to be costly and complex.
Much of the backup-related guidance that exists online is geared toward enterprise-class organizations. Small businesses typically have far less data than an enterprise, but they also tend to have much smaller IT budgets.
Despite these differences, the stakes are just as high for a small business as they are for an enterprise when it comes to preventing data loss. Smaller organizations should look for ways to derive the maximum benefit from their data protection budget. It's also a good idea to honestly assess the IT staff's data protection expertise, then invest in training, subscribe to a backup-as-a-service vendor or hire a consultant if the IT staff lacks the necessary skills.
Brien Posey is a 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.