This article was originally posted in the Union Leader and can be found here.
NH Legal Perspective: Backups- It’s Your Business
By: Tom E. Mitchell
September 21, 2019
A rule that I’ve had for over 15 years, when approached with any IT emergency, is asking the question: “When was the last good backup?”
The folks working for me learned that it was always my first question, always. The Urgent Conversations began with “Tom, Client X is down, the last good backup was 1 hour ago, and this is the problem…” From there, we could move on to important business restoration solutions knowing there was a good backup.
The reason is if you have a good backup, everything else will go much easier for all involved. If not, recovery is going to be very ROUGH!
Many will smile and think “I’ve got this covered. My IT Staff (in-house or outsourced) tells me that we’ve got good backups.” Your data is the lifeblood of your business. If you haven’t audited your backups yourself within the last 90 days, I wouldn’t be so sure. I have repeatedly witnessed companies hit with a network crash that were found to have backups lacking all the necessary components to successfully run their businesses.
1. Backups reported as good, but no one noticed that the “good date” was seven months ago.
2. New applications and servers were added to the network but not added to the backup routine.
3. The backup destination was full and the “failed backup” notifications were going to someone that left the company.
4. Someone was in the process of “fixing” the backup and left the company before finishing.
5. Everyone thought someone else was responsible for backups as “it’s not my job.”
6. The backup software expired, and no one noticed the missing daily reports anymore.
I can go on and on because my old company was brought into remediate after a disaster, which typically resulted in firing of the incumbent IT services company or staff member for gross negligence. It was how we acquired many good and long-term clients, simply through reporting and testing, that we were taking care of backups.
Rebuilding after this type of event is:
• Expensive recovery typically not covered by insurance.
• Negative effects on efficiency & profitability for months
• Lost viability resulting in the company losing business or closing its doors permanently.
Now the next thought is “I don’t have to worry about this because we run in the cloud.” Sorry to be the bearer of bad news but YES YOU DO have to perform backups, even if you are “in the cloud.” Being in the cloud means you are paying to use someone else’s hardware while that hardware uses your data to run your company. It is still your data, and you must know how it is being backed up.
Years ago, we allowed one of our new clients to use only Office365 to run a small startup company. Trying to keep startup expenses low, we didn’t sell a backup solution as we thought Microsoft would never screw up and delete their data.
Six months after starting up, a Microsoft patch accidentally deleted all their data. It took eight business days for Microsoft to recover the data. We failed to do backups, and we were justifiably fired.
I’ve told this story at least 50 times, probably more, to get business owners to understand why backups must happen even if you are in the cloud.
Your data is encrypted by a piece of malicious software then a ransom is demanded, which must be paid to get the decryption key to get your data back.
Ransomware attacks are growing on a track that will continue for years to come as it has an excellent profit model for “The Bad Guys.” The Bad Guys are driven by profit, the same as your company. They spend $10,000, $25,000, maybe $50,000 on a set of tools to do ransomware and can make $100,000 to $500,000 in a few months. That’s a great return on investment. For an example, search for “Gandcrab Ransomware Retirement Notice June 2019”
The main reason that ransomware continues to grow and be profitable is that companies are still not paying attention to whether their data is being backed up correctly, often enough, and with restores being well tested to ensure business viability after an attack. Look at the news — there are stories every week on this subject.
A ransomware attack of today is no different than a server hard-drive crash of 10 years ago, the math is still the same. It can affect your local computers and your cloud data, too.
So, I strongly suggest you ask these questions to whomever is responsible for backup:
1. When was my last good backup?
2. When was the last successful restore?
3. How often is my data being backed up?
4. When was the last successful full spin-up test of my data?
5. What are your expected RPO & RTO?
6. Have your RPO & RTO changed since your backup system was deployed?
• RTO (Recovery Time Objective): How much time does it take to recover?
• RPO (Recovery Point Objective): How long can I be down before the business is negatively affected permanently?
Please remember, while I have written specifically about your company data backup, it applies equally to your home computers and smart phones too. When was the last time you backed up the home computer with all the family photos on it?