11 Backup Best Practices for 2023
Backup solutions are critical for all businesses but can become a liability if not done correctly. Backup solutions that consume resources unnecessarily, fail during recovery, or aren’t protected from malicious and accidental deletion are ineffective and incomplete. MSPs understand the potentially fatal consequences of bad backups, but your clients may not.
Table of Contents
Use this article as an educational tool with end users to help them understand the importance of comprehensive backup and the consequences of forgoing backup or choosing a legacy vendor and solution. Armed with the following backup overview and backup best practices, MSPs can highlight the value of your solutions and the peace of mind you give end users.
Consider Retention Span
Data retention policies balance how long information remains accessible against the storage space needed to hold retained data. When considering retention limits, you should know that the larger the backup, the longer it will take to restore, impacting your recovery speed. Also, depending on who your BCDR provider is, storage costs can soar with multi-tier pricing plans and limitations that, when exceeded, incur surprise fees and overages.
Additionally, state laws and industry regulations often govern data retention policies for documents and data. Companies that operate in regulated sectors often need to comply with backup retention best practices which can be complex. For example, companies holding medical information in compliance with HIPAA regulations must comply with state laws on data retention which vary from state to state.
Read more about compliance standards in Medical Record Retention.
The backup solution a business uses must employ a retention span that complies with state and industry requirements while minimizing storage space for cost-efficiency and accelerating recovery speeds. Solutions using chain-free backups with pooled storage and long-term retention deliver the right balance to keep businesses running.
Document Policies and Procedures
A good backup plan needs a policy that defines the purpose of the backup, why you need it, and how you’ll use it. Without a policy, you won’t know if you’re making the proper backup or if it will solve the problem for which you’ve made the backup.
The backup policy defines high-level governance of backup systems, identifies regulatory and legislative requirements, sets responsibilities and accountability for backup and recovery team members, and details how you’ll implement the policy.
Backup procedures are step-by-step instructions for creating and restoring backups that meet the requirements of the backup policy. These instructions tell your team what to do and when so everyone knows their role and can act quickly in the event of a disaster. It also provides the information needed to test backup integrity to make sure backups are available no matter what.
Protect and Encrypt Backups
It’s essential to protect backups for the following critical reasons:
The first is confidentiality. A data backup strategy typically includes critical data and business information such as planning documents and contracts, commercially sensitive data around pricing, personal information in payroll and healthcare records, and configuration settings for security controls and firewalls. Any of this information would be attractive to a hacker, so storing it together in a backup makes it a prime target for bad actors.
Next is integrity. If an attacker corrupts your backup data via ransomware encryption, your only option is to pay the ransom. Unfortunately, even after paying a ransom, there is no guarantee that your data will be returned or hasn’t already been sold on the dark web. Moreover, ransom demands can be so high that they’re often fatal for small businesses.
The other risk to backup integrity is accidental deletion. If an employee accidentally alters a backup file, you may discover that your disaster recovery plan no longer works, or it can’t be accessed, and business operations cannot continue.
The best way to protect confidentiality and integrity is to use encryption technology, with an up-to-date and robust algorithm and sufficiently long key to ensure that no attacker – irrespective of their knowledge and resources – can crack the code. Encryption keys must be managed and handled correctly by experienced cybersecurity experts to prevent theft or loss. Without your encryption keys, you won’t be able to decode your data backup and restore business functions.
Backup Frequently and Consistently
Data should be backed up no fewer than three times a day to minimize the impact of critical data loss. Again, it’s best to work on the worst-case assumption that your system will fail immediately before the next backup is due. With this perspective, you create a disaster recovery plan that sets you up for success, no matter how minor or major the loss is.
If you schedule backups too infrequently, you will lose too much information between the last backup and a data loss incident. At the same time, scheduling backups too frequently wastes time and resources, costing your business money. Too many backups can affect productivity negatively if the process impacts normal operations by slowing the system.
You can calculate your backup schedule by assessing how frequently data changes, how important data is to the business, how much downtime the business can tolerate, and how much of the most recent information changes are safe to lose. Depending on your answers and the type of information being backed up, the backup frequency can differ from system to system.
For example, business plans may only change once a month, but online orders may change every minute. Therefore, losing the last few hours of orders will be more damaging than the changes to an internal planning document.
Automate Backup Operations
Manual backups are subject to human error, with various factors affecting the occurrence rate. Automated features included in innovative backup solutions remove the risk of incorrectly performing procedures or forgetting steps that can compromise your backups.
Automation ensures that backup operations follow procedures at the correct scheduling, irrespective of external factors. High-quality backup solutions can automate backing up data multiple times a day, perform extensive backup integrity checks to confirm bootability for recovery, and take self-healing steps in the event of a backup failure.
Incorporate Backup in BCDR
Backup is critical to business continuity and disaster recovery (BCDR) because a company cannot recover without backups. And if a company cannot recover after a cyber incident, business continuity is interrupted, and productivity stops.
Therefore, it is essential that your BCDR capabilities are satisfied by your backup strategy and solution. You need backup automation, company-wide backup policies for all types of data, business continuity planning, and disaster recovery testing to protect your business and keep it moving.
Regularly review and audit the backup policies as part of regular governance to manage the impact of system changes downstream.
Regularly Test Backups and Recovery
One of the most common problems with backups is businesses only find out a backup has failed when they need to restore a system. At that point, it’s too late to fix the problem, and now you’ve got a disaster. This is why backups alone can create a false sense of security, especially for businesses trying to manage their BCDR infrastructure on their own.
Backup testing must occur at least once a day if not more, to capture any issues before they escalate to the point of preventing recovery after an incident. In addition to confirming that backups are healthy and complete, you also confirm that all the information needed to recover systems is part of the backup.
The best way to comprehensively prove a backup is correct is to recover a system using the backup. However, doing this on a production business system is fraught with risk, so having test data that accurately mirrors the production data is preferable.
Ideally, you should check every backup to make sure it was successful. Disaster recovery testing can be less frequent but must be regular enough to validate your disaster recovery plan and allow you to resolve problems before it’s too late.
Use a 3-2-1 Data Backup Strategy
The 3-2-1 backup strategy is a tried-and-tested approach for securing stored backup data to ensure availability as quickly as possible under all failure situations.
The name 3-2-1 comes from the three critical requirements for each backup created.
- You should keep 3 copies of your data: 1 primary and 2 backups.
- You should store backup copies in 2 different locations
- You should have 1 backup copy offsite
Multiple copies of backups prevent accidental loss or damage to one copy impacting your ability to recover.
Storage options include virtual cloud storage in a public or private cloud or on-premises storage using local hardware devices.
An off-site backup, like the cloud, is stored in a different geographic location from the system, which could be on-premises. If the system is in the cloud, its cloud backup must be in a different data center than the system. You can strengthen this backup strategy by creating one immutable or air-gapped backup copy that separates data deletion requests from data deletion mechanics. This way, even if data is deleted, it can be recovered from the air-gapped archive.
Use Remote Storage
Remote storage of backups prevents natural disasters or major incidents that might impact the business system from also impacting the backup. The distance required depends on the credible threats to the system and its geographic reach. Consider these catastrophes when creating remote storage solutions:
- You can lose a backup stored in the same room as the system if there is a localized fire.
- You can lose a backup stored in a different building from the system in a major fire or a significant weather event such as a hurricane or an earthquake.
- You can even lose an off-site copy of a backup stored in a different part of the country following a geopolitical event such as an act of war.
Choosing the right remote location for an off-site copy means balancing credible risks against the time and effort needed to access the remote site for recovery.
Cloud storage provides an opportunity for a cloud backup to be almost anywhere geographically, assuming network connectivity can be assured when recovery is required. However, choose carefully, as data sovereignty requirements can limit where you are able to store data.
Avoid Legacy Chains
Legacy chain-based backups create several issues with backup integrity that can render BDR ineffective, making their use significantly problematic.
The first issue is storage bloat, where you can’t easily erase consolidated data without creating a deletion policy. The next issue is compliance with long-term retention policies. Chain-based backups should never be used without maintenance past 12 to 24 months and require time-consuming yearly reseeding. The last issue is a big one, slow recovery times and extensive resource requirements extending downtime during recovery.
Learn more about the pains of chains in this quick video, why you should care how your backups work, and discover how a chain-free image-based backup solution eliminates legacy chain-based problems.
Choose Chain-free Backups
Unlike chain-based backups, where the infrastructure is risky, problematic, and puts backups and recovery in jeopardy, chain-free backups are modern, hands-free, and efficient. Because each recovery point is independent bad data blocks are isolated and can be deleted without compromising data integrity. There’s no data loss, wasting time or storage having to start new chains, and no reseeding.
Additionally, chain-free backups alert you if storage corruption occurs so you can fix it before it becomes a problem.
The scale, sophistication, and frequency of threats to companies and their IT systems make having an effective backup strategy essential. However, just backing up isn’t enough. You must follow best practices in order to recover.
It’s best to have a backup policy to ensure you are backing up the correct elements immediately to comply with business needs and any regulatory and legislative requirements. Additionally, backup procedures ensure the backups work and will recover your systems correctly.
Complete, healthy, and chain-free backups are critical to ensuring business continuity and disaster recovery no matter what. These best practices offer a starting point to help you protect your business and should be followed up with your MSP to ensure complete data security.
Frequently Asked Questions
What is a backup?
A backup is a copy of your data that is saved in a protected location and will be used to restore an environment after data is deleted by accident, by a cyberattack, during a natural disaster, or due to another disruption or outage.
Who are backups for?
Anyone and everyone with an information system needs backups. Whether that’s an individual with a home computer or a business with a vast corporate infrastructure, you can’t recover from accidental or malicious data loss if you don’t have a backup strategy to protect data.
What are the critical aspects of backups?
- They must be complete. Backups must include all information needed to recover a system. That includes the operating system and services configuration data, applications, documents, databases, and other files. If a backup is incomplete, you will not be able to restore enough data to get systems working again. The result is that business stops, and you may experience significant downtime with high costs.
- They must be protected. Backups must be kept safe from accidental and malicious deletion, alteration, and corruption. If the backup is vulnerable, you can’t rely on it being available when you need it most. Backups should always be stored separately from the system to prevent a complete downtime scenario.
- They must be available. Backups must be ready for restoration within a reasonable time frame that does not exceed one hour. The two measures for recovery availability are recovery time objective (RTO) and recovery point object (RPO).
About the Author: Carissa Johnson // Product Marketing Manager, Axcient
Carissa Kohn-Johnson has a background in healthcare technology and information technology, and is now the Product Marketing Manager for Axcient. She has a lot of MSP Channel experience from planning and attending hundreds of conferences and tradeshows, and found her passion in IT. Carissa is also an elected official in Cary NC, a town chock full of technology-forward people. Connect with her on LinkedIn – perhaps you can contribute to the Axcient blog?