Why Your Business Data Backup Might Not Be Enough

Just as you wouldn't leave your family unprotected during a crisis, your business deserves the same level of preparedness. At Legacy, we believe true security means protecting both your family's future and your livelihood. Because when disaster strikes, both are at risk. James, the author of this article, is a resiliency expert with extensive experience helping businesses navigate data crises and implement comprehensive,  effective backup strategies.

Why Your Business Data Backup Might Not Be Enough

Could your company lose 25% of its revenue and still survive? I had a customer who did not have a good backup program. The systematic backup was restored only to find that it was corrupt. They then attempted to recover from their immutable backup, but in doing so, they discovered that they could not access the data once it was restored.  This national dental service company now had to develop both short-term and long-term plans. Their short-term plan was to recreate the patient profiles as they showed up for their appointments. They were fortunate that the schedule database was not impacted. Although it would delay the check-in process of each patient, they could maintain the level of service for each patient daily.

However, their long-term plan was much more costly, as it was estimated that each site had at least $5 to $10 million in accounts payable from insurance companies, for which they had no evidence of the services performed, what was billed, or what had been collected. We brought in a specialist who was able to recover the data from the original storage arrays at a significant cost, approximately 25% of the estimated revenue.

In the meantime, if there were any inquiries regarding accounts payable or billable items when they were entered into the accounting systems, the data was blank, as if it were a ghost.  

In 2024, MediSecure, an Australian provider of electronic prescriptions, experienced a breach that compromised the records of 12.9 million people. The limited information available about the breach indicates that it was the result of a ransomware attack. Although it is unclear whether the company paid the ransom, it sought a financial bailout to protect itself against potential lawsuits. The bailout was denied, and the company underwent a reorganization.

Ghost Data

Although a company may be able to restore its applications, what can it do when it cannot recover the data? The potential for data to become a ‘ghost’ is a threat that can result in significant legal expenses or even the company's inability to remain in business.

These are just two examples of many companies that have lost access to their data. Not all are a result of ransomware, though it is a common headline topic in the news. Poor data maintenance practices can be just as costly as ransomware but are easily avoidable.

Data Resiliency

It does not matter the size of the company; without data, a company could face legal action, regulatory action, loss of income, sales, and potentially be forced to close. What could be done to avoid such devastating losses?  The solution is to architect your data, network, and data centers effectively, regardless of the size of your company. In fact, for smaller companies it may be easier due to the lack of silos within your company.

Your company's resilience is more than just data, applications, and availability; it's a combination of these elements to ensure the CIA triad (confidentiality, integrity, and availability). To prevent your company from falling victim to such a severe loss, where your data becomes inaccessible, consider the following practices before it's too late.  

Resiliency Options

Systematic data backups, which reflect your company’s recovery time objectives (RTO), are the minimum action to take. This would ensure you can recover data in your production environment that has not been corrupted. 

Immutable Backups are a must for any critical data. Immutable means the data is written once and cannot be altered. They cannot, when appropriately configured, be tampered with, altered, or deleted. In today's cloud environment, immutability is assumed; however, it is the responsibility of technicians and application owners to ensure that critical data is backed up in an immutable manner.  Where your immutable backups are stored is just as important. Air gap storage is a standard industry practice for creating immutable backups.

When silos exist within companies, they can be roadblocks to ensuring the right course of action is taken. For example, the onsite data backup team may have a robust environment for backing up, providing both standard backups and immutable backups. As the company migrates to the cloud, the team may not be empowered to consider cloud data backup, believing it is the responsibility of the cloud team.

As your environment changes, ensure that the exact requirements for systems applied in your on-site data center are carried over into your cloud environment.  Even if the responsibility is being transferred to another group, your migration plans should consider this and ensure that the policies and requirements are not only thought out but also that leadership signs off and confirms which group is responsible in the new environment.

Although it may sound rather complex, consider cross-region backups, which ensure your data is stored in multiple locations and on multiple media types. Additionally, consider cross-account backups, which allow for seamless data access and recovery if one account loses access or rights, another account retains the necessary permissions.

Where is My Data? 

Traditionally, data resides within databases, which reside in storage systems. All of these items are connected through a network. All companies have critical data that extends into the environment configuration. It is for this reason that network cloning is advisable to save time when performing a restoration. Firewall rules, segmentation, and access rights can be time-consuming to recreate, and in the process, may result in multiple access issues.

When responding to a data-corruption event, the national dental office, I mentioned earlier, we successfully recovered over 30 terabytes of corrupted data. However, due to the loss of access rights, the users who needed access and the applications could not see the data. The RTO and Recovery Point Objective (RPO) were technically met. Still, since no one could see or access the data, it took several days to properly recreate the access rules and rights before the full recovery was completed. Even afterwards, the company experienced glitches in accessing and routing data for several weeks.

Is Protecting Data Expensive?

Ensuring your data is properly backed up and can be recovered within your RTO and RPO requirements can be costly. However, it is far less expensive than the costs of paying ransoms and lengthy recoveries of data that was not properly maintained. It also ensures your company’s reputation when consumer data is not compromised.  I have always found that when the environment is architected to have the appropriate redundancy, data backup, recovery, and resiliency planned before going live, it costs significantly less than addressing these issues afterwards.

In summary, take an honest look at your recovery and resiliency, ensuring you do so without thinking it cannot happen to you. Instead, ask yourself: when it does happen, can we recover? If your company has any doubts and has not proven the recoverability, then you have a job to do!

Next month, we will examine staff resiliency, including the challenges of maintaining security and availability while meeting your capacity needs.

James Knox is a resiliency expert with an innovative spirit who thrives when building meaningful solutions to various daily problems in the corporate world. He is an avid outdoorsman and loves extreme rock crawling, fishing, and hunting. As a survivalist, James has learned from necessity how to prepare for life’s bumps and thrive with practical and sensible solutions, supporting his family's self-sustaining lifestyle.