All I want for Christmas is a foolproof data backup and recovery plan

When our grandparents were kids, they didn’t even lock their doors. Now alarms, electric fences and motion-sensitive cameras are commonplace. But it’s not only the physical world that has become a more dangerous place. Cyber attacks used to be something that only happened on the dark web, but in today’s interconnected world, everyone who uses an electronic device is at risk.

Besides, when it comes to data protection and recovery, malicious attacks are not the only threats. Often, when data is lost, it’s as a result of human error. “I thought I’d saved it, boss!” or “I didn’t mean to press delete!” A flood, an earthquake or a power outage (especially in South Africa) could just as easily be the culprit.

Since the start of the COVID-19 pandemic, businesses have migrated to the cloud in their droves. And with good reason: Having your office in the cloud makes running a company much, much easier. But, Dirk Prinsloo, a cloud solutions architect at BUI, cannot stress enough that simply storing your backups in the cloud does not constitute a sound data backup and recovery plan.

Still as easy as 3-2-1

Despite widespread adoption of the cloud, the 3-2-1 rule remains as relevant as it’s ever been. The rule states that, when it comes to backing up data, businesses should keep three copies of their data, on two devices (or locations), one of which is held offsite. “Physical backups are still very much a thing,” says Prinsloo. “Even in 2021.”

There are many reasons for this, not least the fact that very few businesses have all their data in the cloud. Virtually every business on the planet has some offline data, and it goes without saying that this needs to be backed up.

But even if your business exists entirely in the cloud, you shouldn’t assume that your data will never be stolen or lost. Firstly, the cloud is made up of physical computers that can fall prey to the threats outlined above. While the fact that they’re housed in secure data centres and managed by massive multinational corporations makes a loss less likely, it doesn’t rule it out entirely. Google, Microsoft and Amazon have been affected by cyber attacks in the past, and just last year a major data centre in New York was flooded. “We talk about avoiding a single point of failure,” says Prinsloo, “which is basically a fancy way of saying ‘don’t put all your eggs in one basket’.”

If you fail to prepare, then prepare to fail

Following the 3-2-1 rule for backups is only half of a sound backup and recovery plan. All your backing up is worth nothing if you can’t recover your data in the event of a breach and/or loss. How many of us have lost our WhatsApp chat history despite being “100% certain” we had enabled backups? While this example may seem trivial, the same kind of wishful thinking is often employed by multimillion-rand businesses. “To use an analogy,” says Prinsloo, “installing fire extinguishers and fire escapes in a block of flats is all very well, but they don’t count for squat if you don’t train residents to use the extinguishers and regularly practise evacuating via the escapes.”

If your company backs up data every day, you should – as a rule of thumb – be running recovery tests once a week. This means going to all three of the places you’ve stored your data (onsite, offsite and the cloud) and trying to retrieve it. Is the data stored in a format you can access? Can you actually use the backup to restore to a particular point in time? Can you remember the password for the cloud? And, if you look for 10 randomly selected documents, can you find them all?

What’s more, your backup and recovery strategy needs to be clearly outlined in a widely circulated plan that is signed off by all the relevant people. And this plan needs to be amended at least annually (preferably more often) to take into account changes to the technology and security landscapes.

Cirrus, stratus or cumulus?

Before you head out to light the braai, please take a moment to reflect on the fact that not all clouds are created equal. While your personal Dropbox account is perfect for keeping those hilarious snaps of Frikkie’s toga party, it’s not a good place to store company data. Something like Microsoft Azure Backup would be far more appropriate.

And even once you’ve chosen to partner with a cloud provider that’s both reputable and fit for purpose, you still need to know how best to use the cloud. Prinsloo warns against “relying on the vendor as a backup strategy”, citing the example of the Azure backup solutions offered by Microsoft. “In South Africa, Microsoft has data centres in Joburg and Cape Town,” he explains. While your data will be automatically stored at the data centre closest to you, it’s possible to design your cloud architecture so that your data and infrastructure can be replicated across both centres. You can also take advantage of architectural design elements such as Microsoft’s Availability Zones. “These aren’t a bog-standard feature,” says Prinsloo. “But they’re easy enough to set up if you know what you’re doing.”

Which brings us to the crux of the matter. Having a foolproof backup and recovery strategy is no longer a nice-to-have – it’s an absolute necessity. Whether you do it in-house or you outsource it, formulating and implementing this plan will require an investment of both time and money.

But the alternative, says Prinsloo, doesn’t even bear thinking about. “It’s a no-brainer,” he says. The financial and reputational costs of an irrecoverable loss are simply “too massive to contemplate”.