What Every SME Needs To Know About Backups And Compliance

The government’s UK Business Data Survey 2020 found that 83% of small businesses (10-49 employees) handle data from other sources than their employees. The cybersecurity threat facing SMEs as a whole is significant. In a recent report by the European Union Agency for Cybersecurity (ENISA), 90% of SMEs surveyed found that cybersecurity issues would have serious negative impacts on their business within a week of the issues happening, with 57% saying they would most likely become bankrupt or go out of business.

In this context, it is critically important that companies have a secure business continuity and disaster recovery (BCDR) plan in place, especially when consideration is given to how many small and medium-sized businesses are affected by breaches. According to Verizon’s 2021 Data Breach Investigation Report (DBIR), 44% of businesses with fewer than 1,000 employees had their credentials compromised in the year up to report publication. This growing consciousness has led SMEs to focus more on upgrading their BCDR plans.

For some time, vendors and MSPs have been encouraging SMEs to ‘exercise’ their BCDR strategy. Increasingly too, they have shifted their focus from just protecting and recovering a system to pinpointing the risks of events happening that could threaten backup strategies from delaying data backup maintenance and prevention to using the recycle bin as a backup option. As we move further into 2022, and beyond, vendors, MSPs and SMEs will need to collaborate to develop smarter cybersecurity initiatives to counter ever-evolving threats.

Cloud can help mitigate threats

Leveraging the cloud is a smart option for all SMEs to consider. BCDR can be appliance-based or in the cloud. Adding immutable cloud storage is an important additional component of resilience. If a cyberattack reaches the SME’s network, having immutable cloud storage for backups makes them untouchable to bad actors. As long as the SME employs technologies that prevent a threat actor from getting from the business’s core network into its cloud data, the organisation can be well protected.

The importance of regular testing

SMEs also need to ensure they are continuing to test their backups. Some organisations test quarterly, but many, unfortunately, do not test at all. Businesses run the risk of unplanned downtime due to a failed recovery plan or procedure. Despite the importance of disaster recovery (DR) testing, many companies do not test more often because DR testing can be costly, difficult and involves risk by interrupting critical business processes.

Key role of automated testing

Testing should be done on a regular cadence. There are several solutions that SMEs can leverage to deliver this in an automated way. And the frequency of automated testing can increase based on the importance of the workload being tested.

It is important to highlight too that a common misconception among businesses is the belief that accessing data means everything is good. They may think that if they can boot the machine, then there are no problems. This can lead to falling short of taking the next steps in testing because they are trying to do everything quickly. The concept of testing how machines work together and ensuring the applications inside them are running, by carrying out service checks and testing transactions, and how they flow through the different systems, is an important one. Increasingly today, it can be automated also.

Implementing a backup solution with fully automated DR testing involves simply setting up the testing to run at the frequency that’s right for the business. Once configured, automated reports are generated for 100% confidence that the business will recover from a downtime event. 

The value of good process documentation

A well-documented DR plan is critical to rapid business recovery. This recommendation is more about saving time when it matters most – speeding up recovery after a downtime event.  Skills shortages continue to be an issue, with many IT staff moving from job to job more frequently. Businesses find they lose significant levels of knowledge when the IT professional responsible for BCDR leaves. To mitigate this risk, SMEs should ensure they are documenting processes well, automating as much as possible and, where they can, leveraging services from MSPs. 

Today, the IT security industry remains busy helping SMEs navigate the growing risks to their data. Ransomware, in particular, saw a significant uptick in 2021. The strategies discussed in this article – from leveraging the cloud to regular testing and good process documentation will continue to be key in protecting against these evolving threats.

About the Author: Joe Noonan has spent over 18 years delivering hardware and software technology solutions for virtualisation, cloud, data protection, and disaster recovery. He has worked for Unitrends since 2010 driving its software product strategy for data protection, recovery automation, and cloud disaster recovery and migration. Joe has also held roles in developing technology alliances and is now the GM for the backup and DR suite at Kaseya, which includes Unitrends, Spanning and Kaseya-branded backup solutions.