I participated in a wonderful panel on Information Security for small businesses this week. The event was hosted by HCCC’s Continuing Education and Workforce Development Division. This will be the first webinar in a series. Check here for more information. We covered critical material for business people, and my bit was discussing backup and patching.
As technologists, we love our jargon. Backup really just means having multiple copies of your most important stuff. I recommend that for a small enterprise, you follow the 2 + 1 backup best practice. For critical data, you should make two full copies, on physically separate devices. Keep a third copy physically separate and not connected to your computers or networks. What could those “devices” be? They could be a USB drive, external hard drive, or a cloud service like Dropbox. Keep in mind that to avoid damage by ransomware, the backup should not be directly connected to your business computers. When should you back up? The answer depends on how long you would be able or willing to spend reconstructing your business data. That could be daily, weekly, or even hourly. Even if you are using cloud services like Google, Microsoft, or QuickBooks Online, you should keep periodic backup copies of critical business and financial information. This could be something like quarterly financials or tax documents.
Critical to all security is understanding what is actually crucial. Think about the information that your business would fail without. Maybe you can reconstruct your customer files, but you must have financial data to file taxes. Perhaps your accountant has the financial and tax information, but you cannot function without detailed information about client preferences. It could be that formulas or plans for your products must be protected at all costs. That inventory of what is most important to your business is the first step in securing it. You also need to keep track of where that information is stored. Is it in QuickBooks? Office 365? Google Drive? You cannot secure data if you do not know where you keep it.
Once you know what is critical, where it is, and how often you need it, you can build a plan for backing it up. It is not ridiculous to assume that Google or Microsoft will be up and running nearly 24/7/365. However, you must remember that you or your employees can accidentally delete important information, even in a cloud service. Also, the only 5 minutes of downtime that Google has this year could be just the 5 minutes when you must access it. Keep that in mind as you determine how often you copy your data and how many places you keep it.
You can read more about backup strategies at CIO Magazine. I will discuss “patching” for small businesses in another post.