Why backups are so important for business continuity in your NFP

Relieved there were backups

I often talk about the importance of backups to mitigate cybersecurity risks.

However, I was personally reminded this week how important backups are also for business continuity in general.

It started innocently as a simple late-night task.

I did my research and finally decided on a new software plugin to add to my website.

Much to my dismay, what should have been an easy exercise turned into a disaster when the plugin corrupted my website and took it offline.

Fortunately, I knew that my site had an automatic backup and that I had double-checked that it was working not too long ago. So, I didn’t completely panic.

About 12 hours later, my website was back online but without the plugin that brought it down.

Disaster avoided!

 

Why are backups so important?

While my personal experience this week shows the importance of backups in one way, there are many other reasons why your Not for Profit should be investing in such storage.

Here are a few other reasons to consider:

  • A disgruntled employee decides to delete important files before they exit the organisation, and you don’t realise this until months later.
  • A cybersecurity attack corrupts your data or locks you out of a primary system.
  • Data is migrated to another location, and you realise later that it was not complete.
  • A natural disaster hits your primary data storage location.
  • You are audited (or doing an internal audit) and believe there is a discrepancy between the information in your system and what you believe should be there.
  • Your third-party vendor suffers a cybersecurity breach or major outage, and you cannot access your primary system.
  • For those orgs that still use a server room, there’s a flood or fire or long electricity outage that impacts your primary systems. Even your remote workers could not work in this case.

This is obviously not a complete list, but hopefully you can see how backups are useful in so many ways for business continuity.

 

Where should they be located?

Cloud storage offers so many more options for backup locations these days.

I once worked for a charity where one of the executives took a physical hard drive with a copy of our CRM home every Friday to ensure we had a backup offsite.

While most Not for Profits have all their data and network infrastructure in various cloud solutions today, it’s still important to know for sure that the backups exist and where they are physically located.

Ideally your backup should be stored in a different city away from where your primary information is so that a natural or man-made disaster is unlikely to impact both locations simultaneously.

Also, if you have rules about the data being stored in Australia/New Zealand, be sure that your backups are stored there too.

I recently spoke to a local CRM vendor that is storing their backup in Europe for “lower cost” reasons I still don’t fully understand.

 

Why organisations might not have backups

When I find Not for Profits with insufficient backups, they tend to fall into two categories:

  • They know they need more backup but haven’t actioned it due to cost and/or effort.
  • They believed they were backed up by their cloud software provider.

For any of you in the first category, you should know that you are playing with fire!

For those of you in the second category, you really should review your agreements to ensure that is the case.

As an example, most organisations believe that everything they have in Microsoft 365 is backed up by the vendor.

However, for most license types, deleted items in OneDrive, SharePoint and Exchange are only retained for 14 to 93 days.

For many Not for Profits, this is not sufficient. So, it’s important to know what your backup agreement says for each of your major systems and data sources.

 

How long should you keep backups?

File storage backups can be quite expensive over time as your organisation accumulates information. So, it’s important to be strategic about what and for how long you retain that information.

Common retention periods (depending on the importance of the data) include:

  • Daily backups: 1-2 weeks.
  • Weekly backups: 1-3 months.
  • Monthly backups: 1 year.
  • Yearly backups: Up to 7 years, depending usually on regulatory or contract requirements.

Organisations that don’t create data retention rules for old or unneeded data can find their backup costs increasing significantly each year. So, beware!
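The retention schedule above, worked through as an added example (not part of the original article): given the dates of existing backups, it decides which ones can be deleted. It uses the upper end of each range listed, and assumes that Sunday's backup is the weekly one, the 1st of the month is the monthly one and 1 January is the yearly one; the function names are illustrative.

```python
from datetime import date, timedelta

# Retention windows: the upper end of each range in the list above.
RETENTION = {
    "daily": timedelta(days=14),         # 1-2 weeks
    "weekly": timedelta(days=90),        # 1-3 months
    "monthly": timedelta(days=365),      # 1 year
    "yearly": timedelta(days=7 * 365),   # up to 7 years
}

def tiers(d):
    """Tiers a backup taken on date d belongs to.

    Assumption (not from the article): Sunday's backup is the weekly one,
    the 1st of the month is the monthly one, 1 January is the yearly one.
    """
    result = ["daily"]
    if d.weekday() == 6:
        result.append("weekly")
    if d.day == 1:
        result.append("monthly")
    if d.month == 1 and d.day == 1:
        result.append("yearly")
    return result

def keep_until(d):
    """Last date on which the backup from date d must still exist."""
    return d + max(RETENTION[t] for t in tiers(d))

def plan(backups, today):
    """Split backup dates into (keep, prune) lists, oldest first."""
    keep = sorted(d for d in backups if keep_until(d) >= today)
    prune = sorted(d for d in backups if keep_until(d) < today)
    return keep, prune

if __name__ == "__main__":
    today = date(2024, 6, 30)
    # Constructed sample: one backup per day for the last three years.
    history = [today - timedelta(days=n) for n in range(3 * 365)]
    keep, prune = plan(history, today)
    print(f"{len(history)} backups taken, {len(keep)} kept, {len(prune)} can be deleted")
    for d in keep[:5]:
        print("oldest kept:", d, tiers(d), "until", keep_until(d))
```

Run against three years of daily backups, only a small fraction is kept, which is how a retention rule stops storage costs growing every year.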

 

Final thoughts

I narrowly avoided a disaster this week by having an automatic backup on my website.

In today’s cloud environment, many Not for Profits are assuming that they have sufficient backup in place when that is probably not true for many of their major systems and data locations.

So, if in doubt, ask more questions to ensure your organisation can continue to conduct business even if something like this happens.

 

 

I regularly help Not for Profits mitigate cybersecurity and business continuity risks. Let me know if you need some help.


 

 

Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.

 

 
