Back-ups that allow quick and ideally complete recovery of your data after loss caused by malicious, accidental or coincidental events are one of the crucial basic protection measures an SME should take. This requires implementing a well-defined data back-up process.
The most important points for companies to remember:
- Draw up an inventory of your IT systems and data, and establish the maximum tolerable loss or outage for each item.
- Based on this information, create protection categories for objects with the same risk, and define a data back-up concept for each respective protection category.
- Define and implement a data back-up process in your SME.
- Regularly check that your data have been backed up correctly and can be recovered in accordance with your data back-up concept.
The data back-up process
With increasing digitalisation, the number of IT systems used and the quantity of data processed are continuously rising in SMEs, too. This means that an SME's reliance on the uninterrupted availability of its IT systems and data increases as well.
Extensive data loss, for instance due to malicious cyber-attacks, technical defects, force majeure or accidental deletion, can pose an existential threat to SMEs. The ability to recover company data quickly and ideally completely from a data back-up is therefore part of their vital basic protection.
To this end, a data back-up process should be established which ensures that back-ups are carried out properly in accordance with a data back-up concept. It is just as important that this process also checks that data recovery actually works.
Protection classes
Not every IT system run by an SME is equally vital for its business processes. A differentiated assessment of the need for protection of each IT system and data set is therefore needed. An extensive and up-to-date inventory of all IT systems and data is the basis for gaining an overview and for allocating every item listed to an appropriate protection class.
Protection class | Description | Risk | Max. tolerable outage/loss | Recovery time | Retention period
---|---|---|---|---|---
I | Standard need for protection | Small | > 1 day | < 1 week | > 1 week
II | High need for protection | Medium | 1 day | 1 day | > 1 month
III | Very high need for protection | High | < ½ day | < 1 day | > 1 year
In addition to the threat posed by the harmful influences mentioned above, further criteria must be considered: on the one hand, the maximum tolerable duration of a temporary outage of IT systems or the maximum tolerable quantity of lost data; on the other, the required retention periods.
Such an assessment makes it possible to group IT systems and data with a similar need for protection into protection classes. The requirements for a suitable data back-up concept are then established for each protection class.
Data back-up concept
The data back-up concept determines the organisational and technical back-up details for every protection class. The organisational details include in particular:
- Extent of data back-up (scope)
- Frequency of data back-up (daily, weekly, monthly, ...)
- Time of data back-up (end of the day, week-end, month end, ...)
- Retention period of back-up versions (generation principle)
- Required recovery times (maximum tolerable outage)
From these, the following technical implementation details can then be derived, in particular:
- Data back-up process (complete, differential, incremental)
- Back-up medium (hard drive, tape, …)
- Storage of data back-up media (on premise, physical external storage, cloud, ...)
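As an added example (not part of the original guidance), the following Python script ties the protection-class table to the back-up concept: it checks whether a back-up frequency and the number of retained generations meet a class's tolerable data loss and retention period, and it works out which back-up versions must be restored for a complete, differential or incremental scheme. The numeric bounds for class I (one week of tolerable loss) and the "> 1 month" / "> 1 year" retention periods (30 and 365 days) are assumptions made to turn the table into concrete values.

```python
from datetime import timedelta

# Protection classes from the table above, reduced to two numbers:
# the maximum tolerable data loss (bounds the back-up interval) and the
# minimum retention period. Concrete values are assumptions.
PROTECTION_CLASSES = {
    "I":   {"max_loss": timedelta(weeks=1),   "retention": timedelta(weeks=1)},
    "II":  {"max_loss": timedelta(days=1),    "retention": timedelta(days=30)},
    "III": {"max_loss": timedelta(hours=12),  "retention": timedelta(days=365)},
}


def policy_gaps(protection_class, interval, generations):
    """Return the requirements a back-up policy fails to meet (empty = OK).

    interval:    time between two back-up runs (frequency)
    generations: number of back-up versions kept (generation principle)
    Worst-case data loss equals the interval; the history that can be
    restored equals interval * generations.
    """
    req = PROTECTION_CLASSES[protection_class]
    gaps = []
    if interval > req["max_loss"]:
        gaps.append("interval exceeds maximum tolerable data loss")
    if interval * generations < req["retention"]:
        gaps.append("retained generations cover less than the retention period")
    return gaps


def restore_chain(backups):
    """Return the back-ups that must be restored, in order, to reach the
    latest state. backups: chronological list of (day, kind), where kind is
    "complete", "differential" or "incremental"."""
    chain = []
    for day, kind in backups:
        if kind == "complete":
            chain = [(day, kind)]            # a full back-up starts a new chain
        elif not chain:
            raise ValueError("differential/incremental without a complete back-up")
        elif kind == "differential":
            chain = [chain[0], (day, kind)]  # last complete + newest differential
        elif kind == "incremental":
            chain.append((day, kind))        # every incremental since the last complete
        else:
            raise ValueError(f"unknown back-up kind: {kind}")
    return chain
```

Run `policy_gaps("III", timedelta(days=1), 400)` to see that a nightly back-up fails class III on tolerable loss even though 400 generations satisfy its retention period.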