Home Page Navigation Contents Contact Sitemap Search

Data back-ups in an SME environment

Back-ups to pro­vide for quick and ide­ally com­plete recovery of your data in case of loss due to mali­cious, acci­dental or coin­ci­dental sce­narios are one of the cru­cial basic pro­tec­tion mea­sures an SME should take. This requires the imple­men­ta­tion of a refined data back-up process.

The most impor­tant points for com­pa­nies to remember:

  • Draw up an inven­tory of your IT sys­tems and data, and estab­lish the max­imum tol­er­able loss or outage for each item.
  • Based on this infor­ma­tion, create pro­tec­tion cat­e­gories for objects with the same risk, and define a data back-up con­cept for each respec­tive pro­tec­tion category.
  • Define and imple­ment a data back-up process in your SME.
  • Reg­u­larly check that your data have been backed up cor­rectly and can be recov­ered in accor­dance with your data back-up concept.

The data back-up process

With increasing dig­i­tal­i­sa­tion, the number of IT sys­tems used and the quan­ti­ties of data processed is con­tin­u­ously rising in SMEs, too. This means that an SME’s reliance on the unlim­ited avail­ability of its IT sys­tems and data increases as well.

Exten­sive data loss, for instance due to mali­cious cyber-attacks, tech­nical defects, force majeure or acci­dental dele­tion, can pose an exis­ten­tial threat to SMEs. The ability to recover com­pany data quickly and ide­ally com­pletely from a data back-up is there­fore part of their vital basic protection.

To this end, a data back-up process should be estab­lished which safe­guards that back-ups are car­ried out prop­erly in accor­dance with a data back-up con­cept. And it is just as impor­tant to also check that data recovery works prop­erly as part of this process, too.

Pro­tec­tion classes

Not every IT system run by an SME is equally vital for its busi­ness processes. A dif­fer­en­ti­ated assess­ment of the respec­tive need for pro­tec­tion for all IT sys­tems and data is there­fore needed. An exten­sive and up-to-date inven­tory of all IT sys­tems and data is the basis for gaining an overview and to allo­cating all items listed to an appro­priate pro­tec­tion class.


Example pro­tec­tion class allo­ca­tion based on cri­teria
PCDescrip­tionRiskMax. tol­er­able outage/lossRecovery timeReten­tion period
IStan­dard need for protectionSmall> 1 day< 1 week[/av_cell]> 1 week
IIHigh need for protectionMedium1 day1 day> 1 month
IIIVery high need for protectionHigh< ½ day[/av_cell]> 1 year

Next to the threat posed by the harmful influ­ences men­tioned, there are addi­tional cri­teria to be con­sid­ered. This includes the max­imum tol­er­able dura­tion of any tem­po­rary outage of IT sys­tems or quan­ti­ta­tive loss of data on the one hand and the reten­tion periods required on the other.

Such an assess­ment makes it pos­sible to com­bine IT sys­tems and data with a sim­ilar need for pro­tec­tion into pro­tec­tion classes. Sub­se­quently, the require­ments for a suit­able data back-up con­cept are then estab­lished for every pro­tec­tion class.

Data back-up concept

The data back-up con­cept deter­mines organ­i­sa­tional and tech­nical back-up details for every pro­tec­tion class. In par­tic­ular, the fol­lowing organ­i­sa­tional details count amongst them:

  1. Extent of data back-up (scope)
  2. Fre­quency of data back-up (daily, weekly, monthly, ...)
  3. Time of data back-up (end of the day, week-end, month end, ...)
  4. Reten­tion period of back-up ver­sions (gen­er­a­tion principle)
  5. Required recovery times (max­imum tol­er­able outage)

From this, the fol­lowing tech­nical details of imple­men­ta­tion can then be deduced, in particular:

  1. Data back-up process (com­plete, dif­fer­en­tial, incremental)
  2. Back-up medium (hard drive, tape, …)
  3. Storage of data back-up media (on premise, phys­ical external storage, cloud, ...)

Exten­sive data loss – for instance due to mali­cious cyber-attacks, tech­nical defects, force majeure or acci­dental dele­tion – can pose an exis­ten­tial threat to SMEs.

Using a clever data back-up con­cept, such risk sce­narios can be min­imised by achieving a quick and ide­ally com­plete recovery of any data lost.

Fur­ther information

The data back-up scope serves to estab­lish which data (sources) will actu­ally be included in the data back-up. A well thought-out and struc­tured data filing system can to a great extent ensure that no impor­tant data are over­looked. In addi­tion, you should check whether the data (sources) for back-up are actu­ally avail­able at the time of the data back-up run (for instance with regard to devices which might be switched off over the week-end)

If you create a data back-up at short inter­vals, this does safe­guard against any minor data losses. On the other hand, it also increases the effort required for data back-ups. In par­tic­ular, this could lead to bot­tle­necks on the net­work, if you back up large data quan­ti­ties every day. In this case, it is rec­om­mended you care­fully assess your needs for protection.

The time of your data back-up depends on your busi­ness processes. Here you should assess the risk evo­lu­tion of any poten­tial data loss inside the time period between your indi­vidual data back-ups. A fre­quent prac­tice is there­fore to run back-ups at the end of every day, so not to dis­rupt daily oper­a­tions and use the resources avail­able at night for data back-ups.

In case of data loss, you gen­er­ally restore the ver­sion of the last avail­able data back-up. For var­ious rea­sons, it might also be nec­es­sary though to be able to recover older his­tor­ical data from fur­ther back at times. For such data, you should deter­mine a reten­tion period for your back-ups. With the help of a well thought-out rota­tion schedule (gen­er­a­tion prin­ciple) geared towards data vol­umes and pro­tec­tion needs, such reten­tion periods can be safe­guarded with a min­imum of data back-up media. When backing up data daily for instance (Mo to Fr), it only takes 20 data back-up media to be able to recover the back-up ver­sions of the last four week­days (Mo to Th), the last 13 week-ends (Fr), the last two month ends and the last year end.

The term required recovery times denotes the period of time between the dis­covery of any data loss up to the time access is rein­stated. The shorter this max­imum tol­er­able outage period is set, the higher the organ­i­sa­tional and tech­nical require­ments with regard to your data back-ups. Things to be con­sid­ered here are the required time for iden­ti­fying data to be recov­ered, locating such data on their respec­tive data back-up copies, access to the required data back-up media and the actual data restoring process.

Some­times, the time avail­able (e. g. during the night) is not suf­fi­cient to com­pletely back up data from a cer­tain pro­tec­tion class at the required fre­quency. You can mit­i­gate this problem by care­fully choosing the type of data back-up method you use (com­plete, dif­fer­en­tial, incre­mental). With a com­plete data back-up, a com­plete copy of all data inside the scope is cre­ated on your data back-up medium. This method requires most space on your data back-up medium and the most time. With the dif­fer­en­tial method how­ever, only the data changed since the last com­plete data back-up are backed up (those dif­ferent from the last com­plete back-up). This con­sid­er­ably reduces the data volume, since unchanging data in par­tic­ular only ever have to be backed up once. Recovery of a data back-up ver­sion takes place in two stages with this method: First, you will need to restore the last com­plete back-up you have, and then restore the required dif­fer­en­tial data back-up. The incre­mental method reduces the data volume to be backed up even fur­ther. Here, only changes com­pared to the last data back-up (no matter of what type) are backed up. If there is a need to recover data, you will there­fore have to restore the last com­plete data back-up, the last dif­fer­en­tial data back-up as well as all sub­se­quent incre­mental data back-ups.

The term data back-up medium denotes the con­tainer used to record a cer­tain data back-up ver­sion. In its sim­plest form, this could involve a simple file with a spe­cific file format, or a phys­ical data car­rier (hard drive, optical medium, mag­netic tape,) on a ded­i­cated back-up system. The choice of a suit­able data back-up medium pri­marily depends on the organ­i­sa­tional require­ments (extent, fre­quency, reten­tion periods and recovery times). In par­tic­ular for long-term reten­tion (archiving) of large data vol­umes, mag­netic tapes have become the medium of choice.

Data back-up media and their storage are of absolutely vital impor­tance for the whole data back-up process. As far as risk assess­ments are con­cerned, fac­tors such as phys­ical pro­tec­tion, storage con­di­tions, avail­ability, acces­si­bility etc. must be con­sid­ered. Gen­er­ally, data back-ups should be insu­lated against external influ­ences to the max­imum extent pos­sible. In con­nec­tion with ran­somware for instance, you have to ensure that data back-ups are stored in such a way they are com­pletely out of reach of any attacker. It is there­fore vital to store them offline.

What else would you like to learn about security when e-banking?

Reg­ister for a course now
and learn more:

Basic course

Find out about cur­rent Internet threats and some easy pro­tec­tive mea­sures, and how to securely use e-banking.

fur­ther information

Online course mobile banking/payments

Find out about mobile banking, mobile pay­ments and how to securely use these apps.

fur­ther information

Online course for the under-30s

Learn how to use your smart­phone securely. Next to basics, we will show you what you should know about social media, clouds, mobile banking and mobile payments.

fur­ther information

Course for SMEs

Is your organ­i­sa­tion suf­fi­ciently secure? Learn which mea­sures you can take to sig­nif­i­cantly strengthen your organisation’s IT security.

fur­ther information