On March 10, 2021, OVH, a large data hosting center in France that is responsible for thousands of customers and millions of websites’ data, experienced a devastating fire. OVH has four data centers – in four separate buildings as part of the same complex – and one was destroyed. Another building was severely damaged. The other two were far enough away from the fire to remain safe, but the complex was left with half of its previous operating capacity.
What does this unfortunate situation have to do with your cybersecurity efforts? Since many organizations rely on these types of data centers for their cloud storage, network housing, and backups, there is much we can learn from the incident. We’ll look at the lessons learned below.
1. It’s important to have a backup plan.
We already know that it’s important to take proactive measures in defending your organization from hackers and cyberattacks. Equally important, though, is taking the steps to protect yourself from physical disasters, such as a fire. Because of this, it’s always recommended to include physical security as part of your disaster recovery plan. You should also think about physical security when assessing your digital backup needs.
When developing a backup plan, first identify your needs and set a schedule for conducting backups. Next, list all the tools you will need to perform the backups – such as external hard drives or an online backup solution. Finally, test and document the disaster recovery and backup process.
It’s also important to know about the data you need to store. Can it be accessed on different applications or devices? If your organization has legacy equipment or older applications that are no longer viable, you should plan how you’ll back up, store, and continue to access that data in the event of a physical disaster. For example, if you lose information and have to restore data on a Windows device that previously lived on an Apple device, will you be equipped with the necessary tools to make the transition go smoothly?
Finally, you should include logistics in your disaster recovery and backup plan. Who from your organization will maintain the backups? Or will a third-party cloud service provider take care of the backups? If you go with a third-party vendor, you should ask how they handle their physical security to ensure it meets your security standards.
All of this should be taken into consideration when developing a backup plan for your organization.
2. Determining frequency of backups is key.
Determining the schedule for how often you will conduct backups requires a bit of balance. The key is to weigh the potential loss against storing so much data that you can’t easily maintain it anymore. While it’s nice to say you will back up everything immediately, that is not feasible for most organizations.
When determining frequency of backups, you should think about how long your organization would be able to function without certain data, an application, a device, or anything else living in your digital space. This should also include any contractual obligations to clients or vendors.
The following are some things to keep in mind when developing a backup schedule:
- Determine your recovery time objective (RTO). How long will it take your organization to recover in the event of an incident?
- Determine your recovery point objective (RPO). How much data, if any, will be lost after a “full recovery” has taken place?
By having an idea of your RTO and RPO and knowing how much data you can or can’t afford to lose, you can then use the numbers to determine your backup schedule.
3. It’s best practice to consider physical tools and restorative measures.
You’ll also want to have pre-established physical tools in place that you could use to help protect your backed-up data in the event of an incident. To determine the tools and preventative measures needed, you can look at climate control, fire suppression, power supply, and any other physical tool you might need to avoid an incident turning into a full-on disaster.
If something does go wrong, you should also make sure you have restorative measures in place. For example, examine whether it makes sense to do offsite data backups so that a fire in your office building doesn’t destroy both the original copy and the backups. Have alternate work sites in mind so that employees will be able to get back to work quickly. Finally, you’ll want to take a look at the fine print of your cybersecurity insurance policy to know what would and would not be covered in the event of a disaster.
4. You should document and test everything.
Before your backup plan can be considered reliable, it will need to be tested and documented. Ensure that your backup schedule, tools to be used, and restorative measures are written down. Note who was responsible for each backup that is conducted, and what tools were used in each backup process. You should also make hard copies of this documentation so that an alternate form can be accessed if electricity or email isn’t available.
Next, you should be sure to test your backup process and protocols by doing a dry run. For example, if you want to be sure that information is being recovered, pick a day and try to do a full restore. Follow the instructions for everything you have documented and see if it works. If the restore attempt fails for any reason, be sure to go back and refine your process and correct the documentation for further testing.
Finally, when documenting and creating your safe storage policies, remember the 3-2-1 rule. Keep three copies of the media, keep your backup data on two forms of storage, and store one copy offsite so that a single disaster cannot destroy all versions of your valuable data.
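The RPO guidance in lesson 2 and the 3-2-1 rule above can be checked together against a backup inventory. The following is an added example, not part of the original article: it simulates the loss of each site in turn and reports how much data would be lost. The inventory, site names and the 24-hour RPO are constructed, and it assumes that the production copy counts as one of the three copies and that a "site" means a whole complex rather than a single building.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Copy:
    dataset: str
    site: str        # failure domain: a whole complex, not a single building
    media: str       # form of storage, e.g. "disk", "tape", "object"
    taken: datetime  # when this copy was last refreshed

def audit(copies, now, rpo):
    """Return {dataset: [findings]} against the 3-2-1 rule and the RPO."""
    report = {}
    for ds in sorted({c.dataset for c in copies}):
        mine = [c for c in copies if c.dataset == ds]
        findings = []
        if len(mine) < 3:
            findings.append(f"only {len(mine)} copies, need 3")
        if len({c.media for c in mine}) < 2:
            findings.append("all copies on one form of storage")
        # Lose each site in turn: the data lost is the age of the newest
        # copy that survives elsewhere.
        for lost in sorted({c.site for c in mine}):
            survivors = [c.taken for c in mine if c.site != lost]
            if not survivors:
                findings.append(f"no offsite copy: losing {lost} destroys every copy")
            elif now - max(survivors) > rpo:
                findings.append(f"losing {lost} loses {now - max(survivors)} of data, RPO is {rpo}")
        report[ds] = findings
    return report

# Constructed sample inventory (all names and times are made up).
NOW = datetime(2021, 3, 10, 12, 0)
RPO = timedelta(hours=24)
h = lambda n: NOW - timedelta(hours=n)
INVENTORY = [
    Copy("crm-db", "campus-a", "disk", NOW),       # production
    Copy("crm-db", "campus-a", "disk", h(6)),      # other building, same complex
    Copy("crm-db", "campus-a", "tape", h(6)),
    Copy("file-share", "campus-a", "disk", NOW),
    Copy("file-share", "campus-a", "tape", h(12)),
    Copy("file-share", "region-b", "object", h(168)),  # weekly offsite copy
    Copy("payroll", "campus-a", "disk", NOW),
    Copy("payroll", "campus-a", "tape", h(4)),
    Copy("payroll", "region-b", "object", h(4)),
]

if __name__ == "__main__":
    for dataset, findings in audit(INVENTORY, NOW, RPO).items():
        print(dataset, "->", findings or "ok")
```

In this sample, `crm-db` has three copies on two forms of storage yet fails because all of them sit in one complex, and `file-share` has an offsite copy that is too old to meet the RPO.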