Data Backup vs IT Continuity

Summary

Data backups and IT continuity are often looked at as the same thing. There are differences that can have consequences for a business. Here's a look at the difference between a basic data backup and IT continuity.

Basic Data Backup Defined

Data backup means having a copy of a specific set of data from a specific point in time. It does not include things like application(s) that use the data. It also doesn't cover the computer operating system. Testing and verifying the backed-up data is a separate consideration.

As an example, if your QuickBooks data is corrupted, you can potentially restore it from the last backup file. This assumes the backup is not also corrupted. But what if something happens to the computer like a ransomware infection? The QuickBooks backup itself isn't useful until you recover the computer.

An image-based backup is a next step up. This is an image of the entire computer. This includes software, data, and the operating system. If any data files are located on another machine like a network server, those must also be backed up to have a chance at a full recovery.

Data Backup and Continuity

Offsite solutions are part of IT Continuity

How does backing up differ from IT continuity?

For starters, IT continuity involves a plan. IT continuity is typically a part of a larger Business Continuity Plan (BCP).

IT continuity involves mapping out key systems, workflows, and data locations. That is an important distinction between business continuity and IT continuity. Business continuity goes beyond the scope of the IT systems. It takes into account things like people, facilities, etc., and the contingencies needed to replace them.

For example, if a facility were destroyed, IT continuity would address what is needed from a systems perspective. The business continuity plan would cover things like temporary facilities, insurance claims, and people.

Time is a factor

Another important aspect of IT continuity involves time. These considerations impact costs. It's important to spend time reviewing what your business requires based on the following:

RTO (Recovery Time Objective)

If a system goes down, how quickly do you need to recover? The shorter the recovery time, the larger the investment needed in the solution.

A good way to measure the ROI is to know what the hourly run rate is for your organization. For example, if an hour of downtime costs the company $100K, how many hours of productivity can you sacrifice? What is an acceptable investment to protect against that downtime?

RPO (Recovery Point Objective)

How far back in time do we need to be able to go in order to recover lost/corrupted data?

This is another important consideration that affects the cost of the solution. As the number of recovery points increases, so do the space requirements to store that information.

One thing to consider is the frequency of critical data changes. Let's say you have an important spreadsheet, but it's only updated quarterly. The data becomes corrupted, but the corruption isn't discovered for 6 months. Is that data worth protecting for a year? Two years? You would want to weigh the cost and ability to recreate the data from scratch in your needs analysis.
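
The late-discovery case above can be checked against a backup schedule before it happens. The following is an added example, not part of the original article: the rotation shapes, the dates, and the function names `gfs_points` and `assess` are constructed for illustration, and a "month" is approximated as 30 days.

```python
from datetime import date, timedelta

def gfs_points(today, dailies, weeklies, monthlies):
    """Recovery-point dates kept by a daily/weekly/monthly rotation.
    A 'month' is approximated as 30 days to keep the arithmetic visible."""
    offsets = set(range(dailies))
    offsets |= {7 * w for w in range(weeklies)}
    offsets |= {30 * m for m in range(monthlies)}
    return sorted(today - timedelta(days=o) for o in offsets)

def assess(points, corrupted_on):
    """Can we restore a copy taken before the corruption happened?"""
    # Assumption: a backup taken on the day of corruption is not trusted.
    clean = [p for p in points if p < corrupted_on]
    newest_clean = max(clean) if clean else None
    return {
        "points_stored": len(points),
        "recoverable": newest_clean is not None,
        "restore_from": newest_clean,
        # Changes made in this window are lost after the restore.
        "gap_days": (corrupted_on - newest_clean).days if newest_clean else None,
    }

# Constructed scenario: corruption happened 180 days (about 6 months) ago
TODAY = date(2024, 7, 1)
CORRUPTED_ON = TODAY - timedelta(days=180)

DAILY_ONLY = gfs_points(TODAY, dailies=30, weeklies=0, monthlies=0)
TIERED = gfs_points(TODAY, dailies=7, weeklies=4, monthlies=12)

if __name__ == "__main__":
    for name, pts in (("30 dailies", DAILY_ONLY), ("7d/4w/12m", TIERED)):
        print(name, assess(pts, CORRUPTED_ON))
```

In this scenario the tiered rotation stores fewer recovery points than 30 dailies, yet it is the only one of the two that still holds a copy from before the corruption.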

Data Retention

This is a little different from RPO, as it relates to how long we are required (organizationally or by compliance/law) to keep historical data.

If you are in an industry that has regulatory or compliance requirements, you may be required by law to keep certain data for a period of time. Here is an example covering PHI (Protected Health Information) that would need to be considered as part of any continuity plan:

"A document itself is subject to HIPAA retention laws, which means it must be retained for six years. However, if the document is part of the patient's medical record, it is subject to the state's medical record retention requirements, which could be longer. Furthermore, if the covered entity operates in a state in which the Statute of Limitations for private rights of action exceeds six years, it will be necessary to retain the document until the Statute of Limitations has expired."

Fill the gaps

IT continuity will also take into account a plan for both onsite and offsite recovery. This can include an "air-gapped" strategy. This means at least one recovery system is disconnected from the live environment. This strategy prevents an attacker or natural disaster from destroying the continuity of critical systems.  It can allow for recovery from something like a ransomware attack.

Please note, air-gapped systems require manual processes. Depending on your RTO/RPO requirements, this can get expensive. There is also potential for data loss depending on how frequently an air-gapped system is updated. Typically, the air-gapped portion of a continuity plan is considered the last line of defense in a layered strategy.

Conclusion

We hope this has been a helpful review of the major differences between simple data backup and full-blown IT continuity. These are the discussions with your IT department or IT provider that should be driving your decisions. Our goal is to provide education in an unbiased manner to help you make the best decisions for your organization.