An essential guide to the top Cyber Scams of 2016 and why having a Backup and Disaster Recovery strategy that works is vital to your business. Learn the top questions you need to ask your IT team or provider about your current BUDR setup with this easy-to-follow presentation from AAG Systems.
2. Content
• Cyber attacks and why it’s relevant to Backup & Disaster Recovery
• What is Backup and how does it differ to Disaster Recovery?
• Why should you Backup?
• How to Backup
• Case studies: how not to do Backup
• Why is Disaster Recovery important?
• What are the risks of not having Disaster Recovery?
• It’s not my fault but it’s my responsibility…
• How to make BUDR cost-effective
3. Cyber attacks
Key facts about cyber attacks against UK businesses in 2015:
• 6.2 million cyber attacks on UK businesses took place last year
• 75% of attacks are down to human error and could be avoided
• Lost data from cyber attacks will be dealt with far more severely under the EU Data
Protection Regulation
• The fines for a breach of Data protection will be up to 4% of Global Turnover/£17.5 million.
With cyber attacks against businesses on the rise year after year, educating your workforce on
how to spot and avoid scams is increasingly important. Combine this with a resilient Backup
and Disaster Recovery strategy and you are putting yourself in the best position to protect
your business. This is looked upon favourably by insurance companies when choosing your
policies.
4. Why should I Backup?
In an age when cyber attacks are rampant, Data Backup is as important as
securing your house. Recovering lost data is impossible without a well-tested
Backup strategy. Failing to back up your data, and not having a plan for how
to recover it in a crisis, is closely linked to entire businesses failing:
70% of businesses fail within one year of a major data loss (PWC IOC Report, 2015)
75% of businesses fail to successfully execute an untested Disaster
Recovery plan (PWC IOC Report, 2015).
The close proximity of these stats is no coincidence.
With the average cost to small businesses of a cyber attack sitting at
between £75k and £311k, Backup that works is worth the small investment.
5. What is Backup?
A backup, or the process of backing up, refers to the copying and archiving
of computer data so it may be used to restore the original after a data loss
event.
Backup is different to Disaster Recovery:
• Backup is simply making one or more copies of your data in case the
original is lost or damaged
• Disaster Recovery is restoring that data in the instance that the original
is lost or damaged.
6. How should I back up?
Any backup strategy starts with the concept of a data repository and a
means of organising it. In order of reliability, the types of storage media for
your backups are:
• Optical Disks
• Tapes
• USB Disk
• Disk to Disk
• Offsite Backup
• Cloud
7. How should I back up?
Unstructured
An unstructured repository may be CDs, DVDs or USB drives. This is the simplest form but has
the lowest success rate for data recovery.
Incremental
An incremental-style repository aims to make it more feasible to store backups from more points in
time by organising the data into increments of change.
Differential
Each differential backup saves the data that has changed since the last full backup.
Continuous
Instead of scheduling periodic backups, the system continuously logs changes on the host system.
8. How not to back up
A large company in Yorkshire trusted that their IT Support company was
backing up their system. Recently they fell victim to Cryptovirus and spent
two weeks trying to recover their critical data and server. The last viable
backup they had was from May, meaning they lost five months’ worth of
data.
The cost to this company in lost revenue was £30k-£40k.
A medium-sized company put their backup tapes in a fire
safe within their building. They were never tested. In a fire
scenario, the employees would be unlikely to be allowed
back into the building to rescue the tapes in order to
restore the data for quite some time until it had been
secured. How would they operate in the interim?
9. Testing your Backup & DR
When was the last time you tested your backup?
All too often, testing is the missing step.
Companies make substantial investments and spend a lot of time backing up their data only to
find the backups aren’t viable when something goes wrong.
Step 1. Test your backups regularly
Step 2. Test realistically
Step 3. Test systematically
Step 4. Test everything.
10. Disaster Recovery
Why is it important?
DR is essential if the data held by your business is at all important to its
function. This includes:
• Client details
• Financial and invoicing data
• Tenders and proposals
• Operational documents
• Confidential employee data.
How would your reputation be affected if you lost any of this? What would you
do if you couldn’t recover it? How long could your business survive without
access to your data?
This is why Disaster Recovery is a critical element so often overlooked – until
it’s too late.
11. Can I manage without DR?
Yes, you can – until something goes wrong.
Disaster Recovery (DR) is only needed if you suffer a data loss due to a cyber
attack, human error, a disenchanted employee, theft or natural disaster. The
trouble is you can’t predict these events, so you’ll need to invest in DR as a
safeguard. With 1 in 4 UK businesses having to implement a DR plan in 2015
after a data loss, our clients tell us it’s an investment worth making.
12. Director’s responsibility
Gartner Group said that in 2015 43% of companies were immediately put out of business by a “major
loss” of data.
As a Director or business owner, chances are you do not physically take care of your Backup mechanism.
In many businesses this task is given to the Accounts Department or a junior member of staff, often with
little knowledge of the importance of proper Backup.
As a Business Owner or Director not only do you have a moral obligation to your staff, you also have a
legal obligation to look after all aspects that may affect the running and viability of your business, under
your Duty of Care. Major data loss can be seen as negligent (Morrison’s data breach 2014; Seagate
2015) and lawsuits are costly and can damage reputation even if the verdict favours the employer.
Imagine if that data went missing and you could no longer access it. How would you do business? How
long – hours or days – could you survive without your data?
The data that is stored in your system is often worth millions of pounds. If this were physical cash, would
you take more steps to protect it?
13. How cost-effective is BUDR?
When looking at Backup and Disaster Recovery (BUDR) it is important that a cost versus value
analysis is carried out.
If we break it down by turnover versus cost of BUDR, based on 254 working days per year, we
can calculate the cost versus value as:
£1m annual turnover = £3,937 per day or £82,677 per month.
Average cost of BUDR = £23.80 per day or £500 per month
With an annual turnover of £1 million, this is 0.7% of the monthly turnover cost to secure your
business’ data.
14. How expensive is BUDR?
ANNUAL TURNOVER | DAILY REVENUE (254 WORKING DAYS) | MONTHLY REVENUE (21 WORKING DAYS)
£1 million | £3,937 | £82,677
£3 million | £11,811 | £248,031
£5 million | £19,685 | £413,385
£10 million | £39,370 | £826,770
The average cost of BUDR is just 0.13% of turnover for a £5 million turnover company.
When hit by a major catastrophe most companies experience 10-15 days of
lost business. With the above figures and based on £1 million annual turnover,
the loss incurred would pay for advanced cloud backup for 7.5 years.
15. Secure your business
Practical steps to improve your data security:
Cyber Scams:
• Do your staff know how to spot potential cyber scams such as fake invoices, the ‘bogus boss’ scam or
emails containing Cryptolocker?
• Would your staff know what to do if hit by a cyber scam?
Backup:
• Do you know how your company backs up its data?
• When was the last time you tested your backup?
• Do you know how long your business could survive without its data?
• Do you understand the reputational damage your business could sustain from a data loss?
Disaster Recovery:
• Identify the key systems the business cannot function without
• How long can your business function with each of the key systems offline?
• How much data can your business afford to lose (if any)?
• Should you outsource your DR?*
*according to PWC 92% of companies save money by outsourcing their DR
16. Summary
• If your business is important to you, it is worth protecting it with a Backup & Disaster Recovery strategy
that you can be confident works
• Educate your staff about the latest cyber scams and types of Ransomware attacks (ask AAG for posters
for your office)
• Test your current backup
• Review your disaster recovery plan
• Implement a Responsibilities chart
• Book an independent consultation with AAG to assist with the above.
sales@aagsystems.co.uk www.facebook.com/aagsystems 0114 399 0995
Editor's Notes
Unstructured - This is the easiest to implement, but probably the least likely to achieve a high level of recoverability as it lacks automation.
Incremental - Restoring the whole system to the date of the last incremental backup would require starting from the last full backup taken before the data loss, and then applying in turn each of the incremental backups.
Differential - It has the advantage that only a maximum of two data sets are needed to restore the data. One disadvantage, compared to the incremental backup method, is that as time from the last full backup (and thus the accumulated changes in data) increases, so does the time to perform the differential backup. Restoring an entire system would require starting from the most recent full backup and then applying just the last differential backup since the last full backup.
Continuous - This is generally done by saving byte or block-level differences rather than file-level differences. It differs from simple disk mirroring in that it enables a roll-back of the log and thus restoration of old images of data.
Tapes – relatively low cost and high storage – prone to corruption
USB Disks – cheap for high storage size, slow to recover from
Regular - Most large companies test DR plans at least once a year. Simple backups should be tested much more frequently -- at least once a quarter and whenever there is a major hardware or software change to your backup system. It's particularly important to run a test after upgrading the firmware in your backup system to make sure the new firmware works properly with the rest of your system.
Realistically - As much as possible, your test should duplicate the conditions you will face when you need to actually restore. The ideal situation would be to do a complete restoration of all your data to a second system with an identical configuration. This isn't always possible, of course, but you should test as much of the backup as you can on as much of the backup system as feasible.
Systematically - Testing should consist of more than simply poking around. For example, if you just restore a couple of files you can't be sure that your directory trees and other features are working as they are supposed to. When you test a restore, take a minute to study the directories to make sure everything that should be backed up is actually backed up. The test should include restoring entire folders, complete with subfolders, as well as one or more critical applications.
Everything - Every critical application should be tested regularly, if not on every test. Pay special attention to complex applications. Microsoft Exchange, for example, is a particular problem because of its complex database structure. (An Exchange database is actually several linked databases