Why You Need to Include RPO & RTO in Your Backup & Recovery Plan

 In Blog

Why You Need to Include RPO & RTO in Your Backup & Recovery Plan

Any type of business disruption, large or small, is going to cost you money. Those that are the worst could take your business down for days while you’re trying to recover.

For example, a successful ransomware attack can result in a total loss of access to data and the systems that use that data (scheduling systems, accounting, CRMs, etc.). This can mean you can’t service customers for days while you’re trying to recover.

The average cost for a ransomware attack (including lost opportunity, ransoms paid, lost productivity, device costs, etc.) rose to $1.85 million in 2020. 

A backup and recovery plan is designed to protect companies from suffering those types of costs. If done right, it can mitigate downtime and ensure a company has a restorable copy of all its data. 

This takes paying the ransom out of the decision tree, and drastically reduces the overall remediation costs. But… many companies are missing two vital pieces that need to be included in their backup and recovery strategy. These are RPO and RTO.

What are RPO & RTO and Why Are They Important?

Why do large companies like Colonial Pipeline and JBS (the world’s largest beef and pork supplier) still pay a ransom to attackers even though they have a backup of their data? You would think they were covered, right?

While they may have backed up their data, what they may not have done is determine their recovery time objective (RTO) or recovery point objective (RPO)

Recovery Point Objective (RPO)

Your RPO is the time increment that decides how often you back up your data. For example, if you were hit today, how much data would you be willing to lose?

If you say “none,” then you’d need something like a 60 second RPO. But backing up all your data every minute would be expensive and would not make sense for many small and mid-sized companies.

A more reasonable RPO that would not result in needing tons of cloud backup storage space, might be a 12-hour recovery point objective.

This would mean that if you were to get hit with a data loss event right before your next backup was about to run, the most you would lose would be half a day’s worth of data.

It’s important to determine RPO upfront so you can set up your backup intervals accordingly. This helps reduce the risk of losing vital data that would be difficult, expensive, and/or impossible to recreate.

Along with RPO, you also should decide how long you want to keep your backups before they are no longer relevant to you.

Recovery Time Objective (RTO) 

The other vital component that is often missing from company business continuity and disaster recovery plans is RTO. This is how long it will take you to recover from a business-stopping incident, such as a ransomware attack.

This is another factor that needs to be realistic. It also needs to be tested regularly. For example, you could say that you want to be able to recover your data in case of ransomware and get back up and running in an hour. But is that realistic? Not usually.

You want to discuss RTO with your IT provider and ensure the tools that you choose for backup and recovery can support your RTO. Such as using a solution that takes a full image backup of devices rather than just backing up individual files.

RTO needs to be tested through disaster recovery simulations/drills at least once or twice per year. This ensures that the recovery time objective you have is one that you can actually meet in the case of a downtime incident.

Doing data recovery drills also helps train your team on the process and steps that need to be taken should operational downtime occur. A well-trained team can execute a disaster recovery plan faster than one doing it for the very first time. 

So, training improves your ability to meet your RTO as well as reduces downtime and the associated costs. 

What Other Things Should You Factor Into Your Backup & Recovery Plan?

Ensure All Data Is Being Backed Up

Don’t only backup company servers or onsite devices. Now, it’s estimated that as much as 80% of the workload in an enterprise is being done by mobile devices. Make sure these are included in your backups.

Cloud data in SaaS tools and other cloud platforms also need to be backed up in case of a cloud-based ransomware attack or provider outage.

Don’t Forget Remote Workers

Many companies are dealing with remote and hybrid teams, so you need to evolve your backup and disaster recovery plans to incorporate the data that may be spread throughout your remote workforce.

Get a Demo of AhelioTech’s Business Continuity Appliance

AhelioTech can help your Columbus area business ensure you have all your bases covered when it comes to an effective backup and disaster recovery strategy.

Contact us today to learn more. Call 614-333-0000 or reach out online.


Recent Posts
Your Company Could Be Contributing to Phishing Risk Without Knowing It6 Ways to Keep Cloud Data Safe from Ransomware