It’s more important than ever for companies to have a sound data protection strategy. A failed data recovery can lead to lost clients, lost revenue, and falling out of compliance.
That’s why we recently partnered with Probax to host a webinar on this topic. Kevin Allan, Probax’s founder and CTO, walked us through the process of building a data protection strategy, which we’ve summarized below.
The 5 Steps of Building a Data Protection Strategy
Kevin began by outlining the five main steps in building a data protection strategy:
- Identify the data
- Classify the data
- Protect the data
- Monitor the data
- Test restores
He noted that this process is ongoing and the steps should be continually reassessed.
Breaking Down the Process
The five steps above are a bit broad, so Kevin got into some specifics. He framed building a data protection strategy as asking the following series of questions:
Where does the data live?
One of the most common mistakes that businesses make is simply not knowing where all of the company’s data lives. Servers and local machines are one source, but these days, a huge amount of data — especially sensitive and critical information — is stored on the public cloud.
When using cloud vendors, remember that while they may have uptime SLAs and security protections in place, it is ultimately the business’s responsibility to protect company and customer data. Kevin added that it’s crucial that companies don’t store all of their data “eggs” in one basket: store backups in different places or with different vendors.
Where should I protect the data?
The safest implementation involves some combination of local and cloud backup, taking into consideration each option’s pros and cons.
- Local – The biggest benefit is faster restore times, but the human factor required to implement this method introduces additional risk.
- Cloud – Geographic separation can protect you in the event of a natural disaster, but data sovereignty laws may require you to store data in specific countries or jurisdictions.
Should I encrypt the data?
The short answer is yes, always. Kevin also mentioned more specific recommendations:
- Local backup – Don’t leave the data all in one place, and use secure passwords or keys.
- Cloud backup – Data should be encrypted before it leaves the network, and make sure you understand your vendor’s security settings.
How do I safeguard the data?
Kevin recommended that businesses follow the “3-2-1-0” rule:
- Create 3 copies of data and applications
- Store data on 2 different types of media
- Store 1 copy in the cloud
- Verify that you have 0 errors
In addition, partner with a reputable company that you can trust to be around for a long time. Many laws require data to be stored for at least 7-10 years.
How can I tell if I’m protected? (And how do I stay protected?)
According to Kevin, just knowing where your data is and having a simple view of it is half the battle. Next, be vigilant with monitoring and use some level of automation to streamline the process.
What about compliance?
There are a growing number of data privacy and security regulations on the books. To stay compliant and ensure that data is safe from insider attacks, archive it to low-cost, air-gapped long-term storage.
How do I perform test restores?
Test every quarter by either restoring the data or turning on the environment. Ensure restore times are acceptable for your business based on your ideal restore time objective (RTO) and restore point objective (RPO).
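The “3-2-1-0” rule and the quarterly test restore described above can be checked automatically against a backup inventory. The following is an added example, not code from the webinar or from Probax; the `BackupCopy` fields, the `audit` function, the 92-day definition of a quarter, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class BackupCopy:                       # hypothetical inventory record
    name: str
    media: str                          # "disk", "tape", "object-storage", ...
    in_cloud: bool
    verify_errors: int                  # errors from the last verification job
    last_restore_test: Optional[date] = None
    restore_minutes: Optional[float] = None   # measured duration of that test

def audit(copies, rto_minutes, today, max_test_age_days=92):
    """Return findings; an empty list means the inventory passes every check."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies exist")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2: all copies share one media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c.in_cloud for c in copies):
        findings.append("1: no copy is stored in the cloud")
    for c in copies:
        if c.verify_errors:
            findings.append(f"0: {c.name} has {c.verify_errors} verification errors")
    # Test restores: only tests run within the last quarter count (assumed 92 days).
    recent = [c for c in copies if c.last_restore_test
              and (today - c.last_restore_test).days <= max_test_age_days]
    if not recent:
        findings.append("restore: no test restore in the last quarter")
    for c in recent:
        if c.restore_minutes is None or c.restore_minutes > rto_minutes:
            findings.append(f"restore: {c.name} took {c.restore_minutes} min, RTO is {rto_minutes}")
    return findings

# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 30)
INVENTORY = [
    BackupCopy("production", "disk", False, 0),
    BackupCopy("local-nas", "disk", False, 2, date(2024, 1, 10), 20),   # stale test
    BackupCopy("offsite-disk", "disk", False, 0, date(2024, 6, 1), 95), # too slow
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, rto_minutes=60, today=TODAY):
        print(finding)
```

Run on the sample inventory with a 60-minute RTO, the audit reports a single media type, no cloud copy, verification errors on one copy, and a recent test restore that exceeded the RTO.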
How do I get back to business immediately?
This will depend on how much downtime your business can afford. Thinking back to the second step of classifying data, consider the importance of your data and how the business would be affected if it weren’t accessible. Businesses that can afford less than 15 minutes without their data should consider working with a disaster recovery as a service (DRaaS) provider.
What’s my overall risk?
Kevin ended the webinar by noting that data protection is more than just backup and disaster recovery. The best way to manage risk is with vigilant monitoring, management, and automation with the help of outsourced support.