Why do I need Offsite Backups? Key Reasons Explained

Secure Packet

Are you wondering how offsite backups work and why you even need them in the first place?  

You are not alone: a lot of small and medium business owners are in the same position. The number of clients that come to Secure Packet with an incomplete disaster recovery plan that also lacks proper offsite backups would surprise you.

Thanks to advancements in backup software, cloud hosting, and remote storage offerings, setting up complete offsite backups has never been easier. This article will go into the basics of offsite backups, some common SMB examples of remote storage, and how to implement them with different backup software offerings.

First, we should cover the main question from business owners: why do I need offsite backups? A good post to get up to speed, or for a refresher, is the 3-2-1 Backup Rule post by Secure Packet. The owner might be aware that they are already paying for a type of RAID on their drive arrays, a local backup system, and possibly backup software. What most non-technical business owners don’t think about is what happens if a disaster onsite takes out your live data and possibly your local backup servers. All the data that is local to your servers is now gone. The type of disaster determines whether you have a chance to recover any of the data through a forensic recovery attempt. If you are unsure what your risk factors are or where to get started, you can work with an IT consultant like Secure Packet. If this blog post helps you start to understand what you need, but you still have more questions than answers, we are here to help!

Secure Packet engineers report having seen everything from floods, fire, malicious employees, and malware to other causes of total data loss. Locking crypto-malware has been on the rise over the past 7 years or so and has hit even some of the most technical companies out there.

Computer with Windows 11 malware warning

Examples of the rise of malware attacks

  1. Malicious emails are up 600% due to COVID-19. (ABC News, 2021)
  2. In 2021, the largest ransomware payout was made by an insurance company at $40 million, setting a world record. (Business Insider, 2021)
  3. About 1 in 6,000 emails contain suspicious URLs, including ransomware. (Fortinet, 2020)
  4. The average downtime a company experiences after a ransomware attack is 21 days. (Coveware, 2021)
  5. 42% of companies with cyber insurance policies in place indicated that insurance only covered a small part of damages resulting from a ransomware attack. (Cybereason, 2021)

So how do you protect yourself from a localized disaster that results in a total loss of data? This is where offsite backups come into play in your disaster recovery plan. Offsite backups should be at least 100 miles away, and preferably in another region of the country, to limit exposure to natural disasters like hurricanes. In the United States, selecting a different region is easy due to the size of the nation. For example, if your primary location is in the southeast region, then selecting a central or west coast region for your offsite backup location would be ideal and would minimize the chances of both data sites being affected by a single natural disaster.

User backup diagram showing different routes for backups

A common question we receive is whether the client can use a remote office they have for offsite backups. The answer depends on what the remote office’s connectivity, data center or rack, power infrastructure, and cooling look like. If you only have a 100 Mbps connection for the remote office because there is only a handful of employees, then restoring an 8 TB server will take over a week, and that is assuming you have full use of the 100 Mbps connection. It is much worse on a business cable connection, which usually limits upload speeds to 20 Mbps or so on a 100 Mbps download plan.

Where you place your backup servers in the remote office is also key to compliance with regulations like HIPAA. If you do not secure your hardware, you will fail the physical security portion of HIPAA compliance. Another key factor for your backup hardware is cooling. Most office buildings only provide AC from 7 AM to 7 PM, so there will be another 12 hours of no cooling to your hardware, which can result in it overheating and shutting down. Server hardware puts out more heat than normal small office firewalls, routers, and switches due to the higher power usage of CPUs, RAM, and disk arrays.

Another decision that needs to be made is how to handle remote users who work on a laptop or desktop and are not in an office that is directly connected to your production network. The most common route businesses take is a VPN connection to the production environment, so the device backs up to what are considered the local backup servers. From there, most companies will also back up that entire backup server to the offsite location, since this is unique data that your end-users do not want to lose.

There are now hundreds of providers offering remote storage; however, when selecting one you need to take several factors into account. The first is compatibility. Take Veeam, for instance: you can spin up a cloud server in a different region and configure Veeam to use it as storage. This would be overkill for most basic offsite backup needs, as there would be ongoing operating system maintenance, network configuration, usually a firewall with its own licensing and maintenance, and more. Veeam can instead use Veeam Cloud Connect, which is provided by Cloud Connect Service Providers. The service provider takes care of all the storage, connectivity on their end, security, etc. This frees up an immense amount of time and know-how on your IT team. You pay for the storage you need and usually nothing else. Most Cloud Connect providers roll everything up into a single price so you do not have any surprises at the end of the month.

There are also alternatives like S3 storage in AWS, and dozens of highly rated providers offer S3-compatible storage as a plug-and-play alternative to AWS and its higher prices. The concern with these open storage options from cloud providers is that you need to understand and implement the correct security protocols and settings. There have been countless misconfigured S3 buckets that were the cause of a data breach. Security Boulevard covers some examples here. Any misconfigured object storage that is open to the world can easily be subject to a data breach, and if you are backing up your entire cluster of production servers, that means a hacker can pull down all of your data (hopefully encrypted) and then try to break into it with their local hardware.
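As an added example (not part of the original post, and not Secure Packet's or AWS's tooling), here is an offline check for the kind of S3 misconfiguration described above, run against a constructed bucket policy and Public Access Block settings. The bucket name, account ID, and role are placeholders, and the three checks shown are a starting point rather than a complete audit.

```python
import json

# Constructed sample: policy and Public Access Block settings for a backup bucket.
# Bucket name, account ID and role are placeholders.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BackupWriter", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-offsite-backups/*"},
    {"Sid": "OpenRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-offsite-backups/*"}
  ]
}""")
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_bucket(policy, pab):
    """Return a list of findings; an empty list means none of these checks fired."""
    findings = [f"public-access-block: {flag} is disabled"
                for flag in PAB_FLAGS if not pab.get(flag, False)]
    statements = _as_list(policy.get("Statement", []))
    for st in statements:
        # Unconditional Allow to everyone; conditioned ones need manual review.
        if (st.get("Effect") == "Allow" and not st.get("Condition")
                and is_public_principal(st.get("Principal"))):
            findings.append(f"policy: {st.get('Sid', '?')} allows "
                            f"{_as_list(st.get('Action'))} to everyone")
    # A Deny on aws:SecureTransport=false is the usual way to force TLS.
    tls_only = any(
        st.get("Effect") == "Deny" and str(
            st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        ).lower() == "false" for st in statements)
    if not tls_only:
        findings.append("policy: plain-HTTP access is not denied")
    return findings
```

Calling `audit_bucket(SAMPLE_POLICY, SAMPLE_PAB)` on the constructed sample reports the two disabled Public Access Block flags, the `OpenRead` statement, and the missing TLS-only rule.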

As for backup software, there are a lot of options nowadays. The right choice depends heavily on what you are looking to back up. Backing up a server is different from backing up a database or an application like WordPress or QuickBooks. One thing is for sure: Dropbox, Microsoft OneDrive, Google Drive, Box, and other cloud storage providers are not backups. Veeam, Datto, and Zerto are just a few that have wide compatibility for servers, databases, and even SaaS offerings like Microsoft M365.

Here at Secure Packet, we evaluate what the workloads for the company look like, what retention period is required, compliance requirements, recovery point objectives, recovery time objectives, and overall budgets. All of these are key factors in determining what backup systems and software will work for you and your company’s needs.

If you need any help with determining what backup solution is right for your company and how to ensure you are meeting all regulatory and compliance needs, reach out to Secure Packet today at [email protected] and we will craft the perfect solution for you.  


Looking for some help and guidance on what the next step is for your disaster recovery plan? Secure Packet engineers are standing by to help. Schedule a free call today to ensure you are covered. We provide Backup and DR solutions, as well as consulting-only offerings, so that you have someone reviewing your vendors to confirm they can meet your business’s needs.