When most business owners consider a business continuity and disaster recovery plan, they immediately think of cloud backup services. Backup and recovery are vital to ensuring your company can recover from an event such as a ransomware attack, hard drive crash, or other data loss incident.
However, how a company backs up its data and how fast it can recover isn’t always factored into the plan. Then when a disaster strikes, companies that thought they were covered with a good strategy are often left at the mercy of attackers.
One recent example of this is the 2021 ransomware attack on Colonial Pipeline, which caused gas prices across the country to increase. The company had a backup of its data but decided to pay the ransom that attackers demanded to decrypt its files anyway.
When asked about the attack in a congressional session, the CEO explained that the company needed to restore operations and the petroleum supply to customers as soon as possible. The company did not have a good grasp of how long it would take to recover all of its data from its backup system and didn’t want to take any chances.
This is a key reason that you need RPO and RTO in your disaster recovery plan.
What Are RTO & RPO?
RPO stands for recovery point objective and RTO stands for recovery time objective.
Both are vital to ensuring your company can recover all files as completely as possible if needed and that you can do it quickly to mitigate downtime. We’ll explore each in more detail below.
How Much Data Can We Afford to Lose? (= your RPO)
A recovery point objective can be expressed in hours or days. It’s the point in time to which your last backup can restore your data. For example, if you have a 24-hour RPO, then you back up once per day.
This means that if you were to be hit with a ransomware attack right before your next backup, you could lose as much as a day’s worth of data that was saved or generated and added to hard drives and/or your file storage systems.
Your RPO is going to help you determine how often you need to back up as well as how long to keep backups. If you discover a ransomware infection on Monday morning that happened after everyone logged off for the weekend on Friday, you’re going to want to restore before that event, not from the last day’s backup.
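The Friday-to-Monday scenario above, worked through as an added example (not from the original article): given a list of backup times, it picks the newest backup taken before the infection, measures the lost data against the RPO, and shows what happens when backups are kept for less time than the infection went unnoticed. The function name, the dates, the infection time and the 3-day retention value are constructed for illustration.

```python
from datetime import datetime, timedelta

def assess_recovery(backups, compromised_at, discovered_at, rpo, retention):
    """Pick the newest retained backup taken before the compromise and
    measure how much data would be lost by restoring from it."""
    # Backups older than the retention window have already been deleted.
    oldest_kept = discovered_at - retention
    retained = sorted(b for b in backups if b >= oldest_kept)
    # Anything taken at or after the compromise may contain encrypted files.
    clean = [b for b in retained if b < compromised_at]
    suspect = [b for b in retained if b >= compromised_at]
    if not clean:
        return {"restore_point": None, "data_loss": None,
                "rpo_met": False, "suspect_backups": len(suspect)}
    restore_point = clean[-1]
    data_loss = compromised_at - restore_point
    return {"restore_point": restore_point, "data_loss": data_loss,
            "rpo_met": data_loss <= rpo, "suspect_backups": len(suspect)}

# Constructed sample: nightly 23:00 backups, Mon 4 Mar to Sun 10 Mar 2024.
BACKUPS = [datetime(2024, 3, day, 23, 0) for day in range(4, 11)]
COMPROMISED = datetime(2024, 3, 8, 19, 30)  # Friday evening (assumed known)
DISCOVERED = datetime(2024, 3, 11, 8, 0)    # Monday morning
RPO = timedelta(hours=24)

if __name__ == "__main__":
    for days in (90, 3):  # 3-month retention vs. a too-short 3-day one
        result = assess_recovery(BACKUPS, COMPROMISED, DISCOVERED,
                                 RPO, timedelta(days=days))
        print(f"retention={days}d -> {result}")
```

With 90 days of retention the restore point is Thursday night's backup and the loss is 20.5 hours, inside the 24-hour RPO. With 3 days of retention every surviving backup was taken after the infection, so there is no clean restore point at all.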
Cost and the performance of your systems during backups will determine your RPO. If you have a 1-hour RPO, that means all systems with data in your business need to back up every hour. If you have an efficient backup system, then that should not cause any disruption for users.
It will, however, require more data storage than backing up every 12 hours would, if you are also keeping backups for at least 3 months.
It’s a good idea to speak with your IT backup provider to determine the “sweet spot” for your recovery point objective that will ensure less disruption from fewer potentially lost files as well as cost-efficiency.
How Fast Can We Restore Operations? (= your RTO)
Recovery time objective is your realistic and tested estimate of how fast your business could recover from a crisis incident that negatively impacts your operations.
Without knowing your backup restoration timing, you’re left like Colonial Pipeline was, unsure how long data recovery would take. This is why it opted to pay the ransom instead.
When determining your RTO, you don’t want to just say “1 hour is our goal,” because that’s typically not realistic in something like a ransomware attack. You have to consider your realistic timing and then put systems in place to make that RTO as short as possible.
The average cost of downtime is $5,600 per minute.
Factors that go into estimating and determining a realistic RTO include:
- Whether you have an existing IT service provider (it takes longer to find someone and get help if you don’t)
- How fast your backup system can recover data (this needs to be tested at least once or twice per year in drills)
- Whether or not your team knows what to do in the event of ransomware or another crisis (teams that are trained and drilled regularly are faster at recovery)
- How familiar your team or IT provider is with your backup and restore system (if you already work with a provider that knows your IT, this is a faster process)
Get Help Developing a Reliable Backup & Recovery Plan
Does your Treasure Valley area business do regular testing of your recovery timing? Do you include RTO & RPO in your business continuity plan? If not, Connect2Geek can help you with a solid and reliable solution.
Schedule your free consultation to learn more today! Call 208-468-4323 or reach out online.