Your backups are worthless

Last week, we discussed that business owners do a good job of protecting their business assets – except for work-in-process and data. While I could one-off any number of work-in-process situations, doing that in a vacuum isn’t particularly effective. I can, however, cover some common steps for making backups of your data that anyone can work from.

Backups don’t matter if…

Backups don’t matter if you can’t restore from them. That’s what makes them worthless. I once encountered a financial services client whose backup tape had not been written to for over five months. Meaning: They couldn’t have recovered any of the contracts, loan documents and other paperwork that had been processed for at least five months. Even worse, the tape was bad, so even the five-month-old backups were unusable. Their financial / account data was housed off-site, so it was not at risk. Even so, having no backups of those files could have put them at serious risk if a hardware failure occurred.

The take home: It’s important to check your backups to make sure they succeeded and to attempt a practice recovery on those files on a regular basis. If you can’t restore a backup, the time taken to make the backup is wasted and your business data is unprotected.

Don’t forget your website

While the next portion of this pertains specifically to WordPress, the steps and justification for the steps I’m about to recommend also apply to other web-based content systems – such as Drupal, Wix, Joomla, etc. These systems are popular because they allow you to build and maintain a nice site without an expensive custom programming job. According to research done by non-WordPress researchers, WordPress is used on 27% of web sites.

In February 2017, a WordPress bug related to their new REST API was fixed and rolled out. While WordPress fixed the bug quickly, they waited only a week after the bug fix was available before publicly revealing the details of the most severe part of the bug. Legit or otherwise, any delay in updating left a WordPress site open to this hack. Within hours of those details being revealed, the volume of hack attempts using this bug escalated into the millions over a few days. From Feb 6th through Feb 10th, over a million WordPress sites were defaced. Fortunately, the defacing was easy to reverse.

While the flaw was on WordPress, it’s a painful reminder to keep your WordPress-based site updated. You can tell WordPress to auto-update itself, as well as themes and plugins. Despite the availability of auto-update functionality, only 37% of the many millions of WordPress sites are up to date, according to data published by WordPress.org.

In addition, replace or remove plugins that aren’t updated and tested regularly. Many once-popular plugins are no longer maintained. They may continue to work, but any security vulnerabilities in the plugin(s) won’t get fixed. Any security problems will be there until you stop using the plugin. Bottom line – Not worth the risk.

Finally, protect yourself against the cretins who do this kind of stuff. I recommend a combination of the free Sucuri security plugin and the paid Wordfence plugin. The latter tool provides a flexible set of tools to block people from your site – including the ability to block users by country. If your business has no need to interact with folks from countries known to harbor hackers, then you can prevent most access by people in that country. “Most” because IP-based geolocation technology is dependable, but not 100% perfect.

Automated and off-site

As with most things of this nature, I suggest automation. There are a number of tools you can use to automate backups for your website, whether or not the site uses a content management system like WordPress. There’s no reason to make this yet another manual task you have to do each day. As I noted above, backups are worthless if you can’t restore from them. Be sure to test your ability to restore from the backups you’re taking.

Last but not least, take a copy of the data off-location or use an online service. If your building burns, the backup media that was sitting on the computer won’t help you recover. Dealing with fire or theft is tough. Losing your business data only makes it worse.
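One way to automate the two checks recommended above (did the backup actually get written recently, and can it be restored), as an added example that is not part of the original article. The function names, the `.sha256` manifest convention and the age threshold are assumptions made for illustration; it expects GNU tar, find and sha256sum.

```shell
#!/bin/sh
# Added example (not from the article): make a backup, then prove it restores.
# ARCHIVE must be an absolute path; the manifest lives next to it as ARCHIVE.sha256.

# make_backup SOURCE_DIR ARCHIVE
# Records a checksum of every file at backup time, then writes the archive.
make_backup() {
    local source_dir="$1" archive="$2"
    ( cd "$source_dir" && find . -type f -exec sha256sum {} + ) > "$archive.sha256" || return 1
    tar -czf "$archive" -C "$source_dir" .
}

# verify_backup ARCHIVE MAX_AGE_MINUTES
# Returns 0 = current and restorable, 1 = missing or stale,
#         2 = archive unreadable, 3 = restored files fail their checksums.
verify_backup() {
    local archive="$1" max_age_minutes="$2" scratch rc=0

    # Was a backup written recently? (The tape in the article was five months old.)
    [ -f "$archive" ] || return 1
    [ -z "$(find "$archive" -mmin +"$max_age_minutes")" ] || return 1

    # Can the media be read end to end? (That same tape was also bad.)
    tar -tzf "$archive" >/dev/null 2>&1 || return 2

    # Practice restore into a scratch directory, then check every restored file
    # against the manifest taken when the backup was made.
    scratch=$(mktemp -d) || return 2
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rc=2
    elif ! ( cd "$scratch" && sha256sum -c "$archive.sha256" ) >/dev/null 2>&1; then
        rc=3
    fi
    rm -rf "$scratch"
    return "$rc"
}
```

Run `verify_backup` from a scheduled job right after each backup and alert on any non-zero return, so a stale or unreadable backup is noticed the same day rather than months later.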

Protecting traditional assets isn’t enough

Protecting traditional assets is one of the most important duties of a business owner. You’re constantly taking steps to deal with the need to protect and maintain your assets including buildings, cash flow, receivables, furniture/fixtures/equipment (FFE), etc. You have insurance, attorneys, maintenance contracts and any number of other processes, mechanisms and protections in place to sustain the value of the things you’ve invested in, and in some cases, to keep you out of trouble.

Yet despite all that effort and all that expense, I encounter at least one sizable business leaving themselves at significant risk… every single week. However, I don’t mean about FFE and other hard assets. There are at least two other assets worth protecting – and they’re as important as the ones you spend plenty of time, effort and money protecting. While you might be able to think of other assets that need protection, I’m speaking of work-in-process and data.

How do you protect work-in-process?

Every small business knows the pain of trying to get work out the door when they’re sick or an employee has to call in sick – or quits. The smallest of businesses, such as those with no staff, have to suck it up and deal with it. Sometimes this means having to tell their client(s) that they can’t deliver on the previously predicted schedule. Even when they deliver a little bit late, it plants a seed with that client that their vendor might unintentionally put them at risk by being unable to deliver at some random time in the future. If Murphy has his way, the timing won’t be ideal.

While many businesses do cross-training, the most resource-constrained ones struggle to make the time to do so. The resource-constrained small business isn’t the exception, it’s often the rule. While you might have plans in place when losing a “key employee”, that isn’t necessarily what causes the pain. It isn’t necessarily about losing your best welder, hairstylist, millwright, programmer, salesperson or finish carpenter. What gets hurt is what they’re doing when they depart, whether the departure is permanent or temporary. Do you have people sitting around who can simply step in and take over without missing a beat?

In most cases, that isn’t reasonable.

A salesperson who has been working a deal for months is tough to replace. They’ve established rapport with the decision makers. Starting over is likely to delay closing that deal. A hairstylist has the same kind of rapport and trust established with their 20 best clients. Your best welder may not be able to take over a job that someone was doing because they are backed up, or they aren’t used to working under water, or they can’t leave town to work due to their family situation. Your best programmer is unlikely to step in and immediately do their best work on code they’ve never seen on a subject matter they might know nothing about.

There isn’t a magic wand to these kinds of problems, only hard, important work. There’s documentation, cross-training and meetings (yay!). It probably seems normal to ask your best players what they’d recommend in these situations, but don’t forget to ask everyone else so nothing is missed. Who do they think can take over? Who needs to be cross-trained? What processes need to be excruciatingly documented? Talk about it and plan for it as best you can before the uncontrollable happens.

It’s time to treat data as one of your traditional assets

I see data at risk on a regular basis. The maintenance and protection of data and computing equipment is often left to the end user – who is all but certain to have no experience in such things, or will not have the tools (or time) to do the job. I regularly hear from businesses who were held hostage by ransomware, by systems with no anti-virus, or by hardware failure. Years back, I had a bank client that hadn’t backed up in over five months. How did I know? The ONE backup tape they had was dated five months earlier. It was damaged.

Can orders be filled without order data?

People ask me how often they should backup. I usually respond with “How much work can you afford to re-do?” It isn’t a flippant question. Can you afford to pay your staff to redo everything they did last week? Yesterday? The last two hours? What delay can you afford?


What happens if I refuse?


Yesterday, we talked about backups.

Did you do anything about it?

If you didn’t, think about this: What would happen to your business if the hard drive containing your customer list, orders, accounting and communications with customers and vendors failed? What would it cost if you lost that data?

I asked startup CEO Doug Odegaard from Missoula for a quick angle on the cost of not keeping good backups. He said “Add up how much people owe you and how much it cost to build your business and that is how much it is worth.”

Pratik, a tech business owner from New Jersey who also owns a restaurant, added this: “and don’t forget the good will and revenue loss until operations can resume again”, then reminded me of his experience with a fire:

Mark, if you recall when we had the fire caused by lightning at the pizzeria, I had the entire customer base with purchasing and sales history synced to my home. Insurance company had the first check cut in 10 days of the claim. This practice is so important. We had our standing corporate catering resume in one week from an alternate commercial kitchen which kept revenue coming in as well as routed our VOIP phone service to my mobile for those customers that tried calling. Made recovery a bit easier.

What’s it worth?

That metric Doug offered merits consideration. If you can’t wrap your head around the cost of starting over, doing inventory from scratch, calling all of your customers (assuming you have their contact information somewhere) and asking them to tell you what they ordered, how much people owe you and so on, then ask yourself this:

How would you like to go back to the day you started your business and start over?

Ask your insurance agent how many businesses survive a fire or flood if they don’t have these things taken care of.

MobileMe becomes ImmobileMe

Call me old fashioned, but when someone says they’re gonna host all of my email somewhere else and I’m just supposed to trust them and not keep a copy here where I can protect it, I think I’ll pass.

Doesn’t matter to me if it’s Google, Apple’s MobileMe, Amazon S3 or whoever. All of them have had email downtimes or lost data.

As have I. At least if I lose it under those circumstances, it’s my fault and I have control over the backup processes.

Are you trusting your critical business email to (immobile) MobileMe?

Think hard about what happens to your business if you lose access to MobileMe, Gmail or Amazon S3 data for an hour.

Or…

  • A day.
  • A week.
  • A month.
  • Permanently (as occurred last week for some MobileMe users).

Does your stomach hurt yet? It should.

And if you’re using MobileMe or any of these services without a local backup of your critical business data, it’s no one’s fault but your own when you have to shut the doors.

Outlook (or your email program of choice) may be annoying as crud compared to that cool web interface, but I control how many backups I have and where they are, and I can get to them ASAP without having to drive to Cupertino (or wherever) to beg for a restore disk cuz I once golfed with Kevin Bacon and he knows someone who is only 7 levels of separation from Steve Jobs.

Heck, I could probably find Kevin on LinkedIn 🙂

Seriously though, where is your critical path data?

Think about what happens to your data, and thus, your business, if the internet goes down for a few days – or at least, your access to the net.

Think about what happens to your data, and thus, your business, if you can’t access invoices, contact info, and so on.

Think about covering your backside a little better.

And make sure you have a few candles in the closet.