Recovery point objectives 101: Planning for cyberattacks

Congressional hearings regarding the UnitedHealth cyberattack that occurred earlier this year revealed that the massive security incident could cost the company a total of $1.6 billion. During testimony, UnitedHealth CEO revealed that hackers infiltrated its systems through a remote portal that wasn’t protected by multifactor authentication and other safeguards the company had in place that were designed to prevent and detect also failed. Unfortunately, there are many companies that find themselves victims of cybercrimes like this every year.    

While a lot of the conversation is focused on breach prevention, this should be only one part of a company’s overarching data protection strategy. One often overlooked area that is just as important as detection and prevention capabilities is the ability to recover data at scale across your organization when bad things happen. Breaches and ransomware attacks happen, and unfortunately, tools and processes designed to detect and prevent do not catch everything. Which is why having strong recovery capabilities and a disaster recovery plan are so important for defense-in-depth. Here’s a look at recovery point objectives, or RPOs. Measured in seconds, minutes, hours or days, RPOs help a company define the maximum amount of data loss that can occur in the event of a cyberattack.

When RPOs are set prior to a data-loss emergency, normal business operations can resume far more quickly than if a company hasn’t set RPOs. With RPOs, organizations set the parameters for data loss risk that are aligned with their risk tolerance. For instance, if an organization can’t afford to lose more than an hour’s worth of work, set the RPO to an hour or less. That means a cloud backup solution should back up files every hour at a minimum. 

Determining RPO intervals

RPOs and data recovery capabilities are foundational to a solid disaster recovery plan and support a strong data resilience posture. The first step is determining RPO thresholds — starting with critical functions of the business where sensitive data needs additional protection and then rolling up to the organization as a whole.   

Here’s a primer on how to determine RPOs:

  • If operations are critical and losing data isn’t an option, set the RPO to every 15 minutes. 
  • If operations are semi-critical and can withstand losing up to four hours of data without seriously impacting business, set the RPO between 15 minutes and four hours.
  • For departments managing important, but non-critical data and can tolerate losing a full day’s data without negative business implications, set the RPO between four and 12 hours.
  • For departments that manage semi-important data the RPO can be set between 13 and 24 hours.

RPO best practices

It’s best practice to avoid setting an RPO for longer than 24 hours. But there are other considerations that factor into defining an RPO. Think about the operational needs of the business and risk tolerance and select systems that take those needs into account. Rather than focusing on how quickly data can be recovered, consider how quickly it needs to be recovered.

And don’t forget about recovery time objectives (RTO). For instance, if you need to recover a week’s worth of data, an RPO of once an hour and ultra-fast backup solutions are likely overkill. However, if data needs to be recovered very quickly, choose fast backup and recovery solutions that can restore the data at lightning speed.

What and where to backup

Backup and recovery solutions deliver an automated solution for creating, managing and restoring data. They enhance data resilience by protecting many file types, but the most common are documents, videos, databases, photos and music. Additionally, they safeguard data housed in a variety of storage locations including servers, the clou and endpoints.

Features of strong backup solutions

There are a wide variety of backup technology is available including full backup software, incremental backup software and differential backup software. The features to look for in a strong backup solution are: 

  • Automated backups on a set schedule that don’t require manual actions.
  • Easy to recover data at scale if a cyberattack or other disaster strikes.
  • Cloud-based technology that offers multiple backup locations with control over geographical locations — cloud based and off-site.
  • Platforms that are configurable to meet the varying organizational needs.
  • Software that meets the security and compliance needs of the organization.

No let up in sight

Malicious actors and cyberattacks continue to proliferate going forward. According to the SANS Institute, ransomware attacks increased by almost 73% from 2023.

If a healthcare giant like UnitedHealth is vulnerable, so are many organizations across a wide range of industries. Having RPOs and a strong backup solution can mean the difference between having to pay a ransom to retrieve valuable company data and stripping bad actors of their leverage.

https://www.securitymagazine.com/articles/100754-recovery-point-objectives-101-planning-for-cyberattacks