Setting Recovery Time Objectives (RTO)

With ransomware and network hacks on the rise, data backup and recovery has never been more important. But how do you know what backup and recovery objectives you should set for your business? After all, the more frequently you back up, the higher your DBR and data storage costs. In this post, we’ll walk you through the basics and what things to consider when setting your recovery time objectives.

What Is a Recovery Time Objective (RTO)?

A recovery time objective (RTO) is the time it takes to recover your data in the event that access has been interrupted. Interruptions take many forms, from natural disasters to criminal attacks including ransomware. An interruption can also be the inability to access your data’s location, such as when COVID quarantine began and work locations suddenly shifted. 

Your business will have many types of data, therefore you will most likely have more than one RTO.

Start Assessing Applications

Start determining what is at risk, beginning with your applications.

  1. List every application you use to conduct business. Prioritize them.
  2. Which of those will be the most affected by a disruption to your system?
  3. Which are irreplaceable and which are replaceable from other sources?
  4. List who or what would be affected by disruptions in those applications.
  5. Estimate the cost per hour if a particular application was affected.

Whoever is providing you with IT support will need this information. They will also need to know how many different types of backups you have and how often the individual applications are backed up. 

Yes, it’s a lot to document, but it is essential to the continuity of your business and will save you time and money in the long run.

Downtime Impact

All businesses should know how much downtime they can sustain if data is compromised or inaccessible. One hour? One day? One month? What’s the longest amount of time you can be down before it is catastrophic to your business? Document this as well. How much downtime can your business sustain? What is the revenue loss during downtime?

Don’t forget downtime also affects your reputation with your customers and clients. If their data is unavailable to them when they need it,  will they drop you like a hot potato and go elsewhere for their needs? You KNOW the answer to that question so do what you can to prevent it from happening.

The Process of Data Backup and Recovery

  • Who is responsible for your data backups? An outsourced provider or someone in-house? Whoever is tasked with that responsibility needs to own it.
  • Where is that backup located? Onsite? On the cloud? At a different offsite location or locations so that if a tornado or flood hits your onsite location, your data is protected?

Recovering Your Data

Answer those questions and you will be able to start to determine your recovery time objective. Ask your in-house IT staff or your managed service provider to continue the conversation and come up with a data backup and recovery plan that works for your business.  

We’re here to help.  Contact us or book a meeting if you have questions or concerns around RTO or any IT service needs.

Dave Hatter (CISSP, CCSP, CCSLP, Security+, Network+) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.

Not Sure Where To Start Looking for an MSP?

Our Managed IT Checklist will help you choose the right IT provider.

Share this Blog