CPAs are used to thinking about and planning for audits, but how many have considered the effect of not being able to produce that data? If you lost client information due to data corruption or a disaster, what would be the result to your practice?
The automated copies made by some software programs are good on a very small scale, but are they enough if an electrical fire takes out your primary and backup storage at once? You might store client data on a spare drive attached directly to a laptop or server, but if they’re stolen, are they encrypted so the thieves get nothing? If a virus erases your data, could you recover?
Risk management is already part of your services, and you offer assurance for your clients that they are compliant with tax law even as changes come at you non-stop. You want to assure them that their data security and integrity is handled expertly as well, but when did you sign up to become a storage and disaster recovery expert? Even with today’s sea of options, many leave you only partially protected and offer a false sense of security. Here are some insights into what you should ask and consider when building a disaster recovery plan.
Many options, onsite and off
In order to protect your client data, you should consider a three-tiered approach:
1. Onsite backup.
2. Offsite backup, preferably including tape.
3. Testing, verification, and management of your backups.
Sounds simple enough, right? Let’s take a look at each.
Onsite backup should be a no-brainer. At minimum, a scheduled backup program should be running to get your server data to media such as CD, tape, DAS (Direct Attached Storage), or NAS (Network Attached Storage). DAS is any thumb drive or external hard drive that plugs into your server or laptop, and NAS is plugged into your network equipment for easier sharing on the network. These drives range from very cheap to quite expensive depending on capacity and various features, but in all cases the software used to create the backup schedule needs to be set up manually and monitored.
As you grow, or if you already have, a simple DAS or NAS may or may not scale with you. Consider that a technology once available only to large enterprise is now available to small businesses – instant server recovery. No, a server won’t heal itself – yet!
However, the right technology services provider can copy your complete server – with its operating system, applications, plus all files and folders – to a network attached “appliance” that will spring into action within a few minutes of any trouble that takes down your server. The only downside to this near-panacea is that it still won’t protect you if your office or technology is wiped out or by fire, water, or theft.
While this fast and reliable technology has been affordable only to larger firms in the recent past, there are now IT support companies known as “managed services providers” (MSPs) that regularly implement these solutions starting at a few hundred dollars per month. They often include offsite storage protection, and local IT firms may have an option to backup to archive tape at their site as well.
For many firms, this is a cost-effective solution for highly reliable access to your data after a disaster – even a minor one such as an accidental deletion or a need to see old data that’s since been replaced. During tax season it would be a business-saver if a server goes offline two weeks before March 15th.
When considering costs, don’t forget the cost of labor to rebuild your server from scratch may be several thousand dollars. By comparison, bringing your primary server back online after moving to the “instant” server provided by an MSP won’t take more than an hour or two – and it can be scheduled at a convenient time to your practice.
If loss of access to your server and non-hosted applications for less than an hour – versus two days up to a week – could save your practice from suffering financial losses, strongly consider this type of solution as a primary strategy for onsite recovery, especially if there are offsite options included.
Maybe you’re comfortable with your current onsite backup, but what about Internet backup? With so many online “cloud backup” services available, how can you avoid wasting time and just get the data backed up? After all, you now have new or pending tax legislation to review more often than ever before. Why not just find the least expensive option and be done with it? If you have an IT vendor, why not just leave it to them if they say they have offsite backup handled?
Let’s look at these in reverse. The information technology space is full of IT support companies that broker the services of other backup providers without disclosure to their client… you. Maybe your provider isn’t one of them, and maybe you don’t think you should care, but as a CPA don’t you want to know where your client data is stored and how it’s protected?
Beyond protection, consider that your IT vendor is not legally required to disclosure that your data might be housed out-of-state, stored across International borders, handled by companies and employees far outside of the control of your IT vendor, or providing jobs and economic benefits elsewhere when those benefits could easily be local.
Consider whether you would hand over a box of your paper tax returns to a company when you know nothing about their practices. Your IT vendor, who may also be looking for a low-cost option in this economic climate, is entrusted by you to choose where your business-critical client data is stored on your behalf. Management of your IT operations is one thing; complete control over your vital data assets over the public Internet is another. You should definitely be asking questions here. A good start is – “Are you managing our data directly at your site?” If not, “Who is?”
Tape - not gone yet
Tape is a classic option that comes with its own set of challenges and headaches, such as tape management and rotation, testing, and moving tape offsite securely and reliably. Ultimately, when you need a year-end report from several years ago or document that was deleted months ago, it comes down to archival recovery and historical tracking.
Tape is still the most practical long-term solution, but that doesn’t mean you need it in-house. An offsite data backup provider will save you money if they move your data to tape for long-term archive instead of using growing amounts of hard-disk storage that will cost you more and more year over year.
Alternatively, you might find an offsite backup provider who offers a tape-like strategy with something called “versioning,” – a fancy name for copies of copies. Make sure you know how many versions, how much the space for this feature will cost, and if there is an option for long-term archiving or just a set number of versions.
Bottom line, tape handling onsite at your office, unless you have a dedicated IT employee, is going the way of paper returns… but that doesn’t mean you shouldn’t have tape, or an equivalent versioning method, as part of your backup and recovery strategy.
Low- cost offsite backup
So what about that low-cost backup option that you, and potentially your IT vendor, are looking for? Along with issues we’ll cover shortly, your IT provider might not offer widely-recognizable brands because some don’t have reseller programs and if they do, the margins are low.
So, backup technology companies you’ve never heard of are the generally the ones they’ll be using and trusting with your client data. That’s not an implication that the backup companies are shady in some way, just that you won’t be able to verify anything about them unless you know to ask. So ask.
As for those inexpensive and highly advertised backup companies, consider how you’ll get your data back… via download over the Internet.
How much data do you have? Let’s say you have 50GB of important data, and you’ve been slowly transferring it offsite for a year or two, a few files at a time. Now, let’s assume that you have a fire, a burst water pipe near your server, or a theft, and you no longer have your laptop or server or any secondary storage. With this remote low-cost backup provider, you’ll have to download all of your files once you have purchased and configured replacement hardware.
The news you don’t know… you might get 10GB of data per day if you have business-class broadband; it’s even stated in the fine print on the Internet backup providers’ websites if you look for it. That’s five days of downloading at 10GB/day. Maybe you’ll be able to order the 71 CDs or 11 DVDs of your data for an additional fee via UPS or FedEx, but you’ll still need to load all of the data or have it loaded along with a new server setup. Is this really inexpensive?
If additional downtime would add insult to injury after a major disaster for your practice, consider finding a local provider who can immediately drive over and install a copy of your data for you – or even deliver your data on a new temporary server within hours – instead of relying on Internet pipe.
If someone in IT says that your data should be 500 miles away, or in “geographically dispersed locations” as the best practice in disaster recovery preparedness, they aren’t lying. However, we don’t all live in the academic “worst-case scenario” world that covers all potential scenarios including small nuclear-missile attacks.
In the real world, your business is much more likely to suffer from multiple days of downtime due to your own site disaster than you are likely to suffer from a regional disaster – the rare scenario that wipes out your site, your local vendor’s, and their entire offsite tape collection. If hurricanes or tornadoes regularly wipe out businesses in your area, then take that into account. Whatever you do, if you’re going to plan, weigh the logical against the most severe… just like you do in professional practice.
After you know where and how your data will be backed up, you have to calculate and consider your time and the time of your staff to manage it. Do you have time to manage an onsite or offsite backup process and watch for errors on a nightly basis? Automated email alerts are okay if you’re not going to ignore them after a few weeks. If you add folders or move data, you need to make sure the right data is still backed up. You also need to take the time to test your backups to see if they are reliable.
Backup and disaster recovery is a necessity for a CPA firm’s longevity considering the trust you’re given with every client’s sensitive data. If you outsource, don’t make the assumption that every IT vendor is just as reliable… any more than every tax preparer is just as good as another. The details matter in both cases.
A final note
In the world of online criminals and data thieves, you won’t do much better searching for a high value target than the records of a CPA – client net worth, SSNs, bank access numbers and passwords – you know the list is long. These are not pleasant items to consider, but just like you plan for a potential audit, you should consider revisiting your backup and disaster recovery scenarios and strategies, or find a consultant and do so.
Unfortunately, hoping it won’t happen to you isn’t a viable business practice, and the wrong disaster could wipe out your client data and put you out of business and at legal risk.
Joel Pippin is the President and chief executive of Secure Network Administration, Inc., an IT managed services provider in the RTP area of North Carolina. He welcomes your feedback at firstname.lastname@example.org.