Your business data is threatened by many types of risk – everything from natural disasters, data center outages, breaches by hackers, and even disgruntled employees. Mitigating the risk of data loss is all about reducing exposure to threats. There are three standard questions to consider to help prioritize risks that need to be addressed first.

  1. How important are the assets to the business? Email, databases, accounts, contracts, personnel files—everything that is typically backed up.
  2. How severe are the consequences of data loss? The business impact can range from painful, but recoverable to absolutely devastating.
  3. How vulnerable or exposed are the assets? (Hint: This is where backup risk assessment comes in.)

The value of lost data is many times greater than the price of prevention, so failing to back up information properly is perhaps the most costly mistake an organization can make. It’s also easy to stop checking for vulnerabilities when backups seem to be running smoothly, but that can lead to exposure later.

Do your backups have your back?

The goal of a backup risk assessment initiative is to make informed decisions on activities and investments in people, processes, and technology to guard against data loss, which can improve the resiliency of your entire business. By assessing your current backup regime and potential risk, you can continuously improve best practices.

In addition to ensuring you can recover from a breach, outage, or disaster, there are other important benefits of performing a risk assessment, such as fully utilizing the solutions you have in place and keeping your security strategy aligned with the goals of your business.

But where should you start in evaluating your current data backup health? We’re sharing a sample checklist (with some helpful hints) to help you develop your own list and start uncovering the risks that may be present in your organization.

Here is a sample risk assessment checklist that covers seven critical categories


Business Health: Does your data security strategy support your specific business needs?

  • Yes/No: Can you quantify the impact on revenue and workflow if critical business functions cannot operate?
  • Yes/No: Have you documented business continuity and incident response plans and do you review them regularly?
  • Yes/No: Do you have defined RTOs or RPOs that must be met?
  • Yes/No: Have your RTOs or RPOs been reviewed since your backup strategy was defined?

Backup Basics: What is your process?

  • Yes/No: Do you consistently meet your required backup window, or does the backup take longer to run than the required RTO period?
    Determine whether you can still meet the requirements for a full system restore in the required timeframe. Check your change rate calculation and understand how much data is being written each week.
  • Yes/No: Have there been errors in backups during the past days or weeks?
    How many and how severe? Recent patterns may signal the need for a greater sense of urgency.
  • Yes/No: Do only the right people have the authorizations and permissions to access your backups, including people outside of the backup team?
    Personnel and job assignments change regularly so when out-of-date permissions occur, IT team members are unable to act quickly in an emergency. Restrict access appropriately and keep a record of all who have held critical data access roles.
  • Yes/No: Is your organization’s unique recovery/restore process documented?
    Again, with changing personnel, it is vital to have an up-to-date record of your procedures and best practices.

Licensing: Are you paying for something you’re not using?

  • Yes/No: Do you know precisely what backup capabilities and services you are currently paying for—and using?
    There’s a big difference between levels of licensing, whether those levels are Gold-Silver-Bronze or Enterprise-Standard-Foundation.
  • Yes/No: Is everything still under warranty?

Hardware: Are levels of performance and support sufficient across all servers?

  • Yes/No: Do the servers and media servers have enough backup space?
  • Yes/No: Are all servers configured for high availability?
    Evaluate how many high-availability components are necessary for your business and determine what additional resources should be deployed if any.
  • Yes/No: Is all of your gear under a maintenance contract?
    Hardware failures may lose all data and the ability to recover it in one instance. If a single storage array is lost, make sure you are not at risk of losing everything.
  • Yes/No: Have you shut off the inbound Internet for your backup servers?
    Inbound connectivity to backup servers from the Internet is highly risky and should not be permitted. There are specialized management tools available that enable you to do backup server administration remotely.

Running jobs: Are they running amok?

  • Yes/No: Are any jobs running too long or never finish?
    This can be a sign of future trouble. Run a report to discover when the jobs fail and examine the job history for errors.

Alerting: Is what you don’t know hurt you?

  • Yes/No: What thresholds are set for storage?
  • Yes/No: Are your job failure alerts enabled?
  • Yes/No: Have licensing alerts been activated for over- and under-utilization?
  • Yes/No: Are the alerts going to the right people?

Data Center Replication: Are the assets safe when they are in the “safe?”

  • Yes/No: Is there a high degree of resiliency built into the backup facility itself?
    Multiple active data centers allow critical backups to cross-replicate from A to B and B to A, but remember that a truly passive offsite data center is probably a better choice.
  • Yes/No: Are your naming conventions clear?
    It’s important to label where data resides and where it is backed up.
  • Yes/No: Are target servers and data at the backup facility fully secure?
    Only authorized personnel should have access to the facility where your backup repositories and hosts are located. Also, only authorized users should have permission to access the backups and replicas on the target servers.
  • Yes/No: Are guest OS updates and authentication protocols up to date on your backup servers?
    If out of date, attackers may hack into backup infrastructure servers and proxies to obtain credentials of user accounts.

The answers to the questions above can lend insight into areas that are meeting industry standards and regulations, as well as the areas that require attention. Once the risks are identified, you can determine the level of impact each may have on the business, and then prioritize when certain solutions are deployed.

Please don’t consider it a “one and-done” checklist. As your business evolves and changes, so do your objectives. We recommend going through the checklist once a quarter or twice a year to re-evaluate the levels of risk for each item and make any necessary adjustments. That way your data protection strategy will be fortified through continuous improvement and your business continuity plans will be sound.

To learn more about risk assessment and data backup best practices, click here.