Recovery Point Objective Explained for SMBs

Recovery Point Objective is an important part of your Incident Response Plan and Data Recovery Strategy. It is, however, often confused with other similar terms such as Recovery Time Objective, Recovery Point Actual, and Recovery Time Actual. In this article, we explain in great detail what is RPO, how it works, its pros and cons, how it differs from RTO, RTA, and RPA, and how to calculate it for your SMB.

What is Recovery Point Objective

Recovery Point Objective (RPO) is the maximal amount of data your business can lose in case of a cybersecurity incident without damage to its operations.

Here are other ways to explain and view it. RPO is the acceptable age of data that can be retrieved from backups. RPO is the maximal acceptable amount of time between the last backup and the incident.

How does RPO work?

Willing to avoid data loss in case of cyber events and in keeping with existing regulations, modern SMBs back up their data. Unless a company has continuous data protection, its data backup has a certain frequency, usually one or three times a day.

When a cyber incident with data loss occurs, the company retrieves the data from a backup. However, all the data generated between the last backup and a cyber incident will be lost.

The company needs to decide what amount of data loss is acceptable and bearable. What amount of data will not impact the business operations dramatically?

This will impact the choice of the backup frequency and ultimately the backup strategy and the choice of the backup tool.

The pros and cons of the RPO approach

In this section, we’ll talk about why your business needs RPO in the first place. We’ll also cover some issues that this approach doesn’t take into account.

The pros:

The 2 key advantages of calculating your Recovery Point Objective are:

1. You can identify the frequency of backups that your company needs, as well as the budget on recovery.
2. You will need RPO to outline your Incident Response Plan and Data Recovery Strategy.

As a result, your business can achieve several goals:

1. Save costs, time, and labor on data recovery.
2. Decrease company downtime and the resulting revenue loss.
3. Control the loss of your data more efficiently.
4. Improve cybersecurity.
5. Achieve compliance.

The cons:

This approach doesn’t take into consideration several factors:

1. The daily/weekly/monthly fluctuations of data generation.

A business that operates within one or several adjacent zones, will have most of its data generated during business hours. Thus a cyber event during the night and a cyber event during the day will have a different impact on business. The same can be applied to weekends vs business days, or holiday time vs regular periods.

2. The quality/value of data lost.

Businesses do not generate equally valuable data every day. Here’s an example. Compare the following events.

A research team recorded the results of longitude quantitative research and this data was lost in a security incident. A sales team composed several email drafts that were erased. A content manager wrote one section of the article. The accountant calculated the salaries for the whole company using standard formulas.

The most valuable data is the one generated by the research team. Also, it’s the hardest to retrieve because it contains the numbers. Obviously, the data recovered from the backup wouldn’t be as valuable as the lost data.

Recovery Point Objective vs Recovery Time Objective vs Recovery Point Actual vs Recovery Time Actual

With so many terms pertaining to recovery, it’s easy to get lost. Some businesses confuse Recovery Point Objective with Recovery Time Objective, Recovery Time Actual, and Recovery Point Actual. In this section, we explain how to tell the difference between these terms.

As mentioned above RPO is the amount of data that a business can lose without significant impact on its operations.

Recovery Time Objective (RTO) is the maximal amount of time a business can spend on data recovery without a significant impact on its operations. It calculates the number of hours/days/weeks from the incident to full data recovery. Alternatively, RTO equals business downtime that will not harm business.

Both RPO and RTO declare the business’s recovery goals. They demonstrate the best-case scenario in the event of a cyber incident. Unfortunately, life doesn’t often take the most desirable course of action. That’s when RTA and RPA come in handy. Both show the real situation.

Similarly to RPO, Recovery Point Actual calculates the amount of data lost due to a cyber incident. It can differ significantly from your RPO, for example, in case something went wrong with the backup or if the business doesn’t have a backup at all.

Reduce your RPA with Office backup.

Finally, RTA measures the actual amount of time the business spent recovering its data. Once again, your RTA can differ from RTO significantly due to multiple factors.

Let’s take a look at the RTA, RPA, RTO, and RPO example:

ABC is a translation agency that works with corporate clients all over the world. They have 100 translators, each producing approximately 1,000 words per business day which is approximately one A4 page of text. They all use Google Docs for translation and work the same business hours. The files are backed up at 8 PM every day.

This means that their Recovery Point Objective amounts to 100 files containing accumulatively 100,000 words.

Let’s say a cyber incident or a data breach happens at 7:59 PM wiping all the data from ABC’s Google Drive. It means that the company hasn’t backed up data produced on this day. The company decides to not pay the ransom and instead retrieve data from a backup. Thus, their Recovery Point Actual is equal to their RPO, i.e. they’ve lost 100 files and 100,000 words of translation.

Now, ABC’s Recovery Time Objective is to recover all the data lost from the backup in 12 hours. However, on that day, their Google Workspace Admin is on vacation and doesn’t answer the phone. The recovery thus starts in 20 hours. As a result, the Recovery time actual is 32 hours.

How to Calculate RPO?

Calculating the Recovery Point Objective is important for a business to plan its backup frequency.

RPO heavily depends on a multitude of factors:

1. Rules and regulations of the country, and region, including regulations of specific industries, and types of business.
2. The amount of data the loss of which affects severely the business operations.
3. The speed of data recovery process of the cloud technology the business is using (see API limits) and the resulting downtime duration.
4. The balance between the cost of backup and the cost of data loss and downtime.

How to Calculate the Recovery Time Objective Step-by-Step

1. Check with the legal department on the regulations and laws governing your business and its data.
2. Analyze the amount of data generated on a daily basis. You most likely will need to ask your Heads of Department employees for this information.

You can also use the data monitoring functionality of your cloud platform to see the amount of data generated on a daily basis. Here’s an example of Storage Used by Apps in Google Workspace Admin Console:

3. Discuss with Department Heads the amount of data loss that is acceptable for their respective departments.
4. Check the goals of your Business Continuity Plan to be in line with them.

We also suggest revisiting the RPO at least once a year depending on the growth of your business operations.

SpinOne Backup and Recovery Point Objective

SpinOne can help companies establish their Recovery Point Objective as well as provides an automated backup solution for their cloud data.

As mentioned above, SpinOne platform provides cloud monitor for businesses. It operates in Google Workspace and Microsoft Office 365. The functionality uses API to create reports on various types of activities that happen within your digital environments, such as file edits, deletions, shares, logins, and application use. Its primary goal is to detect multiple cybersecurity incidents and take immediate action.

However, it can also be used to monitor your data generation. Using SpinOne you can understand the amount of data created by your business on a daily basis and set Recovery Point Objective more clearly.

Additionally, SpinOne provides regular automated backup of your cloud data that can be set either once or thrice a day. It backs up your email, drive, calendar, and contacts for both GW and MSO365.

The benefits of SpinOne backup:

1. Fully automated and regular.
2. Prompt because it only backs up the changes that have been made to your files since the last backup.
3. Stores up to 100 versions of the same document.
4. Unlimited storage in the world’s most protected data centers (Azure, GCP, AWS) or the data center of your choice.
5. Recover your entire corporate data or just one document from a certain point in time.
6. SOC 2, EU Privacy Shield, and GDPR-compliant.