Recovery point objective (RPO) meaning
What is RPO?
Recovery point objective (RPO) is the maximum acceptable amount of data loss after an unexpected disaster event. Examples of such events include widespread power outages or damage to hard drives in server enclosures. This translates to the point in time before a disaster event to which data can be successfully recovered while business continuity is maintained.
The core meaning of RPO revolves around disaster recovery. If a particular disaster event happens more than once, the likelihood of a successful response decreases with each repeated instance. This is due to the lack of a sound disaster plan and of a focus on fixing the cause that led to the first and second disaster/data loss events.
RPO is used during disaster recovery planning as a metric that defines how frequently data needs to be backed up in order to enable the fastest possible recovery and return to business continuity after a disaster.
Having a set recovery point objective in place allows a business to:
- Back up data at the correct intervals in order to streamline disaster recovery
- Ensure that data loss never exceeds allowable loss tolerance
- Understand how quickly it can recover after a data loss due to a disaster, failure of technology, or malfeasance
Why is RPO essential for disaster recovery?
No matter how often you back up your data, you will most likely lose some percentage of it. Because data is always changing and data storage hardware is costly, it is unlikely you can back up your organization’s data 24 hours a day. RPO helps to eliminate the risk of major data loss by establishing a metric indicating the maximum amount of data an organization can lose without risking interruption of business continuity. In a disaster, many departments and functions are affected, and it is critical that data across the organization is safeguarded.
How can MSPs use RPO?
Managed service providers can use RPOs to design and evaluate their technological infrastructure and its effectiveness in avoiding data loss. Both businesses and MSPs need to periodically evaluate their disaster planning preparedness and readiness, including whether they have adopted appropriate RTOs (recovery time objectives) and RPOs compared to their industry.
As a hypothetical example, consider the CTO of an MSP whose client has just faced a catastrophic disaster due to a fire in the organization’s server room. The CTO obtains a copy of the client’s disaster recovery plan and notices that the critical areas of the business data include financial transactions and customer data. Current backups were completed yesterday. The most recent recovery point for each of these items is under 24 hours old, which meets disaster recovery expectations. The recovery point objective has been met.
In the case where this same organization does not have access to mission-critical data in the same amount of time, RPO cannot be assured. This would require the business to take further steps to inform its clients and banking partners and to inquire whether data can be recovered in other formats. This will likely harm the reputation of the organization and its customers/clients due to the organization’s apparent irresponsibility with disaster planning and data backups.
How to calculate RPO
In order to calculate an appropriate RPO, it’s important to analyze a few factors that are unique to your business or organization:
- How often do your files update? Having frequent file backups and data integrity allows you to meet and exceed the time in which your business can reach normal operations after a major disaster/widespread data loss.
- What are the goals and objectives of your Business Continuity Plan (BCP)? Business Continuity Plans allow your team to understand and work towards improving their disaster recovery planning strategies and minimize data loss and business interruptions.
- What are the standards and expectations users and clients hold within your industry? By understanding the standards your industry holds concerning uptime and data continuity, you can build a proper strategy that avoids disasters and data loss. Organizations can also build a reputation for being ahead of their competition in terms of data integrity and data loss protection.
- Which functions within your business are mission-critical? Each of these areas may need its own individual RPO and RTO. By establishing which functions and data are mission-critical to have, you can establish proper disaster recovery strategies which focus on getting the most important data restored first.
- Consistently and routinely evaluate your disaster recovery plan, RPOs, and RTOs to ensure maximum effectiveness. It’s important to routinely evaluate disaster preparedness due to the ever-changing nature of business operations.
Recovery point objectives focus on how frequently a backup must be made to ensure minimum data loss. Examples of RPOs include the time between data backups for business financial data/banking transactions, customer relationship management databases, and patient records. Business units may each be able to continue to function if they lose data from within a specified period (the RPO).
For example, RPOs often would be the following:
- CRM database (8 hours) – depending on your business, customer contact information may not change as much as new data being added to a Quicken database or data holding financial transactions. Thus, the data itself may hold less of a priority or be less mission-critical than banking/financial transactions would be.
- Banking/financial transactions (2 hours) – banking and financial transaction data is one of the most critical parts of a business’ operations. These need to be backed up as quickly as possible if that data is mission-critical. RPOs for these data types are quite short due to the business relying on this data type to conduct its business effectively.
- Patient records (6 hours) – For a quiet medical office, patient records may need to be backed up infrequently (every 24 hours), but a larger clinic or online pharmacy may need to back up this form of data every 3 to 6 hours due to patient volume and laws which oversee the storage/processing of this type of data.
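The RPOs listed above can be checked against actual backup timestamps. The Python below is an added example, not code from the original page: it reports the data-loss window at the moment of an incident and whether past backup intervals stayed within each RPO. The dataset keys, function names, timestamps and incident time are constructed for illustration.

```python
from datetime import datetime, timedelta

# RPOs in hours, taken from the list above; the keys are names chosen for this example.
RPO_HOURS = {"crm": 8, "financial_transactions": 2, "patient_records": 6}

def exposure(backups, incident):
    """Data lost if disaster strikes at `incident`: the time since the newest
    backup completed at or before it. None means nothing can be restored."""
    usable = [b for b in backups if b <= incident]
    return incident - max(usable) if usable else None

def worst_gap(backups):
    """Largest interval between consecutive completed backups."""
    ordered = sorted(backups)
    return max((b - a for a, b in zip(ordered, ordered[1:])), default=None)

def audit(history, incident):
    """Compare each dataset's backup history with its RPO."""
    report = {}
    for name, hours in RPO_HOURS.items():
        rpo = timedelta(hours=hours)
        backups = history.get(name, [])
        loss, gap = exposure(backups, incident), worst_gap(backups)
        report[name] = {
            "loss_window": loss,
            # Was the newest recovery point recent enough when disaster hit?
            "rpo_met_at_incident": loss is not None and loss <= rpo,
            # Did every past interval between backups stay inside the RPO?
            "past_gaps_within_rpo": gap is not None and gap <= rpo,
        }
    return report

def _t(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute)

# Constructed sample data: backup completion times and an incident time.
INCIDENT = _t(10, 14, 30)
SAMPLE_HISTORY = {
    "crm": [_t(10, 0), _t(10, 8)],
    # A late run left a 3.5-hour gap, although the last backup was recent.
    "financial_transactions": [_t(10, 8), _t(10, 10), _t(10, 13, 30)],
    # The 10:00 run never completed, so the newest copy is 10.5 hours old.
    "patient_records": [_t(9, 22), _t(10, 4)],
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_HISTORY, INCIDENT).items():
        print(name, result)
```

The two checks can disagree: in the sample data the financial dataset meets its RPO at the incident only because the last backup happened to be recent, while its history shows an interval longer than 2 hours.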
Summing up RPO & disaster recovery
RPO gives your organization a guardrail and an understanding of the maximum amount of data that can be lost during a disaster. Organizations need to be able to maintain business continuity in order to function properly. Mission-critical data should always be prioritized in disaster recovery/business continuity planning.