Q: As an MSP, I frequently see businesses make mistakes when developing a data retention policy. These mistakes often result in businesses losing their data due to accidental deletions or exposing their data to bad actors because the company has kept it for too long. What can I do to help my customers establish the right retention policy?
Data retention policies are widely regarded as a key part of protecting the data of any business, in any industry. Despite this, some SMB customers are hesitant to commit to retention policies, which leaves their data at risk. Other businesses may choose a retention plan that doesn’t appropriately meet their unique needs, which can be just as dangerous as not having one at all. That’s why it’s so important for MSPs to be involved in the process and help identify the right retention policy for each business they support.
To provide further insight on this topic, we asked Kyle Marsan, systems engineer at Barracuda MSP, for his guidance on best practices, obstacles to avoid, and how to communicate the importance of having a retention policy in place.
Importance of retention policies
A data retention policy sets guidelines for a company or organization on what information to keep and what information to delete. Most importantly, a retention plan helps those in a business understand how long data needs to remain available and to dispose of it once it’s no longer needed.
In certain cases, a retention policy can detail how data should be deleted, while also taking compliance requirements into account. The retention policy can explain why specific data should be kept and why other data must be deleted at a certain point.
Every modern business is reliant on its data. Many have requirements for their retention policies, whether it’s formal compliance laws or promises they made to their customers as part of their marketing efforts.
Retention policies can also help protect MSPs and their customers if their data is deleted, stolen, or otherwise compromised. Without a retention plan in place, these events could mean that data is permanently lost, which could be a devastating blow to the business, from which they may never recover.
Any industry held to legal compliance standards (like HIPAA or FINRA), such as healthcare and financial organizations, should make retention policies a high priority.
Hazards to watch for
Regardless of what industry you are protecting, it is important to set the right length for a retention policy. Setting it too short will leave the customer at risk for data loss, as the data will become unrecoverable once it becomes compromised and has aged past a certain point. Setting the retention plan too long can incur unnecessary expenses for the customer and negatively impact their attitude towards keeping it — and their partnership with your MSP.
Another danger of setting a longer-than-needed retention policy is that it could leave your MSP liable if the data is stolen when it could have been “aged off.” There is such a thing as being too overprotective, so be sure to “age off” files and data once they are no longer needed. Finding the “sweet spot” in terms of length of retention, amount of data being kept, and cost of the retention for each customer is key to minimizing these limitations.
Another limitation is that backup is schedule-based, meaning that there is no autosave. Whatever version of the file is saved at the time the backup is scheduled is the one that is backed up.
Best practices for setting up retention plans
It’s important to offer a solution that is flexible and customizable. You’ll want to get an understanding of how critical the customer’s data is to their business. Find out what their absolute requirement is: would they be able to continue business if they lost data from an hour ago, 24 hours ago, or a week ago?
Also, ask if they look back at data from previous projects, and how long ago those projects were completed. These questions will give you a better idea of how long their retention policy needs to keep their data. If the customer can’t immediately provide the answers to these questions, a good blanket policy is to keep images for two weeks and file data for 6 months.
Don’t let a customer’s reservations about cost lead them to settle on a retention policy that doesn’t truly protect them. Use real-life examples where retention policies were not properly set, or where customers were hesitant to pay for a retention policy, and suffered data loss as a result.
Pitch the retention plan as an insurance policy for the customer’s data and they will get a better understanding of why paying that price is so important. Take a step-by-step approach to putting the retention plan in place with the customer to set clear expectations upfront.
By utilizing the insights that Kyle brought to our conversation, your MSP can provide the customized retention plan for each individual customer to best protect their data.