What's Inside

A recovery point objective (RPO) measures the amount of data an organization can tolerate losing after an outage, breach, or disruptive event. By meeting its RPO, a company minimizes data losses and quickly resumes standard operations. 

In today’s landscape, you can’t easily separate a company’s data from its services. As a result, data breaches or system outages can spell the end of a business. In fact, data breaches cost companies with under 500 employees nearly $3 million per incident. To minimize losses and avoid high recovery costs, your organization needs to set a recovery point objective (RPO) for any lost information. 

A recovery point objective describes the amount of data you can afford to lose after a disruption. By setting the right RPO, you can minimize the damage done to your business and protect as much data as possible. 

Below, we’ll explain what an RPO is, give examples of how it works, and teach you how to define the best RPO for risk management.

What Is a Recovery Point Objective?

A recovery point objective refers to the maximum data loss an organization can bear after a disruptive event. RPOs express data loss tolerance, or the amount of data you can lose without harming operations, as a measure of time. 

RPOs determine the maximum age of stored files before you have to back up your data again. In the event of a breach or system failure, RPOs synched with your backup rate can meet their recovery targets. For example, if you set your RPO to one hour, you must run a system backup each hour to minimize data losses. When setting a backup schedule to meet a RPO, one must assume the worst possible scenario, which is data loss immediately following the latest backup. 

Organizations shouldn’t use a blanket RPO for each system and app. Instead, you should set RPOs based on a component’s function or importance in your IT environment. For example, you might create a data backup for your most critical systems once an hour. By contrast, you can stand to lose more of your less important data. 

Advantages of an RPO for disaster recovery include:

• Loss prevention: Data losses can consist of customer information and vital company details. RPOs recover as much valuable data as possible. 

• Prioritization: RPOs help prioritize your systems, apps, and data based on disaster recovery time. 

• Financial savings: Recreating data takes time and money you can’t spare after a disruption. Shorter RPOs and built-out data recovery plans retrieve data more efficiently than lengthy data-salvaging projects.

• Optimized processes: Poor incident response plans with subpar RPOs can cost days of your staff’s time. The shorter your RPO window, the quicker employees can get operations back up and running—and get back to work.

• Compliance: Disaster recovery strategies help companies stay compliant with industry regulations. RPOs also help meet data protection requirements. 

RPO vs. RTO: What’s the Difference?

A recovery time objective (RTO) is the amount of time your systems and apps can stay down without damaging your organization. You can think of RTOs as the time allotted to restore normal operations after a significant incident.  It's important to align your RTO with the uptime percentage or SLA commitments you have made with your customers. Both an RPO and RTO play crucial roles in disaster recovery. 

You can also differentiate RTOs and RPOs by looking at their main purpose:

• RTOs focus on the downtime of services, applications, and processes while allocating resources in your business continuity plan. 

• RPOs determine the amount of data you can lose and define backup frequency.

You can find four other differences based on their: 

1. Priorities: RTOs focus on the time needed to restore systems, while RPOs look at the amount of data you can afford to lose. RPOs also go beyond measuring business downtime and note data loss’s risk and impact on customers.

2. Cost: Expenses increase at different rates for RTOs and RPOs as your turnaround times shorten. Low RTOs can cost more since they account for the time needed to recover your whole infrastructure, not just your data.

3. Automation: RPOs involve automated backups at scheduled intervals. Once you set a viable backup rate, automation can tackle the rest. Because RTOs involve all IT operations during recovery, you need manual oversight. 

4. Calculation simplicity: RPO calculations are more straightforward and depend on data usage. When a data breach occurs, calculating an RTO involves other factors that are difficult to predict like the time to remove an attacker from the environment and staff capabilities.

An Example of RPO

To help explain RPO, we’ll walk through an example scenario. Suppose you run a global medical supply website with unique servers for specific data and tasks. Each server gets its own recovery point objective depending on its usage. Because the website accepts sales 24/7, your data requires continuous replication.

RPOs for different aspects of your business may include: 

• One-minute continuous RPOs for payment gateways, shipping databases, inventory levels, confirmation logs, and email servers 

• One-hour RPOs for customer data, web interfaces, user password authentication, and product dashboards 

• 24-hour RPOs for customer reviews, content databases, and chat logs 

A business continuity plan should outline the RPO for different types of data. In this example, essential information needed to run the business gets updated each minute and therefore requires a shorter RPO to limit impact to the business. Less valuable information can rely on hour-long backups, and noncritical items can handle a 24-hour RPO without hurting the business.

Why RPO Is Important

A single unplanned outage or cyberattack can lead to significant data loss and impact most of a business’s operations. IBM found that the average cost of a data breach in the U.S. reached $9.44 million per incident in 2022. Between inefficient data recovery and lost data assets, one breach can spell disaster for a company. 

RPOs protect organizations from this outcome by:

• Setting the minimal backup schedule frequency

• Revealing how much data you can lose without causing major damage to your business

• Determining how far back the IT team should deploy recovery strategies without exceeding the RTO

• Improving your business continuity plan

• Protecting essential systems and apps your business needs to operate

• Determining your service-level agreement after a disruption

What Is Zero RPO?

Data with a zero RPO refers to information your organization can’t lose for even a second without grave repercussions. This is important for businesses in the financial or healthcare sector that handle transactions or medical data. Maintaining zero RPO takes constant protection and real-time replication to ensure no information gets lost. 

How to Define RPOs 

Your data update frequency plays a role in defining your RPO for cybersecurity risk management. A high update frequency ensures that restored files reflect their most up-to-date version. Frequently updated files will have a shorter RPO that can come down to mere minutes. On the other hand, files that go extended periods without updates can have a longer RPO of up to 24 hours. 

Well-set RPOs build a foundation for your business continuity strategy. Ideally, they should create optimal data loss targets for different business units and programs. These targets depend on internal and external factors shaping the value of your data. RPO-setting considers factors such as:

• Your industry: Companies operating in a field that handles sensitive information like medical or financial data will require shorter RPOs. 

• The way you store data: Whether you store data in physical appliances, the cloud, or off-site storage impacts how quickly you can retrieve it after a service disruption.

• Maintaining compliance: Many compliance frameworks have their own guidelines and requirements for data loss prevention and disaster recovery. 

• Financial tolerance: When gauging your loss tolerance, weigh the cost of your RPO against financial losses from poor data recovery. While a short RPO takes investment, it can save you money in the long run. 

Common RPO Intervals 

Setting the right RPO interval for each system or business unit takes careful planning. Each interval should reflect the importance of a system within your organization. To help you make the best choice for data security, here are some common RPO intervals:

• 0-1 hour: Certain critical business processes and systems can’t afford to lose more than an hour’s worth of data. High-volume, hard-to-recreate, dynamic data fits into this category. This may include patient info, bank transactions, and customer data. 

• 1-4 hours: Valuable business data with a small margin for loss fits in this category. This semi-critical data may include file servers, customer chat logs, and CRM data.

• 4-12 hours: Business units that only update once a day or even less frequently fall in here. Marketing info, sales data, and operational information may fall under this category. 

• 13+: Important but not critical business data can get by with an RPO of 24 hours or more. Purchase departments that buy goods each month, HR teams, and teams monitoring inventory rarely need updates at shorter intervals.

What Is Failover?

Failover occurs when switching to your backup systems during maintenance or a disruption. You need to consider your RTO to build failover solutions that enable you to recover important systems and data quickly. For example, if you use a 15-minute RTO, your failover needs to kick in within that timeframe to meet that objective. 

Common failover techniques include:

• Domain name system (DNS) services: DNS services guide traffic to an off-site server. However, a DNS service may come with time-to-live (TTL) delays or service degradation that increases recovery time. 

• Physical hardware solutions: On-site hardware can reroute traffic to backup servers. While hardware solutions avoid latency issues, they need backup sites hosted in the same locations as main servers. As a result, power grid failure and natural disasters can affect your main and fallback server at once. 

• On-edge services: Third parties can manage your failover off-site and seamlessly route traffic after a disruption. On-edge failover avoids TTL delays and additional costs from buying extra hardware. 

How Drata Can Help Maintain Protection for Your Business

No matter how prepared you are, some breaches and outages are impossible to avoid. So, when data losses occur, you need a plan to resume standard operations. Setting a realistic recovery point objective is key when introducing risk management plans. While constant vigilance will get you far, a reliable fallback plan will take you further. 

RPOs play a small role in your broader disaster response strategy. Alongside an attainable timeframe, you should consider legal compliance and industry standards to lower your risk level and protect your security, reputation, and financial health.

To help you prepare for the unexpected, Drata puts risk management on autopilot. Our platform enables you to develop treatment plans and even create risk-related tasks through our Jira integration. With the right automated tools, you can establish a custom end-to-end risk management solution to suit your organization’s needs.