Data loss can be catastrophic for businesses of all sizes. But with the right routine, frameworks, and security measures in place, it’s not a matter of if a backup will save you, but when. For today’s episode, we have Chris Marshall, a programming wizard, and CEO of Verified Backups LLC. Chris shares his expertise in backups, frameworks, and encryption, providing valuable insights for businesses of all sizes. He emphasizes the significance of establishing a solid routine and efficient frameworks to get ready for audits. Additionally, he highlights the necessity of meeting regulatory requirements through encryption and other security measures. Chris dives into the world of backup providers, introducing the largest software backup provider, Veeam software, and the impacts they are making. He shares his advice for ensuring security in backups, and addresses common misconceptions about backup testing and recovery. Tune in now and learn how to protect your business from data loss.
—
Watch the episode here
Listen to the podcast here
Backups, Frameworks, And Encryption: How To Protect Your Business From Data Loss With Chris Marshall
In this episode, we have this great guest who is an enthusiastic summit seeker. He’s a real-life programming wizard and database master, living the dream with his favorite person and having his fountain of view through his grandson. He’s also the CEO of Verified Backups LLC. Welcome, Chris Marshall.
Thank you very much for having me, John.
It’s good to see you. We’re going to jump right in here and ask you our big question, which is if cyber risk was a pizza and the crust was the framework, what’s the riskiest topping you’ve seen? What topping would you equate that to?
The riskiest topping I’ve seen on a pizza was the guy who drove up with a KFC box to a pizza place and wanted the chicken breasts put on top of the pizza before it was baked. I can’t imagine why that would be a good idea. How do you equate that to things? I don’t know. What I know is in the cyber world, there are so many holes in people’s approaches to things and a lot of people find out all too late that that’s the case.
It was KFC chicken that they wanted to put on. Was it a flavored chicken? Was it Buffalo chicken or anything?
No, these were literal bones in chicken breasts.
That’s scary. I’ve never had to pick a bone out of my pizza.
I can’t see why that would be a good idea.
You were correct in the fact that there are a lot of holes in customer cybersecurity. Tell me this. In your role as CEO, what keeps you up at night? What are those issues that you’re seeing?
Anytime you put yourself in a place to protect company data, what keeps you up at night is perhaps any report of a breach by anybody. We’ve done all the things and we have all sorts of security. We have all sorts of penetration testing but nothing is 100%. What keeps you up at night is the possibility of being on the news the next day and we work very hard to avoid that.
That is something to avoid. It’s not a matter of if. It’s a matter of when you get hacked and what’s going to happen, how are you going to deal with it and what you’ve been practicing. It’s nothing like trying to do the Super Bowl, having all of your data gone when all you’ve got is a Pee-wee squad for learning how to do things. Practice makes perfect.
It does and you hope that you do all the practice before you have to do the practice.
I’m assuming that you have some regulatory requirements in your business. You talked a little bit there about the encryptions and some of the other things that you’re doing but why are you doing those? Is there a regulatory reason for that?
I’ve gone through a NIST certification process with my business. NIST is very specific about encryption and standards for backing up and testing. I’ve also gone through HIPAA compliance. HIPAA wants everything to be transmitted securely and encrypted, almost everything. I can still call Office Depot and order a printer without having that encrypted but everything else has to be encrypted in transit and at rest. Every decision we make is mindful of those two security standards.
If you’re ordering that printer over the web, then I’m hoping it’s encrypted at least. We got to figure out how to encrypt printers. What is the solution? How do you help customers? What do you do to help people sleep at night?
We give customers a second line of defense in the backup of their most important information. What we discovered over the last years is that if a customer has a database like a payroll or construction database, accounting, CRM, ERP, that heartbeat of your business stuff, we found that the business owner has no idea if that backed up correctly. What I mean by that is was that backup successful and recoverable?
Veeam Software, one of the largest backup providers, does a big study every year and the results of their last study was that 58% of backups are unrecoverable. Fifty-eight percent of backups fail and unfortunately, people don’t know until the moment of truth. Fortunately, when we get in our cars, they stop more than 58% of the time when we have to. That’s quite a scary number.
I often wonder if the statistics are followed that closely by the service providers that the smaller businesses may use. What I found is that at least there’s a managed service provider market because they’re generating revenue. You are their revenue if you’re one of their customers so they better get it right. Ultimately, I’ve seen better backups with managed service providers in terms of backup stories like, “We backed it up and it was good.”
The customer doesn’t often recognize it necessarily as a priority if they don’t use a managed service provider. It’s like, “It’s backed up.” “Have you tested it?” “No.” I’m curious about that managed service provider community that is out there doing these backups. Are they your market to make sure that they are backing things up correctly? Are you going directly to enterprises? Is it more of a small business or a large business? Where do you see the biggest problem?
The MSP market is very interesting and like anything, there are good, bad and ugly like pizza toppings. I spoke with an MSP that has a comprehensive schedule. If you are their customer, they’re going to do full backups every day and a full restore test every quarter. Four times a year, they’re going to recreate your whole data environment somewhere else and make sure that that whole process works. I’ve been talking to MSP for years and a lot of them don’t do that.
What I find is whoever sets up your backup, whether your in-house resource or MSP, you can’t ever assume that it’s going to be flawless and that it’s something you don’t have to think about. It would be like saying, “My cardiologist checks my heart once a year so I don’t have to pay attention to what I eat or anything else.” That would be crazy because your cardiologist doesn’t follow you around and see what you’re doing. I find a lot of MSPs set up backups and don’t talk to me about recovery or restoring schedules. It’s good, bad and ugly.
You mentioned the NIST framework, which is something that we use and that is one of the questions that we ask. When was the last time you tested your backups? Where are you looking for that quarterly? There are lots of good controls and information in the NIST CSF framework to help cover those items that maybe get forgotten. They are day-to-day tasks that people don’t pay attention to.
Some of the frameworks are even looser than that. SOC 2, which everybody talks about as this proof that my company is doing everything right, requires an annual restore test on your data backups so does HIPAA. I’m thinking, “If you do a restore test in January and you have a data loss in September, you could potentially be stuck out of eight months of data if you’ve picked up a problem or ran somewhere or any number of things along the way.” To me, once a year is crazy.
Lots of standards are that way. Once a year pen test. Once a year things that you ask yourself how long it takes for those things to happen. One of the reasons that we started was because it was too long for us to come in and do an audit on a customer. Many times, what we would find is that they would make a mad rush in the last week before the audit would come in. You could tell because everything was very short-handed. During the audit, you could see that they hadn’t practiced anything. They knew what was coming but didn’t have time to prepare.
It happens in everyday life. My wife and I were getting ready for bed and she said, “Did you set the alarm?” I said, “Absolutely,” and ran over and punched the button. What you’re seeing also, John is people rushed to do it at the end but that means that’s not part of their normal routine. If they have to change their routine because they know the auditor is coming, then they don’t have a good routine.
One of the things that we’re trying to solve for customers is to make that more routine. You were talking about bedtime. One of the things that I’ve got is I have an Alexa. When I say, “Alexa, good night.” What it does is it turns on my fan, turns on my alarm, turns off my light and then starts playing music for me at night. There are some things that we might be able to automate and make a little bit better but they still need to be double-checked and make sure that everything’s happening the way that it’s supposed to.
Maybe we need an Alexa for business. “Alexa, safeguard my company,” and it turns on your backups, your NIST and all this other stuff.
One of the things that we look at though is that every company is a little bit different. That’s why the pizza and the framework is that crust but every company has its layers of topping that they put onto those pizzas. Every company is a little bit different in how they operate and make revenue. We want to be cognizant of that when they’re implementing cybersecurity. How are things now? Tell me more about your solution. You’re doing backups. Is yours the Alexa of backups where if something goes wrong or a backup doesn’t happen, it automatically fixes it or reminds me to restore it once a quarter? Tell me more about your solution.
My solution was driven by the notion that you don’t know if a backup is restorable unless you restore it but nobody has the time and overhead to restore their stuff every day. Our approach is we’re going to back up your most critical data. We’re focused on SQL databases, MySQL coming soon as Oracle, coming soon as Postgres. The stuff that’s harder to back up natively.
You can’t take your payroll database for 1,000 employees, stick it on a thumb drive and take it home. That’s how some people do backups but that doesn’t work. Veeam has pointed this out. They said, “The only way to know if a particular backup is recoverable is to recover it.” For our customers, we install a small agent on their data server that makes a database snapshot once a day, encrypts it with government-level encryption and then sends it to our server on AWS. Our server does a full restore every day. This is distinctive from so many other approaches. 365 days a year, we know that that particular backup is good.
We keep it encrypted in our vault for between 30 days and a year, depending on your preference. If there’s a ransom situation or something, we can go back in time and find a good copy. The secret sauce is daily restoration. Part of our process was we did a patent search of 120 million patents in a bunch of countries and nobody had ever registered that idea which is crazy to me. It’s not like I invented a spaceship or the Tesla car but nobody had ever registered that product or process.
We did and we got a US patent on it. Now that you know I have a patent, we can get together and have a cup of coffee or something exciting. It says that Microsoft and Veeam aren’t doing what we’re doing. In other words, these guys are pushing things out to the cloud but the receiving end is not checking to make sure it’s fully recoverable. If you have a crypto virus, a lot of your files are encrypted or compromised. That thing may copy and you may have a checksum that says, “I see the same bits on both ends but the thing’s not recoverable,” and you won’t know it.
You mentioned databases. Do you also do regular files as well?
We do have backup solutions for regular files as well. If somebody wants a full server backup, we can do that.
Without giving away your secrets, what is the secret behind successful backups if you are a business that has an IT department? Not MSP but an IT department. What should that look like?
There is the old 3-2-1 rule. You want to have multiple copies of your data in multiple locations on multiple storage media. I have seen companies that use the purse backup system. The CEO pulls a hard drive out of her purse, plugs it into the server, takes the server hard drive that was plugged in and sticks it in her purse. That theoretically happens every day.
Number one, she has no idea if the files are going on there correctly. She called us to set up a server backup because she said, “I’m out of town for a week and nobody’s swapping that out.” That hard drive backup doesn’t accomplish the 3-2-1 rule. You don’t have it on multiple media and locations. If you have a fire, you’re going to lose your backup drive.
Coming from a hardware standpoint, then you’ve got to buy the same server and hardware. There are all kinds of things that go along with it. Did you pull it out well? It was copying a file. There are so many things that were wrong with that.
I can’t tell you the number of times people have talked to me like, “We used a tape backup system.” Tape can be great but we had a fire and all of our tapes were blank. All of our tapes were at Iron Mountain. They were all secure in these locked boxes and they were blank. To me, the thing is test.
I had a CEO years ago who once told me, “Let’s think traditional brick and mortar and a factory situation. There’s not a lot of computing going on besides administrative, billing and payroll and that thing.” I remember having a discussion about disaster recovery and what happens if you have an issue, you need to back up. I remember he looked at me, picked up his pencil and showed it to me. That was his answer. “We’ll go manual.”
I don’t think you would see that happen now. Even back then, that wasn’t practical. I haven’t been around that long. This was not the ’80s. At least from the perspective of the shock factor, I was shocked because I’ve never had that happen before but not surprised at the same time. Ultimately, that was prior to digital transformation. When I think about three copies of everything, in the back of my mind, “That’s going to be expensive.” Is it expensive?
It would surprise you. Storage costs on Amazon are pretty reasonable. I have a client that sends me 30-plus gigabytes of SQL data every single day. To keep that on hand in individual daily copies going back a month is $2 a month. You can engineer it. The flip side is how costly is it if you have to start over.
I don’t know that it’s something that is thought about every single day by the CEO or even the business owner for that matter and smaller businesses because it’s in the background. “Are your backups good? Yes, as far as I know,” until they get bit.
I have a great story. I got called into a customer. They had a payroll database with 350 employees and they got a crypto virus. This wasn’t ransom but it was a virus that deleted every file on every hard drive in their whole office, servers and workstations. These people should be shot or something but what they found out is that their payroll database, SQL-based had not backed up for nine months. They didn’t know it because it was a 2-step process and step 2 was sending them a happy email every day. Step 1 had quit and they were faithfully backing up 9-month-old data every single day.
As a result, they were in the People’s Republic of Illinois. They had to have complete payroll records. They had to bring in senior management to make 42,000 manual payroll entries into their database to get all that data back. They took a daily record for 350 people. Joe worked 8 hours, George worked 3 hours and John worked 4 hours. They had to put that all in because that was how they paid people but that was also how they billed labor to their jobs. They all thought they knew and it was good. I hate when I see that people have to find that out the hard way.
Not backing up at all or not doing it properly or I feel maybe the same because you get the same result with either. You’re spending money in one area where if you hadn’t backed it up at all, you’d probably be in the same situation. That’s not the suggestion of the recommendation but that always points me toward that concept of how do you know as the executive that backups are working. Many successful CEOs will say, “Own the job until the job owns you.”
Take ownership unless you’re responsible for it. There’s a degree of trust that goes on there, whether it’s with the CIO, a director of IT or something of that nature. What is an IT lead supposed to do when they’re being told by a regulatory framework that once a year is fine and they’re just doing the minimum requirement?
You have to use your best judgment. Maybe you can analogize from other areas of life. My wife tests our alarm system every night by asking if I turned it on. Is there anything else in your life that you would only check once a year? Would you only check the oil in your car once a year? Would you only check the tire pressure once a year?
When it’s time to fly somewhere and you get on the airline and they say, “We’re happy to let you know that this plane was last serviced a year ago,” would you sit on that flight, allow it to take off and fly you somewhere? We live our lives dependent on redundancy and testing all the time. When somebody reads that in one of the standards that say once a year, you have to have a little bit of professional judgment and ask if that’s how you would run anything else in your life.
Data Loss: We live our lives dependent on redundancy and testing all the time.
I’m convinced that your patent and what you’re doing, verifying the backups are going to work every day, who wouldn’t want that? Simply stated. I can’t think of a single person that doesn’t already have that expectation with a smartphone and the pictures that they’re taking of their families every day. You’re right. It takes stories and perhaps positions of risk to justify investments in time and/or money. I would agree. I’m not aware of any backup solution that verifies that the backup will recover rather than the backup completed.
It’s a crazy thing and it’s a bit like life insurance. I have five kids. I have a very busy life. They’re all adults but I still have life insurance. I have a backup to my main policy to protect against some other contingencies because I don’t know. I think I’m going to live a long time. Today is probably not my day but I can’t say with 100% certainty so I have other things. We have all wasted money on car insurance but these are things we have to have.
I look at a good backup as insurance for the succession of your business and the jobs of your employees. Every business owner thinks about fire insurance, flood insurance and a variety of things. This needs to be in that pile because as the CEO, I have the responsibility to the people that are on my payroll to keep the doors open.
One of the things that a lot of CEOs that we’re seeing are looking for cyber insurance. For many of those, many requirements including backups and testing are part of getting that cyber insurance like life insurance. We want to make sure you’re not jumping out of airplanes or anything or you know that there’s an exclusion for that. Have those needs for cyber insurance to help cover that and ensure that the business is going to continue after something like that.
I read that the average ransomware claim is $1.33 million. That’s small potatoes compared to some of them.
Some of them are and we’ve seen because of what we do. We’re often involved in what you refer to as privileged and confidential work products. It’s attorney-client privilege. The big sticky point always, at least in those situations, is making sure that you understand what was taken in terms of data and how it happened. Speaking on what’s called the digital forensics circuit, which both John and I have spoken about at conferences in that regard, it was very common to hear people talking about the backups getting infected too. I’m curious. That’d be great to verify that it can be recovered but can you in somehow maybe add your roadmap or do you have something on your roadmap to inspect backups for malicious content? Encryption may not be easy but where’s your path on that?
That’s a fascinating thing and there are lots of players in that market. There are the anti-virus people and the anti-malware people. One thing is if your system gets compromised to a point, you’re not going to send backup files anymore. We’ll detect that. Do you remember in school when the substitute teacher would say, “Anybody who’s not here today, raise your hand?” We always thought that was funny but we’re looking for files that have not come in, then we’re looking for files that have come in but haven’t been restored because the file is compromised.
In that way, if you’re my customer, George and I suddenly stop getting your files, I may know you have ransomware before you do or if I get a file and it’s compromised and the way the files are structured, I’m not going to be subject to that infection or virus. If I’m getting something from you and it’s not opening up, I may know that you have ransomware before you do.
Chris, what events do you go to? Where can people find more information about backups, frameworks, encryption and all these things?
I probably need to get out more often. I haven’t gone to a lot of events. I’ve gone to some industry stuff that is geared for MSPs like stuff with Robin Robins and I’ve looked at storage tech and some other things. For a few years, nobody went to any events anywhere and that’s when I was getting this business off the ground. DRJ runs some good ones and there’s some other stuff on my radar.
How about books? Do you read much? If so, are there any books you would recommend for people to read?
I enjoy a good technical book. I’m looking over at my bookshelf. I read a lot of stuff on traction, positioning, business development and personal stuff. I love things like the 12 Week Year, Atomic Habits and things like that. How can you make the most out of the space and time you have in front of you without working all the time because who wants to do that?
Looking at that and trying to figure out how to get that twelve-week work year, what excites you about the future? What are you looking forward to?
It’s fun to build a business that’s a SaaS product because there is a point where the subscriptions are self-sustaining and we’re getting closer to that. Honestly, what excites me and this sounds crazy, is getting that phone call and restoring that company. Their second line of defense turned out to be the one that the football player couldn’t get through.
We have their encrypted copy and it goes on a new server. I’ve done this at a company that was struck by lightning. I restored them to within 24 hours and did it all from a beach vacation. Those kinds of things are fun. You don’t want anybody to have disaster but you want people if they’re going to anyway, which they are, to walk away clean.
If only we could plan when accidents happen.
I’d like to schedule that better but no. This company used the same process. I’d set this up for them years ago and when something hit five years after I’d installed their backup, we were current and life was good.
Tell me a little bit more about you. How does somebody become Chris and the executive of this cool backup technology with patents and everything? What journey did you get here? What schools did you go to? What previous work did you have?
I was that kid growing up that was interested in computers. I went to Radio Shack when they had the TRS-80. It’s a great little computer. It had three error messages, how, what and sorry. The Apple II came out, bought one of those with my summer job earnings and use that for the family for a while. I went off to Washington University in St. Louis to major in Computer Science. I decided I didn’t want to sit in a cubicle all day so I switched to psychology because people are so fascinating. Everything you do, no matter what tech it is, it’s with people but then I had this bent for technology and I found I was good at it. I went back and started my business programming in 1993 when John was 10 and George was 12. I have been doing that ever since.
Not quite there. I was out of high school. I had a job for a while. I was working in the career industry already. There is some gray here, believe it or not.
Every time I go to the barber, there’s more gray on the floor. I’ve done programming for companies as big as Boeing and Dollar General and as small as mom-and-pop shops and everything in the middle, all around automation and making workflows happen without all the work. This became an extension of that. I figured I was going to do that all my life and I still do some programming but I seized this opportunity when it came.
Let me ask you this. If you could go back and give your previous self or younger self advice, what would that advice be?
That’s hard and it’s not that I live this perfect life. I would say charge more and work less. A lot of entrepreneurs undercharge and because they undercharge, they have to work 70 or 80 hours a week o like make it all work out and I’ve gotten out of that mold.
That leads us to the next question. What do you do outside of work? What are your passions?
I’m going to run because it’s gorgeous in St. Louis. I love to travel. I took my daughter to Egypt years ago, planning a trip to Greece with another daughter and took my son to Iceland. That same kid and I climbed Kilimanjaro. Anything like that and maybe if it’s a little bit more extreme, my wife’s like, “You’re nuts. You’re going to climb the biggest mountain in Africa.” I’m like, “Yes, it’s not Everest. There’s no technical. There are no ice picks.” I have a real sense of adventure. John, if you called and said, “Do you want to go back to Asia for a couple of months,” and I could pull it, I’d join you.
I did some shipwreck diving while I was there, scuba diving and some other diving on some of the reefs. It’s gorgeous. I have that same passion for traveling and seeing the world. I’ve been to Europe, Australia and then Asia, all through Central and South America.
It broadens your perspectives. You meet so many fascinating people that way. I still keep in touch with people I met in Africa and different places.
Chris, how can people reach you and find you?
Probably the best way is through LinkedIn or by email. I don’t do Twitter. I don’t know why. It’s not my mold. We’ll see where that goes but those are the best ways. I have my phone number too if that’s appropriate.
Chris, I appreciate all your insight here. I look forward to the technology. We have some customers that we see that need help with their backups consistently. We look forward to introducing maybe you to some of them and having some good conversations.
It would be an honor to help.
That’s it. To our audience, thank you for reading. We hope you’ve learned something, laughed or at least had a good time. Maybe you don’t want to go traveling but tell somebody about this. We’ll give you some travel advice if nothing else and back up your stuff before you go. Chris, thank you for your time. It’s been another great episode. We’ll see you next time.
Important Links
- Verified Backups LLC
- Veeam Software
- Robin Robins
- 12 Week Year
- Atomic Habits
- LinkedIn – Chris Marshall
About Chris Marshall
After nearly 28 years of creating data warehouses, custom reports, and user automation, I started Verified Backups LLC to bring peace of mind to CEOs and company owners. We have developed PATENT-PENDING technology to test each and every database backup to ensure it’s usable and current. We help companies recover when disaster strikes.
He loves outdoor activities, especially running and hiking. He climbed Mount Kilimanjaro with his son last September, an incredible adventure for us. He loves traveling and has taken some of his kids to places like Iceland, Europe, Egypt, and Africa. He has had a programming business for 30 years helping companies automate their workflow and get the right reports more easily. In this role, he served companies of all sizes from SMBs to Boeing and Dollar General. He is very happily married with 5 adult children and a 9-year-old grandson.
