Backing up data is a workforce-wide responsibility

Cybersecurity specialist Jon Fielding, managing director EMEA of Apricorn, looks at how to build a 360-degree backup strategy that protects information against all kinds of disruption – and why executing it must be a full team effort.

No business is immune to a cyber-attack, tech failure, or employee blunder that leaves vital data exposed to theft or rendered inaccessible. The growing realization that ‘it could (and probably will) happen to us’ has galvanized the importance of a rigorous backup strategy that involves multiple copies of data in both onsite and offsite locations.

With so many employees now regularly working outside the office environment – and moving and storing data outside the corporate network – it’s also important that all staff have a responsibility to back up the data they create and handle. However, more than 60% of respondents to a recent Apricorn Twitter poll said they’re currently not required to play any kind of role in backing up their company’s data.

Backups are still largely viewed as ‘something IT does’, but this needs to change urgently. Every individual should be required to play their own part in a layered backup procedure that covers policy, education, and technology.

Doubling down on offsite storage

For years, the time-honored advice around backups has been the 3-2-1 rule: have three copies of data, on two different media, one of which is offsite. Many businesses have turned to cloud storage as their offsite backup solution, which makes a great deal of sense, as it offers a convenient, fast, and cost-effective approach. However, headlines reporting on last month’s Amazon Web Services (AWS) outage have highlighted the massive impact a relatively minor technical malfunction can have if those affected don’t have an alternative route to recovery.

Today’s backup procedures should incorporate more than one type of offsite location – ideally one online, such as the cloud, and one offline – to avoid the vulnerability that comes with having a single point of failure. This will provide the very best chance of fast recovery of information if other copies are damaged, lost, stolen, or unavailable.

One of the most straightforward ways of creating offline backups is to store copies of critical files on high-capacity external hard drives and USBs, which can be disconnected from the network to create an air gap between information and threat. This is particularly important as a defense against the rising ransomware threat, ensuring the business can always quickly restore from a clean, protected data set.

This approach requires IT to explicitly devolve some of the responsibility for backing up information to individual employees. The requirement for staff to take personal action to back their data up locally should be enshrined formally in company policy, and communicated clearly. This alone won’t be sufficient to secure buy-in, however. Employee education is essential – and not only around ‘what to do’ but also the ‘why’.

Building a backup culture

Everyone in the workforce needs to fully understand their responsibilities around data protection, including carrying out backups. This means briefing them on all relevant security policies and processes and providing training in how to correctly and safely implement any storage devices, tools, and technologies they’re equipped with.

That’s the practical stuff. To truly engage employees in their role, and encourage accountability, they need to be made aware of the context around what they’re being asked to do: the specific threats the business faces, the risks associated with failing to back information up properly, and the potential consequences to the business if data is lost or inaccessible – in terms of operational downtime, financial cost, and reputational damage.

Encrypt everything

The encryption of all corporate data as standard – whether it’s being stored online or offline – should be mandated across the business. When information is encrypted, it is unintelligible to anyone who’s not authorized to access it, which keeps it safe and intact whatever happens around it.

Encryption is a vital compliance tool; in fact, it’s specifically recommended in Article 32 of GDPR as a method of protecting personal data. For a breached company, evidence that lost or stolen data had been encrypted removes the obligation to inform each individual affected. Article 83 suggests fines will be moderated where a company can show it has been responsible and mitigated the damage suffered by data subjects.

A company policy that allows only the use of encrypted removable storage devices that have been approved by IT is essential – not only to ensure that the tools are fit for purpose but also to guard against a rising threat that was highlighted by the FBI in January. The bureau warned that cybercriminals are mailing ‘malicious’ USBs to employees in an attempt to trick them into installing malware or even ransomware on their corporate machines. The policy can be enforced by locking down USB ports to only accept approved devices.

Test and review – regularly

Once a backup procedure has been implemented, it must be routinely tested – ideally as part of the company’s disaster recovery process. The entire process should be reviewed, and reinforced where necessary, to ensure that files can be recovered fast and that all data, applications, and systems remain intact and functional.

Backing up data regularly and securely is a key pillar of cyber resilience: the ability to prepare for, respond to, and recover from disruption. Hackers will continue to target employees using tried and tested approaches to gaining access to data, systems, and networks, including phishing, combined with new tactics such as the malicious USB exploit.

This puts employees at the very frontline of protecting data – in particular when they’re working remotely. Furnishing them with the knowledge and tools they need to create local, offline backups is critical to maintaining a strong cybersecurity posture in the hybrid working era, and ensuring business continuity in the event of a data breach.

Jon Fielding

Cybersecurity expert Jon Fielding has specialized in data encryption and storage for the last 10 years. He is responsible for Apricorn’s EMEA sales and operations strategy, driving revenue growth, and establishing its channel network. CISSP-certified, he’s been focused on information security for 23 years, working with organizations ranging from IBM to start-ups including Valicert, Tumbleweed, and Ironkey.
