Cybersecurity specialist Jon Fielding, managing director EMEA of Apricorn, looks at how to build a 360-degree backup strategy that protects information against all kinds of disruption – and why executing it must be a full team effort.
No business is immune to a cyber-attack, tech failure, or employee blunder that leaves vital data exposed to theft or rendered inaccessible. The growing realization that ‘it could (and probably will) happen to us’ has galvanized the importance of a rigorous backup strategy that involves multiple copies of data in both onsite and offsite locations.
With so many employees now regularly working outside the office environment – and moving and storing data outside the corporate network – it’s also important that all staff have a responsibility to back up the data they create and handle. However, more than 60% of respondents to a recent Apricorn Twitter poll said they’re currently not required to play any kind of role in backing up their company’s data.
Backups are still largely viewed as ‘something IT does’, but this needs to change urgently. Every individual should be required to play their own part in a layered backup procedure that covers policy, education, and technology.
Doubling down on offsite storage
For years, the time-honored advice around backups has been the 3-2-1 rule: keep three copies of data, on two different media, with one copy offsite. Many businesses have turned to cloud storage as their offsite backup solution, which makes a great deal of sense, as it offers a convenient, fast, and cost-effective approach. However, headlines reporting on last month’s Amazon Web Services (AWS) outage have highlighted the massive impact a relatively minor technical malfunction can have if those affected don’t have an alternative route to recovery.
Today’s backup procedures should incorporate more than one type of offsite location – ideally one online, such as the cloud, and one offline – to avoid the vulnerability that comes with having a single point of failure. This will provide the very best chance of fast recovery of information if other copies are damaged, lost, stolen, or unavailable.
One of the most straightforward ways of creating offline backups is to store copies of critical files on high-capacity external hard drives and USBs, which can be disconnected from the network to create an air gap between information and threat. This is particularly important as a defense against the rising ransomware threat, ensuring the business can always quickly restore from a clean, protected data set.
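The 3-2-1 rule, extended with the requirement above that at least one offsite copy be offline, can be turned into a mechanical check over a backup inventory. The script below is an added example (not Apricorn's code); the inventory format and the location and media labels are constructed assumptions. The second dataset shows the cloud-only failure mode discussed above: it passes plain 3-2-1 but has no air-gapped copy.

```python
"""Check a backup inventory against 3-2-1 plus an offline-offsite rule.

Added example, not Apricorn's code. The inventory format, location names
and media labels below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    location: str   # constructed label, e.g. "hq-nas", "cloud-eu", "usb-vault"
    media: str      # constructed media class, e.g. "nas", "object-storage", "external-hdd"
    offsite: bool   # stored away from the primary site
    online: bool    # True if reachable over a network; False if air-gapped


def check_backup_policy(copies):
    """Return a dict of rule name -> pass/fail for one dataset's copies."""
    offsite = [c for c in copies if c.offsite]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": len(offsite) >= 1,
        # The extension from the article: an offsite copy that is not
        # reachable over the network, so a cloud outage or ransomware
        # cannot take every offsite copy out at once.
        "offline_offsite": any(not c.online for c in offsite),
    }


def failures(copies):
    """Sorted list of the rule names a dataset fails (empty means compliant)."""
    return sorted(name for name, ok in check_backup_policy(copies).items() if not ok)


# Constructed sample inventory
INVENTORY = {
    "finance-ledger": [
        BackupCopy("hq-nas", "nas", offsite=False, online=True),
        BackupCopy("cloud-eu", "object-storage", offsite=True, online=True),
        BackupCopy("usb-vault", "external-hdd", offsite=True, online=False),
    ],
    # Two cloud regions look redundant but share a single failure mode:
    # both are online, so neither is an air-gapped copy.
    "crm-export": [
        BackupCopy("hq-nas", "nas", offsite=False, online=True),
        BackupCopy("cloud-eu", "object-storage", offsite=True, online=True),
        BackupCopy("cloud-us", "object-storage", offsite=True, online=True),
    ],
}


if __name__ == "__main__":
    for name, copies in INVENTORY.items():
        missing = failures(copies)
        status = "OK" if not missing else "FAIL: " + ", ".join(missing)
        print(f"{name}: {status}")
```

Running it reports `finance-ledger: OK` and `crm-export: FAIL: offline_offsite`, which is exactly the gap a cloud-only offsite strategy leaves.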
This approach requires IT to explicitly devolve some of the responsibility for backing up information to individual employees. The requirement for staff to take personal action to back their data up locally should be enshrined formally in company policy, and communicated clearly. This alone won’t be sufficient to secure buy-in, however. Employee education is essential – and not only around ‘what to do’ but also the ‘why’.
Building a backup culture
Everyone in the workforce needs to fully understand their responsibilities around data protection, including carrying out backups. This means briefing them on all relevant security policies and processes and providing training in how to correctly and safely implement any storage devices, tools, and technologies they’re equipped with.
That’s the practical stuff. To truly engage employees in their role, and encourage accountability, they need to be made aware of the context around what they’re being asked to do: the specific threats the business faces, the risks associated with failing to back information up properly, and the potential consequences to the business if data is lost or inaccessible – in terms of operational downtime, financial cost, and reputational damage.
The encryption of all corporate data as standard – whether it’s being stored online or offline – should be mandated across the business. When information is encrypted, it is unintelligible to anyone who’s not authorized to access it, which keeps it safe and intact whatever happens around it.
Encryption is a vital compliance tool; in fact, it’s specifically recommended in Article 32 of GDPR as a method of protecting personal data. For a breached company, evidence that lost or stolen data had been encrypted removes the obligation to inform each individual affected. Article 83 suggests fines will be moderated where a company can show it has been responsible and mitigated the damage suffered by data subjects.
A company policy that allows only the use of encrypted removable storage devices that have been approved by IT is essential – not only to ensure that the tools are fit for purpose but also to guard against a rising threat that was highlighted by the FBI in January. The bureau warned that cybercriminals are mailing ‘malicious’ USBs to employees in an attempt to trick them into installing malware or even ransomware on their corporate machines. The policy can be enforced by locking down USB ports to only accept approved devices.
Test and review – regularly
Once a backup procedure has been implemented it must be routinely tested – ideally as part of the company’s disaster recovery process. The entire process should be reviewed, and reinforced where necessary, to ensure that files can be recovered fast and that all data, applications, and systems remain intact and functional.
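A restore test is only meaningful if it verifies that what comes back matches what was backed up. The script below is an added example (not Apricorn's code) of a small restore drill: it records a SHA-256 manifest at backup time, restores the copy to a fresh location, and reports files that are missing, altered, or unexpected. All paths and file contents are constructed in a temporary directory; the `demo()` function with `tamper=True` simulates a corrupted backup so the failure mode is visible.

```python
"""Restore drill: back up a directory with a SHA-256 manifest, restore it, verify.

Added example, not Apricorn's code. All paths and contents are constructed
in a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> dict:
    """Copy the tree and return the manifest recorded at backup time.

    The manifest should be stored with the backup (and ideally signed);
    here it is simply returned to the caller.
    """
    shutil.copytree(source, dest)
    return build_manifest(source)


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest; every list empty means success."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupt": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_ok(report: dict) -> bool:
    return not any(report.values())


def demo(tamper: bool = False) -> dict:
    """Constructed end-to-end drill. With tamper=True one backup file is
    altered before the restore, modelling silent corruption of the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, bak, restored = base / "live", base / "backup", base / "restored"
        live.mkdir()
        (live / "sub").mkdir()
        (live / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "sub" / "notes.txt").write_text("quarterly review\n")

        manifest = backup(live, bak)
        if tamper:
            (bak / "ledger.csv").write_text("id,amount\n1,999\n")

        shutil.copytree(bak, restored)       # the "restore" step of the drill
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", demo())
    print("tampered restore:", demo(tamper=True))
```

The clean run returns three empty lists; the tampered run lists `ledger.csv` under `corrupt`, which is the signal a periodic restore test should raise before a real incident forces the question.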
Backing up data regularly and securely is a key pillar of cyber resilience: the ability to prepare for, respond to, and recover from disruption. Hackers will continue to target employees using tried and tested approaches to gaining access to data, systems, and networks, including phishing, combined with new tactics such as the malicious USB exploit.
This puts employees at the very frontline of protecting data – in particular when they’re working remotely. Furnishing them with the knowledge and tools they need to create local, offline backups is critical to maintaining a strong cybersecurity posture in the hybrid working era, and ensuring business continuity in the event of a data breach.