Jon Fielding, managing director EMEA, Apricorn
Companies have comprehensively bought into the need for a solid backup strategy to protect their data in a world where a breach can simply never be off the cards. It’s a key pillar of cyber resilience: the ability to prepare for, respond to and recover from disruption. When information is backed up regularly and securely, it can be quickly restored, and critical applications got back up and running fast.
The backup ‘mantra’ for a few years now has been the need to embrace the ‘3-2-1 rule’: have three copies of data, on two different media, one of which is offsite. This appears to have been heeded, with two-thirds of respondents to Apricorn’s most recent Twitter poll stating that their company does back up to an offsite location. However, relying on one single type of offsite solution can still leave organisations vulnerable to a data breach.
Many businesses have selected cloud storage as their primary backup location: of those that have formal data backup procedures, more than half (55%) rely on the cloud. This makes a great deal of sense, as the cloud offers a convenient, fast and cost-effective way to back up critical information. It’s also ‘low maintenance’ – the provider takes care of routine tasks such as updates and patching, for instance. However, this devolution of responsibility also creates risk. When you sign the contract, you’re also signing over a chunk of the control you have over your data’s security.
Avoiding a single point of failure
With cloud as the sole backup location, if the provider suffers a cyberattack that results in data being compromised, for example, or a technical issue renders services unavailable, costly business disruption will follow whether an SLA is in place or not.
Adding an offline backup location to complement the use of the cloud will mitigate this risk – protecting corporate data against loss and theft from all potential angles. This provides the best chance of recovery if other copies of information are damaged, lost or stolen, and is particularly important as a defence against the rising ransomware threat, ensuring the organisation can always restore from a clean, protected data set.
One of the most straightforward ways to create offline backups is to store copies of critical files on high-capacity external hard drives and USB flash drives, which can be disconnected from the network to create an air gap between the information and the threat. These storage devices should be encrypted, ideally in hardware, to ensure absolute security for the data held on them, and they give all employees the capability to freely and securely store and move data offline.
Make it everybody’s job
Requiring all employees to back up all the data they create and handle locally – and enshrining this in policy – will ensure everyone takes responsibility for the data they handle. Employee education is key to securing buy-in here – and not only around ‘what to do’ but also the ‘why’.
Individuals need to fully understand their role and responsibilities around data protection, including carrying out backups. This means briefing them on all relevant corporate security policies and processes and providing training in how to correctly and safely implement the devices and technologies they’ve been equipped with.
Alongside the ‘practical stuff’, education has a critical part to play in engaging employees in strengthening the company’s security posture. They need to fully understand the context around what they’re being asked to do: the specific threats the business faces, the risks associated with mishandling information, and the potential consequences to the organisation of a breach.
Encrypt as a last line of defence
The encryption of all corporate data as standard – whether it’s being stored online or offline, and also when it’s in transit – should be mandated across the organisation. An encryption policy is part and parcel of any effective cyber-resilience strategy in the hybrid working environment. When information is encrypted, it is rendered unintelligible to anyone not authorised to access it, keeping it safe and intact whatever disruption is going on around it.
Encryption is a vital compliance tool; in fact, it’s specifically recommended in Article 32 of GDPR as a method of protecting personal data. For a breached company, evidence that lost or stolen data had been encrypted removes the obligation to inform each individual affected. Article 83 suggests fines will be moderated where a company can show it has been responsible and mitigated the damage suffered by data subjects.
Companies are increasingly embedding encryption into their ways of working. In Apricorn’s 2021 survey of IT leaders, a third (31%) said their organisation now requires all data to be encrypted, and a further 24% require it when data is being stored on their systems or in the cloud. Three quarters (77%) confirm their organisation has a policy of encrypting all data held on removable media.
Test and review
Once the backup procedure has been implemented and communicated across the workforce, it must be routinely and regularly tested – ideally as part of the organisation’s overall disaster recovery process. Practice should be reviewed, and reinforced where necessary, to ensure that systems and files can be recovered as quickly as required and that all applications and data remain intact and functional.
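To make the layered strategy concrete (the 3-2-1 rule, an added offline copy, encryption everywhere, and a routine restore test), here is an added example that is not the article’s or Apricorn’s code: a Python policy check run over a constructed backup inventory. The BackupCopy fields and the sample copies are assumptions for illustration.

```python
# Added example (not from the article): a policy check over a backup inventory
# encoding 3-2-1 plus an offline copy, encryption, and a SHA-256 restore test.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str      # storage type, e.g. "server-disk", "cloud", "external-hdd"
    offsite: bool    # held at a different physical location
    offline: bool    # disconnected from the network (air-gapped)
    encrypted: bool  # encrypted at rest, ideally in hardware
    sha256: str      # digest of the data read back during the test restore

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evaluate(copies: list, live_hash: str) -> dict:
    """Findings keyed by check name; an empty dict means the copy set passes.
    `copies` includes the primary (live) copy, as the 3-2-1 rule counts it."""
    findings = {}
    if len(copies) < 3:
        findings["copies"] = f"{len(copies)} copies held, rule requires 3"
    if len({c.medium for c in copies}) < 2:
        findings["media"] = "every copy is on the same kind of medium"
    if not any(c.offsite for c in copies):
        findings["offsite"] = "no copy held offsite"
    if not any(c.offline for c in copies):
        findings["offline"] = "no offline (air-gapped) copy to restore from"
    unencrypted = [c.label for c in copies if not c.encrypted]
    if unencrypted:
        findings["encryption"] = "unencrypted: " + ", ".join(unencrypted)
    # Restore test: a copy that does not read back identical to the live data is not a usable backup
    bad = [c.label for c in copies if c.sha256 != live_hash]
    if bad:
        findings["integrity"] = "restore mismatch: " + ", ".join(bad)
    return findings

# Constructed sample inventory: digests each copy produced when read back during a test restore
LIVE_HASH = sha256_hex(b"customer-ledger-2022.csv contents (constructed)")
LAYERED = [
    BackupCopy("primary", "server-disk", False, False, True, LIVE_HASH),
    BackupCopy("cloud", "cloud", True, False, True, LIVE_HASH),
    BackupCopy("hdd", "external-hdd", False, True, True, LIVE_HASH),
]
CLOUD_ONLY = [  # a single online offsite copy whose last restore read back stale data
    BackupCopy("primary", "server-disk", False, False, True, LIVE_HASH),
    BackupCopy("cloud", "cloud", True, False, True, sha256_hex(b"stale snapshot")),
]
```

Running evaluate(LAYERED, LIVE_HASH) returns no findings, while the cloud-only set is flagged for too few copies, no offline copy and a restore mismatch.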
Backup strategies in this era of disparate workforces and evolving cyber threats should be multi-layered, incorporating more than one type of offsite location – ideally one online, such as the cloud, and one offline. These solutions will complement each other to protect businesses from unexpected data loss from all potential directions.
Many organisations have chosen to back information up in the cloud – and rightly so – but in 2022 we’re likely to see more instances of data being compromised, stolen or lost as a consequence of relying on cloud storage alone. The age-old, tried and tested attacks on well-known weak points will continue, alongside attacks that specifically target remote working employees. Ransomware will become the technique of choice now that organised crime is involved and it can be easily monetised. A 360-degree backup strategy that has encryption at its core will play to the strengths of each storage location incorporated into the process, to cover all eventualities.