5 Things Companies Can Do (Right Now) to Secure Their Backups
Having policies and procedures in place that outline how your organization handles backups is crucially important, especially during a time of near-universal remote work.
March 31, 2020
World Backup Day is today. The event is an annual reminder that backing up data is an essential part of data hygiene and security.
That’s doubly true this year when it hits amid an unprecedented surge in remote work because of the COVID-19 outbreak. A dispersed workforce introduces new challenges that can make backups more difficult – and more important. Among other things, communicating with employees about best practices for handling backups is now crucial.
To that end, here are five things IT leaders can do right now to ensure that they’re maintaining backup best practices both at the organizational and the individual employee level.
1: Follow the 3-2-1 Rule
The 3-2-1 rule of backups states that you should have three copies of essential data: an original and two backups, preferably in different formats and different locations. This helps minimize the likelihood that ransomware, physical loss, or malware actually leads to the loss of crucial data.
For remote employees storing their daily work, a good option is to combine a local NAS or USB backup with a remote cloud backup (e.g., via AWS or Google). For cloud storage, both for employee files and larger datasets and systems, choose immutable backup. This prevents data deletions and alterations, which can be crucial in the event of a ransomware attack.
One client we worked with had both local storage and immutable cloud storage. It got hit with a ransomware attack that encrypted both its primary files and its onsite backup. The attackers demanded multiple millions of dollars to restore the files. What they didn’t know was that the client had offsite immutable backup. The client was able to restore from that backup and didn’t have to pay the ransom to restore its files.
2: Back Up All the Data You Need
There are two components to consider here.
First, it’s important to make sure you’re backing up the right data – correct versions in correct formats – and that remote employees are following any best practices that are different from what they’d do in the office.
Second, it’s important to have policies and procedures in place for backing up not only data you own but also data you generate via SaaS platforms. Many people mistakenly believe that, because such data is in the cloud, it’s automatically backed up. But this isn’t the case.
Microsoft, for example, is upfront that it doesn’t do automatic backups. Salesforce is moving away from automatic data protection. Enterprise backup providers like Veeam and NetBackup offer SaaS data backup, but remember to educate remote employees about any actions they need to take to ensure these providers run as needed.
3: Always Enable Encryption
Encryption is critical to have, whether as a corporate standard or as an enabled feature on an off-the-shelf backup solution. In the latter case, though, encryption is usually an optional feature, which means many users never activate it.
Ensure that employees have clear instructions for how to enable encryption in backup software, including how to securely store passphrases to enable encryption, if necessary.
4: Confirm Backups Are Working
This may seem obvious, but we regularly see instances of teams being confident that their backups are working properly only to discover that they’re not – often at the moment they attempt to restore backed-up data.
Again, this can be exacerbated when your workforce is remote. Employees running backup software may not realize that their laptops have to be open and “awake” for the program to complete.
Luckily, the solution is simple: communicate regularly and clearly with employees about what steps they need to take to ensure backups are completed. We’ve found success with sending regular, short communications rather than occasional longer-form updates. A weekly video or email from your CISO, for example, can both communicate important information in digestible doses and send the message that backups are a thing everyone should be thinking about on a regular basis.
5: Test Restores
Very few organizations test restores.
The typical attitude we see is, “Okay, we passed the audit. We’re good.”
In reality, this is dangerous. What happens if retention times are set incorrectly? What happens if backup data is not valid? What happens if ransomware gets into your backups and encrypts or corrupts them? A lot can go wrong, so it’s important to run regular tests.
At the corporate level, we typically recommend quarterly runbook testing. Restore a machine from backup files, return it to the employee, and ask whether the restored data is accurate. You might have them pull accounting files, sales and marketing folders, and anything else they need to do their jobs.
During a time of extensive remote work, it’s probably also wise to ask employees to run self-service restores, trying to restore individual Excel or PowerPoint files, again with the goal of making sure restored data is complete and accurate.
For Best Results, Combine Policy & Procedures with Communication
Having policies and procedures in place that outline how your organization handles backups is crucially important. Just as important – especially during a time of near-universal remote work – is adequately communicating with employees what their role is in maintaining the health of your organization’s backups.
When in doubt, clearly spell out expectations for employee behavior. When it comes to backups, it’s always best to err on the side of caution.