
Backups: A Guide

Backups allow you to recover from a cyber-incident by retaining copies of your most critical data. Below is our summary of the key elements you need to know about backups.

Why are backups so important?
Backups contain copies of your data. You can choose what to back up depending on your network configurations, your compliance requirements, or your budget. A set of backups reduces the downtime you experience during a cyber-incident by giving you an accessible copy of critical network data as a foundation for rebuilding post-attack. There are 2 key areas to consider: backing up systems & servers, and backing up user devices.

Why back up systems & servers?
Backing up systems & servers ensures that central functions and information are not lost when an incident happens. These incidents don’t have to be malicious (ransomware, viruses, employee vandalism) to cause issues – even accidental incidents (a bad data migration) or just plain bad luck (a power outage, or equipment failure) can have a far-reaching impact on your systems' ability to function if you don’t have a recent backup you can restore.

Why back up user devices?
While your organization may have a robust approach to backing up its central systems & servers, it’s also important to cover the files & data stored on your users' work devices. Losing a laptop, suffering a hard-drive failure, or having a computer infected with a virus will cost that user a significant volume of valuable work. Encourage users to adopt a cloud-first approach to documents and filing, and back up these cloud services regularly. Remind users that local file storage is insecure and increases the chance of data loss.

How often should backups be updated?
To be effective and useful, backups must contain everything required to restore core infrastructure and business functions. You must back up comprehensively and regularly so that, if you need the backups, you do not lose days, weeks, or months of updates and changes. You may not need to back up everything - as this can become cumbersome and expensive - but you should set an appropriate cadence of backups for your critical assets depending on the frequency at which they update or change.

How should backups be protected?
Backups should be stored away from the primary network to minimize their chances of compromise in an attack. The common approach is known as the "3-2-1" approach: 3 copies of data across 2 types of media, with at least 1 in a different location. Backups should also be immutable, to minimize the chance of interference between the time a backup is made and the time it is deployed. Finally, they must be encrypted to prevent the breach of data in the event that they are compromised by a threat actor.
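The following added example (not part of the original guide) audits a backup inventory against the "3-2-1" approach, the encryption and immutability requirements, and a backup cadence. The `Copy` record, the `audit` function, the sample inventory and the one-day cadence are all constructed for illustration, and the example assumes the production data counts as one of the 3 copies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Copy:
    asset: str       # system or dataset being protected
    media: str       # e.g. "disk", "tape", "object-storage"
    location: str    # site or region holding this copy
    primary: bool    # True for the live production data
    encrypted: bool
    immutable: bool
    taken: datetime  # when this copy was last written

def audit(copies, max_age, now):
    """Return {asset: [findings]}; an empty list means the asset passes."""
    by_asset = {}
    for c in copies:
        by_asset.setdefault(c.asset, []).append(c)
    report = {}
    for asset, group in by_asset.items():
        findings = []
        backups = [c for c in group if not c.primary]
        primary_sites = {c.location for c in group if c.primary}
        if len(group) < 3:  # assumption: production data is one of the 3
            findings.append(f"only {len(group)} copies, need 3")
        if len({c.media for c in group}) < 2:
            findings.append("all copies on one media type, need 2")
        if not any(c.location not in primary_sites for c in backups):
            findings.append("no backup outside the primary location")
        for c in backups:
            if not c.encrypted:
                findings.append(f"{c.media}@{c.location} is not encrypted")
            if not c.immutable:
                findings.append(f"{c.media}@{c.location} is not immutable")
        if not backups or now - max(c.taken for c in backups) > max_age:
            findings.append("no backup within the required cadence")
        report[asset] = findings
    return report

NOW, MAX_AGE = datetime(2024, 6, 1, 12, 0), timedelta(days=1)  # constructed
SAMPLE = [  # constructed inventory, not real data
    Copy("crm-db", "disk", "hq", True, False, False, NOW),
    Copy("crm-db", "disk", "hq", False, True, True, NOW - timedelta(hours=6)),
    Copy("crm-db", "object-storage", "cloud-eu", False, True, True, NOW - timedelta(hours=20)),
    Copy("file-share", "disk", "hq", True, False, False, NOW),
    Copy("file-share", "disk", "hq", False, True, False, NOW - timedelta(days=9)),
]
if __name__ == "__main__":
    for asset, findings in audit(SAMPLE, MAX_AGE, NOW).items():
        print(asset, "PASS" if not findings else findings)
```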

How should backups be restored?
Your team must devise a playbook for backup restoration and run regular practice drills. By running drills, you reduce the chance of unforeseen complications or restoration errors when a real event happens. Additionally, you should be running pre-restoration checks on backups to identify any malware that may be dwelling within them. A malicious file in a set of backups can set recovery back drastically, even rendering a backup useless.

Who should access backups?
Only users with appropriate vetting and privileges should be able to access backups. They are incredibly valuable, and the more users who can access them, the greater the chance of them being compromised either intentionally by a threat actor gaining control of an account, or accidentally by an over-privileged user with no training. All users who are eligible for backup access should use MFA on their access credentials to reduce the risk of threat actors gaining access.

Checklist
When setting up your backups:

  1. Ensure that mission-critical services are backed up regularly
  2. Ensure any backups are encrypted, immutable, and tested to confirm they are free of malware and viruses
  3. Plan for running restoration exercises to improve your recovery time
  4. Identify who should have backup access, and the training and additional security measures they need to be aware of
  5. Focus on backing up centralized, cloud-focused services for consistency and accessibility