Business Security

How robust backup practices can help drive resilience and improve cyber-hygiene in your company

Phil Muncaster

18 Oct 2023  •  , 5 min. read

Could your company survive if its most critical data stores were suddenly encrypted or wiped out by cybercriminals? This is the worst-case scenario many organizations have been plunged into as a result of ransomware. But there are also many other scenarios that could create serious business risk for companies.

To mark Cybersecurity Awareness Month (CSAM), we looked at how both individuals and companies that fail to prepare are preparing to fail. Today, we’ll dive a little deeper into one particular aspect of how companies can help drive resilience and improve cyber-hygiene.

Having a backed-up copy of that data ready to restore is a safety net that many fail to consider until it’s too late. And even those with backups may manage them in a way that continues to expose the organization to risk. Indeed, backups can be a target too.

Why do you need backups?

Ransomware has perhaps done more for awareness about data backups than any other cyberthreat. The prospect of malware designed to encrypt all corporate data – including connected backups – has driven companies to invest in mitigations en masse. And it appears to be working. According to one estimate, the share of victims who pay their extorters dropped from 85% in Q1 2019 to just 35% in Q4 2022. Given that ransomware remains disproportionally a problem for SMBs, the threat from external hackers remains a major driver for backups.

However, it’s not the only one. Consider the following risks, which backups can help to mitigate:

• Destructive data extortion attacks, partly driven by the cybercrime-as-a-service ecosystem, in which data is exfiltrated and encrypted drives before a ransom is demanded. ESET’s Threat Report for September to December 2022 found the use of increasingly destructive tactics, such as deploying wipers that mimic ransomware and encrypt the victim’s data with no intention of providing the decryption key.
• Accidental data deletion by employees is still a challenge, especially when sensitive data is saved to personal devices which don’t back it up. These devices could also be lost or stolen.
• Physical threats: floods, fires and other natural disasters can knock out offices and data centers, making it doubly important to store a separate copy of sensitive data in another geographical location.
• Compliance and auditing requirements are becoming ever more onerous. Failure to produce the information required of your business could lead to fines and other punitive action.

It’s difficult to put a price on it, but failing to backup in line with best practices could be a costly mistake. The average ransomware payment in Q4 2022 was over $400,000. But there are many other direct and indirect costs to consider, both financial and reputational.

How do I get there?

Best-practice backup strategy doesn’t need to be a black box. Consider the following 10 ways to achieve success:

• Develop a strategy

It sounds obvious, but it pays to plan carefully to ensure any backup strategy meets the requirements of the organization. Consider this as part of your disaster recovery/business continuity planning. You’ll need to consider things like the risk and impact of data loss events, and objectives for data restoration.

• Identify the data you need to backup

Data discovery and classification are a vital first step in the process. You can’t backup what you can’t see. Not all data may be deemed business critical enough to warrant backing up. It should be classified according to the potential impact on the business if made unavailable, which in turn will be informed by your corporate risk appetite.

• Follow the 3-2-1 rule

This posits that you make three copies of the data, on two different media, with one copy stored offsite and offline. The last bit is particularly important, as ransomware often hunts out backed-up data and encrypts that too, if it is on the same network.  

• Encrypt and protect your backups

Given that threat actors also seek out backed-up copies of data for extortion, it pays to keep them encrypted, so they can’t monetize the data stored within. This will add an extra layer of defence beyond the 3-2-1 mechanism (at least 3 copies, 2 different storage types, 1 copy offsite) if you use it.

• Don’t forget cloud (SaaS) data

A great deal of corporate data now resides in software-as-a-service (SaaS) applications. That can provide a false sense of security that it is safe and sound. In reality, it pays to add an extra layer of protection by backing this up too.

• Test your backups regularly

It’s pointless having a backed-up copy of your company data if it won’t restore properly when called upon. This is why you should test them regularly to ensure the data is being backed up correctly and can be retrieved as intended.

• Run backups at regular intervals

Equally, a backup is of limited use if it restores to a point in time too long ago. Exactly how regularly you should run backups will depend on the time of business you have. A busy online store will require almost continuous backing up, but a small legal practice can get away with something less frequent. Either way, consistency is key.  

• Choose your technology partner carefully

No two businesses are the same. But there are certain features which are useful to look out for. Compatibility with existing systems, ease of use, flexible scheduling and predictable costs all rank highly. Depending on the size and growth trajectory of your business, scalability may also be important.

• Don’t forget the endpoint

Backing up network drives and cloud stores is one thing. But don’t forget the wealth of data that may reside on user devices like laptops and smartphones. All should be included in a corporate backup policy/strategy.

• Look beyond backups

Don’t forget, backups are only one piece of the puzzle. You should be complementing them with security tools at the endpoint, network and server/cloud layer, detection and response tooling, and more. Also follow other cyber-hygiene best practices like continuous patching, password management and incident response.

Data is your most important asset. Don’t wait until it’s too late to formulate a corporate backup strategy.