Data backups are the last line of defense from paying a ransom or suffering the loss of criminally encrypted or otherwise destroyed data. Here are a few tips to make sure you’re getting everything you can from your backup process.
Know Your Business Data
Business data changes over time. Applications change, SaaS is adopted, users add folders, archived data gets moved around. Think of your overall data footprint, including any remote sites and multi-cloud deployments you may have. Be sure to apply your data access and security controls consistently across this data footprint.
Knowing what data is valuable to the company and where it currently resides will allow the backup administrator to make sure it’s protected. This means that IT and business managers must have a shared understanding of what data is most important to the success of the business. Revisit this topic as needed to make sure that the data protection configuration stays aligned with business needs.
Protect Your Backup
Data backups are not immune to a ransomware attack, accidental deletion, or other types of destruction. Make sure you’re keeping at least one copy of your backup offsite and safe from any disaster that may occur at the location of your business or data source. If your original data and your data backup are in the same physical location, then you have created a single-point-of-failure in your data protection process.
You could take this data protection a step further and follow the classic 3-2-1 rule:
- Make 3 copies of data
- Using 2 different formats
- And keep 1 offsite copy
Keep in mind that Windows is the operating system most prone to attack, and a Windows-based backup is more difficult to protect. You can add another layer of protection by running the backup on a different operating system.
Know Your Risk Tolerance
Data protection is business protection, so you have to consider a couple of things when deploying data backup:
- Recovery Time Objective (RTO): how long are you willing to be offline? How much downtime can your business accept?
- Recovery Point Objective (RPO): how much data are you willing to lose? How often does your critical business data change?
These two objectives should be top of mind when building your data protection strategy and then evaluated again during testing and network changes. Keep in mind that RTO and RPO may be different across different systems. You may have RTO times of 4 hours for mission-critical applications and 8 hours for all others. Your RPO may also vary between systems. You might be able to accept an 8-hour data loss on user folders, but you need near-zero loss (continuous replication) on mission-critical data. Knowing what your business can tolerate will help you determine how to prioritize your backup and how to apply the backup policies.
Focus on the Recovery
With your risk tolerance in mind, test your backups regularly. Try a few different scenarios, from a simple restore of a mission-critical file to a complete loss that requires new hardware or a new location. It’s going to be difficult for many SMBs to do a realistic practice run on a disaster scenario, but a mental run-through will be worthwhile. Visualize the scenario and your response. Take the time to challenge your assumptions. What if you can’t restore to the same type of hardware? What if it’s a regional problem and not just a local site problem? What if you can’t restore the applications that provide access to the data? Document the exercise as needed and address any unacceptable areas.
Maintain Visibility Into the Backup System
If your company does fall victim to an attack, you’ll reduce your risk by detecting that attack quickly. While that seems obvious, many companies don’t prioritize monitoring or alerting on backup systems, even though these systems can help warn you of file changes. For example, a ransomware attack will have a huge impact on your backup, because 1) incremental backups will be much larger due to all of the file changes and 2) the encrypted files cannot be compressed or deduplicated. In this example, a quick check of the capacity utilization can show you that something is seriously wrong with the file system. Monitoring your data backup metrics should be part of your daily administration tasks.
Data protection is no longer just a backup procedure that is separate from cybersecurity. Taking the time to understand your data and ensure it is properly protected is one of the best investments you can make in security and business continuity.
Originally published on the Barracuda Blog, June 3, 2019, by Anastasia Hurley.
