Cyber Tips: Backup policies
In the next post of our Cyber Tips series, we talk about what a backup policy entails and why it’s a vital part of any business’s cyber risk management solution.
Data is the most valuable part of a computer system and may be irreplaceable if lost to a ransomware attack or a hardware failure, or if it becomes corrupted. The following tips will assist you in planning and preparing a backup policy in case the worst happens.
What is a backup policy?
A backup policy is a well-thought-out plan to mitigate against data loss that could happen due to a ransomware attack, hardware failure, data corruption, or some other detrimental event. If implemented well, it can help an organisation to return to business as usual more quickly and easily.
The complexity of the backup policy will depend on the size of the organisation, the number of applications and databases it uses, and the quantity of data that requires backing up. It will also depend on company policy and regulatory obligations applicable to the organisation.
How do I implement backup policy best practice?
Identify your most critical data and plan accordingly
Identifying the data that is most critical to your business allows resources to be allocated so that this data is protected and prioritised. Backups can then be tailored to that particular data.
Take frequent backups
If you have mission-critical data, then attention should be paid to the frequency of the backups that are taken.
Use the 3-2-1 approach to backups
Create three copies of your data in addition to the original file, using two different backup media types stored locally and one copy stored remotely offsite.
Backups should be isolated or air-gapped from the network when not actively backing up data. Backup media should never be permanently connected physically or over the network.
Apply versioning to your data
Backups should contain old versions of your data, not just current versions of files backed up most recently. This is important in case of file corruption or ransomware that may be lurking in current data backups.
Periodically test the integrity of your backups
Data should be checked regularly to ensure that it is accessible and readable.
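One way to automate this check, as an added example that is not part of the original post: record a SHA-256 manifest when the backup is taken, then later re-read every file in the backup copy and compare. The function names and sample files are constructed for illustration, and the manifest is assumed to be stored separately from the backup it describes.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks; reading every byte also proves it is readable."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """At backup time, record relative path -> SHA-256 for every file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_backup(root, manifest):
    """Compare a backup copy with its manifest and classify every file."""
    report = {"ok": [], "missing": [], "unreadable": [], "corrupted": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        try:
            actual = sha256_file(full)
        except OSError:  # media or permission error while reading
            report["unreadable"].append(rel)
            continue
        report["ok" if actual == expected else "corrupted"].append(rel)
    return report

def demo():
    """Constructed sample: three files, then one is altered and one is lost."""
    files = {"ledger.csv": b"id,amount\n1,100\n", "customers.db": b"sample",
             "notes.txt": b"quarterly notes"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        manifest = build_manifest(root)
        with open(os.path.join(root, "ledger.csv"), "wb") as fh:
            fh.write(b"id,amount\n1,900\n")  # simulate silent corruption
        os.remove(os.path.join(root, "notes.txt"))  # simulate a lost file
        return verify_backup(root, manifest)
```

Calling `demo()` returns the report for the constructed sample; in practice `verify_backup` would be pointed at a restored or mounted backup copy on a schedule.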
Other considerations for your backup policy
- Data should be encrypted when backed up. This will help prevent unauthorised access.
- Consider making your backups immutable, so they cannot be altered by you or by bad actors.
- Consider using remote storage. Cloud-based storage can be a cost-effective option if managed correctly.
- Automate backups where possible. This will make the practice of backing up your data a part of everyday business.
- Consider the retention period for your backups. This is especially important if you are using cloud services to back up your data. Cloud data storage costs can mount up, so determine a sensible length of time for storage in your backup policy, considering legal and regulatory obligations.
- Consider your data retention policy. Do you actually need all the data that you are storing and backing up? Data is often stored unnecessarily, which adds cost and creates an additional security burden if the data is exposed.