Are Backup Files the Missing Link in Your Cyber Security?

Do you have backup files for your critical business data and software? Where are they stored? How often are they updated?

During Cyber Security Awareness Month, you should be asking these three critical questions. Too often, business leaders and employees see cyber security as an ongoing battle against phishing, business email compromise and other direct scams. While these are core concerns in cyber security, data safety is also essential. You can train your people to stop pretexting attacks, but that training is of no value when a hacker encrypts or steals all of your business data, shutting down your operations. Even the most experienced IT professionals can have a blind spot when it comes to data backups.

Cloud Backup Files Are Not Enough

The default choice for many businesses is cloud backup, which is simple to implement and easy to access. The convenience of cloud backup files can obscure a significant risk: Cloud services can be hacked. If your only backups exist on a server, and that server is compromised, your backup data are gone. You may have done enough to qualify for a cyber liability insurance or business interruption insurance claim, but you still lack the data you need to run your business.

Cloud backup files should be part of your cyber security protocols, but they should not be your only path to data recovery. Backups on a solid-state device, such as a USB drive or an external hard drive, are also necessary for the following reasons:

1. Your cloud backups can be compromised. Hackers may encrypt or steal your data from your cloud backup provider, or compromise your cloud provider's operations, preventing you from accessing data.
2.  Backup files may contain malware. Cyber criminals are more patient than most people realize. It is rare for them to gain access and immediately deploy malware or ransomware. Instead, they will lurk for weeks, sometimes months, waiting to deploy an attack. If criminals launch a ransomware attack that encrypts all your files and you attempt to restore a recent backup, there is a good chance it will fail to solve the problem.
3. Cloud backup files may be incomplete. Creating a daily cloud backup is a good practice, but daily backups typically get purged after a few weeks to make room for newer backups. If you need data that is more than a month old, it may not be available. Your cloud backups may also be limited in scope; they may save daily data, but not the software you need to access that data.

Best Practices for Backup Files

Backup files are a crucial part of your overall cyber resilience. In the event of a ransomware attack, backup files may allow you to restore systems and avoid paying a ransom. In the event of data loss or exfiltration, backups may allow you to determine exactly what data were stolen, which can help you comply with new SEC Disclosure Requirements. Backups may also help cyber security professionals identify the timeline and methods used in a cyber attack.

Here are five things every organization should do to incorporate backup files in a cyber resilience plan:

1. Employ cloud backups wherever they are offered. Even with their limitations, cloud backups offer the simplest option for daily data and system protection. Set up daily backups for your website, business data and cloud-based services that you use. Be sure that data are encrypted and take note of what is and is not backed up; for example, a website backup may include the core elements of the site and exclude add-ons, plugins and custom code. Cloud services may back up your business data but not any customizations you have made to your cloud environment. When in doubt, ask your service provider for a full list of what is and is not backed up. Ask how long data are retained as well, and make a note of that timeline. If you have to pay a little extra for daily backups or longer data storage, it may be a worthwhile investment.
2. Create solid-state backups of business data. At least once a week, essential business data should be downloaded to spreadsheets and stored on a USB device or external drive. Once the storage device is full, label it with a date and keep it in a secure area in your office under lock and key. Restrict access to these backups to IT staff and senior leadership, and allow access only if critical systems are compromised and data become unrecoverable. Note that backups containing personal information may need to be erased or destroyed to maintain compliance with the FTC Safeguards Rule.
3. Maintain a physical file of critical business data. This should include information that you need to keep your business running, including client names, phone numbers, addresses and order or delivery information. To determine what to include, imagine a situation where your  business is without power for several weeks, or where you lack access to your office due to a fire or disaster. What would you need to continue to service your clients, and what functions can you track and complete offline? The physical file can be created in a spreadsheet and printed weekly, or as you add new clients. Like data backups on external drives, information in these files are subject to the FTC Safeguards Rule, so you will need to store the physical files in a secure place, limit access to them and destroy old copies periodically.
4. Create a System Recovery Image or Recovery Drive. An IOS Recovery Drive will allow you to repair a failing Mac or reinstall your MacOS software. A Windows System Recovery Image is a complete snapshot of your current Windows installation, settings and applications. These recovery images should be created quarterly and stored on a USB or external drive. Use a separate drive for each backup to reduce the risk of malware. These backup files have a practical purpose beyond cyber security: In the event that your primary computer is lost or damaged, you can use them to rebuild your systems on a new device. They can also help you restore systems if your hard drive fails.
5. Maintain access to your passwords. If you rely on your browser to fill in stored passwords, you could find yourself locked out of critical systems. A cloud-based password manager can provide access, as long as you have a copy of the keys and passwords needed to access it. Consider keeping critical passwords on a written list or in a text file on a USB drive that you store in a secure place, such as a safe or locked drawer. Never store sensitive passwords in emails or files on your hard drive, as cyber criminals will look for these if they gain access to your systems.

Backup files, printouts and drives should be treated with the same care as digital data. They must be kept in a secure place and should be used only when necessary. These additional security measures should not deter you from creating backups. In the event of a ransomware attack, natural disaster or catastrophic damage to a computer, backup files can get you up and running in less than two hours, or provide the information you need to run your business offline until online problems can be addressed.

Large organizations should have protocols in place to create and maintain backups as part of an overall cyber resilience plan. Small businesses and sole proprietors will need to manage backups by themselves, but it is not a complex or overly time-consuming process.