Through working with a variety of businesses, the S.R. Snodgrass Technology Services Group has observed that appropriately managing data backups is just as important as backing up data. Below we’ve outlined our recommendations on how to establish a suitable backup method and the best practices for managing the solution chosen.
Companies with moderate to large IT environments should implement a mirrored site-to-site backup solution, in which data is replicated in real time or several times a day to an off-site location. Cloud-based solutions similarly exist for this type of replication and can serve the purpose of having an off-network backup copy to protect against ransomware threats. We suggest a mix of on-network and off-network backup solutions so that multiple copies of the data are available, with at least one stored off-network to avoid ransomware attacks encrypting all backup copies. For off-network backups, an encryption solution should be utilized, whenever possible, to further reduce the risk of data being compromised.
If companies elect to have data managed by a third party, they should review the party’s security documentation. Also, through vendor management reviews, businesses should certify that service providers successfully test their backups on a periodic basis. Whether using a managed third-party solution or an internal solution, businesses must define a recovery point objective (RPO) for critical data. An RPO establishes the acceptable age of the data once it’s restored. Therefore, it’s important to ensure a service provider’s backup procedures meet the RPO. Companies with both in-house and outsourced applications and data should establish a recovery time objective (RTO). In short, an RTO defines (a) the maximum amount of time that an application or data solution can be down without significant damage to the business and (b) the time it takes for the system to go from loss to recovery. Once established, the backup solution chosen must be tested to ensure these two timeframes can be met.
After determining a proper backup method, decisions must be made as to its ongoing management. Testing backups and restoration processes is crucial but can take days or even weeks to ensure the chosen solution is effective. Beginning with, when large amounts of data are being backed up, an independent hardware inventory should be matched to the backup solution’s managed device report to confirm that no key systems or data are being omitted from the backup solution. The worst time to find out that some of the company’s critical data wasn’t included in the backup solution’s copy is during a disaster. We recommend performing an inventory matchup quarterly, or at least annually. A process should be put into place to safeguard that all devices with vital data, including new devices added to the network, are added to the backup solution. Also, users should be instructed to keep important data on the network rather than on their PCs to ensure it’s included in the backup process.
Once there’s confirmation that all critical data is being backed up, the next step is to set up alerts and/or reports to be reviewed after every backup completes. If errors occurred, files were omitted, or the backup solution detailed complete backup failures, employees should be tasked with investigating the problem timely and addressing issues to affirm backups are successful.
Testing backup solution(s) should be performed quarterly, or at least yearly. This testing can be done in conjunction with annual disaster recovery testing but should include all major systems; complete server and data restorations, rather than just a few single-file restorations; and any planned failover circuits that automatically switch users over to the mirrored sites if a disaster occurs at the main location. The age of the backup data and the amount of time it takes to recover data should be compared with the company’s RPO to ensure recovery requirements can be met by the solution in place.
We recommend establishing a backup schedule and creating calendar reminders or checklists to make the process run smoothly. After completing each of the above steps a few times, the process will take less and less time to complete as backup solutions are configured properly and the nuances of new solutions are learned.
If you have questions related to backups, please reach out to Jeremy Burris, CISA, CISSP, MCP, L|PT, CPTS, C|EH, ECSA, Security+, Principal, at firstname.lastname@example.org.