Blog Post
March 29, 2023 | Cybersecurity education
Data backups: What business owners should know
Data loss is a major worry plaguing IT professionals and business owners alike. Data loss or damage can restrict access to essential files—even destroying them completely. Losing access to this data can affect or even halt daily operations.
In fact, one report surveying IT professionals found that data loss is most commonly caused by hardware or system failure (31%), followed by human error (29%), and cyber attacks (29%).
This is exactly why data backups are essential. Should an incident occur and limit access to critical files, your teams need reliable data backups to expedite the recovery process and get back to business that much faster.
But first, what does it mean to have data backups?
What is a data backup?
Data backups are basically copies of data that can be recovered later—typically after a cyber attack or another event that compromised the integrity or availability of data. Backups are a critical component of a recovery plan, making it easy to retrieve essential files and resume operations quickly after an incident.
Ways to back up your data
Ideally, backups should be kept in a secure location that’s not connected to the network, such as an external hard drive stored offsite or a cloud-based backup service. After gaining access to your network, threat actors may deliberately try to tamper with data backups to cause further damage. You can stop attackers from doing this by keeping your backups air-gapped (in other words, physically isolated and unable to establish external connections). There are many approaches to data backups, and some may be more fitting than others depending on your organization’s needs and requirements. A few of the more common ways to back up data are via:
- External hard drive. External hard drives are portable, come with a lot of storage space, and can be relatively inexpensive. However, external devices like these can fail (Backblaze, a cloud storage provider, reported a 1% annualized fail rate for hard drives). What’s more, hard drives can be hard to manage internally without the right experience and skills.
- Cloud-based storage. A good cloud storage service comes with a file management system for simplified access. However, cloud-based storage options have had cybersecurity and data privacy issues in the past. Companies also have less control over their data when using cloud-based storage, which may be good or bad depending on your circumstances.
- Backup services. Using a dedicated backup service is simpler than traditional cloud storage. If you lose access to your files due to a malware attack, it can be as easy as hitting the restore button. However, most backup services have a monthly subscription fee.
What backup strategy is best?
Every backup solution has its advantages and disadvantages. Take the time to select an approach based on your company’s unique needs; for example, saving business-critical data to an external hard drive might not make sense for remote-only organizations or for those without enough IT experience.
Be sure to ask the right questions before deciding on a backup solution. If using cloud storage, make sure the company has implemented stringent privacy controls. If you store a hard drive off-site, where do you keep it? What physical access controls are in place? What are the environmental conditions of this location?
Hot or cold backups?
Many backup vendors offer the choice between “hot” or “cold” storage options. Hot backups or storage refers to data you or your company needs access to fast or frequently—such as business-critical files or data that's vital to daily operations. Hot storage is typically more expensive but offers the convenience of easy, quick accessibility. On the flip side, you won’t need to access all data regularly or in a rush. Cold storage would be beneficial for things like archived financial documents.
The 3-2-1 backup rule
Cybersecurity departments and experts have long recommended following a 3-2-1 approach for data backups. Put simply, this rule recommends:
- Keeping three copies of files—the original and two backups.
- Using two different backup types (e.g., one hard drive and one cloud copy).
- Storing one copy offsite.
Implement a data backup policy
Start by creating and implementing a clear, direct backup policy that fits your organization. No two policies will be 100% alike because every business has its own needs and structure. Outline the scope of your backup policy. Does it apply to digital and physical data assets? Does it extend to contractors and temporary workers, or only permanent employees? Communicate how often data should be backed up, and if certain files or data sets take priority or should be backed up more often. Not every document needs restoration after data loss, depending on the data type, date, and governing regulations. Only creating necessary backups minimizes complexity and makes the task manageable.
What should a data backup policy include?
Ensuring your data backup policy will capture what’s important and help you recover faster in the event of an incident takes time and consideration. Before we dig into the exact details to include, there are three broad themes that should inform your policy:
- Frequency: As mentioned earlier, the frequency at which you back up your data can mean all the difference between losing days of business information or losing a few minutes. Organizations that rely on up-to-date data will benefit from greater frequency (once a day, for example) while others may be able to operate with backups taken at larger intervals.
- Reliability: Time is a limited resource for organizations everywhere, and ensuring backups and recovery efforts will work takes time. Testing backups (more on that below) and determining if they will succeed while ironing out the kinks ahead of time can help identify any issues well in advance so you can further refine your data capture efforts.
- Time: Data backups take time, as does the recovery process. Copying over data to a clean, secure system takes time, which must be accounted for in a backup policy. Establishing this baseline will help set expectations for an actual event.
With these themes in mind, it’s time to do to establish clear guidelines. Your data backup policy should include:
- A statement that describes the fundamental reason the policy exists and how it will help the organization.
- The purpose of the backup policy, which establishes the guiding principles for how data backups should occur and how the process fits into overall disaster recovery efforts.
- The scope of the policy, to determine what data is covered by the policy and what data is excluded. Because not all data is equal, your organization must determine what it considers critical to continued success and operations and what is an acceptable loss. This will help refine backup efforts.
- The specific policy, which articulates in detail the steps involved in backing up data, where data backups are stored, any testing processes that are required, steps for recovering backups, and additional tasks that may be required.
- Additional appendices to capture references and supporting documents that relates to the backup policy.
Test and verify your backup recovery
One survey of more than 3000 IT decision-makers found that 58% of backups fail during restoration. This shows that it’s not enough to just back up your data and hope that everything will work smoothly.
Think of how frustrating it would be to routinely backup your data only to receive a big error message during the recovery process. Take the time to test and verify your data backups properly. This way, if you come across any issues, you can fix them before it’s too late.
Data backups are only one piece of the puzzle
Backing up data is a critical component of any cybersecurity strategy—but it’s not the only one. There are many other ways to reduce cyber attacks and the likelihood you’ll need to use a backup.
Start by improving your cyber situational awareness. In other words, gain a better understanding of your network, your threats, and how to respond to those threats. You can’t protect what you don’t see, so spend time learning what computers are on your network, their configurations, and what software is on them. Pay attention to non-traditional devices that may be connected to your network, such as the HVAC system or smart office printers.
Another way to improve your cybersecurity is by investing in employee training. The employee is one cybersecurity risk found in every business—regardless of size or budget. Humans aren’t perfect and can easily fall prey to convincing phishing emails. You can proactively reduce this risk by increasing training and giving employees the right tools and information to behave securely online.
Stay ahead of cyber threats by finding and resolving security gaps and other risks before they become a real problem. Our threat detection and response platform, Covalence, combines machine automation and human intelligence to detect vulnerabilities, attacks, and risks across your entire business—networks, endpoints, and the cloud.