Data sits front and center of any business. And it’s being generated in ever greater volumes. An estimated 120 zettabytes will be created, captured, copied, and consumed worldwide this year. That presents an attractive target for would-be data thieves and digital extortionists. And an increasingly robust if fragmented global regulatory regime means potentially severe penalties for organizations which don’t put the “appropriate technical and organisational measures” in place to keep it safe.
World Backup Day on Friday should therefore provide a timely reminder for IT security teams to mitigate threats to corporate data in line with industry guidance. But backups alone are not enough. Both backed-up data and indeed data located across the enterprise must also be protected to minimize security and compliance risk.
The case for backing up has been fortified over recent years by the explosion in ransomware attacks. One recent study recorded 493 million detections in 2022, marking it down as the second highest year on record after 2021. Year-on-year volumes surged particularly high in Europe (70%) and the UK (112%). If a ransomware payload is successfully deployed on a victim’s network and data is scrambled as a result, organizations may have to rely on their backups to restore operations in a timely manner.
There are also worrying signs of an increase in destructive attacks where the threat group steals a victim’s data and destroys the original copy, increasing the pressure on them to pay. One vendor recorded a 53% increase in this activity from Q3 to Q4 2022. Once again, regular backing up can mitigate the threats.
The case for backups is made even stronger by that other major source of cyber risk: employees. One study claims 85% of breaches are down to human error. This can lead to phishing attacks which carry ransomware payloads, or other data-stealing malware. One in four employees (25%) claim to have clicked on a phishing email at work, according to the same study. In a similar way, many accidental data deletion incidents are down to mistakes made by staff.
In this context, regularly backing up business-critical corporate data is a cyber-hygiene best practice advocated by many organizations including US, UK and EU security agencies. Here’s a quick checklist for organizations:
Understand your data and requirements: Classify data according to its criticality and the potential impact of losing it. Decide how to backup and how frequently.
Test backups: Regularly run tests to make sure backups are performing as anticipated. If data can’t be restored in a usable format then it’s a waste of time and money.
Follow the 3-2-1 rule: The best practice for backups is for three copies to be made, stored on two different types of storage media and with one copy of the data sent off site (e.g., to the cloud).
Continuously monitor backups: Set up alerts to notify if backups are malfunctioning.
Protect your backed-up data: If hackers manage to access a backup vault, it could represent a major security risk. Mitigate this with strong data-centric security such as tokenization or encryption.
In fact, strong data protection shouldn’t just be applied to backups. The majority of ransomware actors now look to steal data, before scrambling or deleting the original version. Backups can mitigate the latter risk, but what about the data that’s already been stolen? It could be leaked or sold on the cybercrime underground, exposing the organization and its customers to additional cyber risk.
By applying encryption or tokenization to this data ahead of time, IT and business leaders can sleep easy that the threat actors will not be able to use it. And they get the added bonus of streamlined compliance with regulations such as PCI DSS and the GDPR. This makes data-centric security and backups a formidable double-act for first and last line cyber-defense.