How businesses can help protect themselves from cyber attack

The bad guys will probably get in, so it’s a good idea to have a resilience plan in place for when they do

Digital backups are increasingly critical for business as they look to survive what are now seen as inevitable cyber attacks. Photograph: iStock

As in life, the important things in business aren’t always the most exciting. You hardly get a thrill from doing the bins or making sure you lock the door behind you on the way to work. Yet, like the peace of mind these acts give, a solid backup strategy is vital for any company’s tech infrastructure.

Knowing what you are doing is the most important first step, according to Lorne Chedzey, chief information officer at Ergo. The Irish IT services business, which expects turnover of €233 million this year, has more than 30 years of experience in the space. Chedzey says that finding support to guide you through a backup strategy is crucial.

“The advisory piece is so important,” says Chedzey. “When customers are working out where to start with cyber resilience, it helps to work out what the critical business processes are through to the underlying processes for that, to the infrastructure and, ultimately, the data.

“The key thing to focus on is what areas need to be covered and what is the scope for a cyber recovery service.”

This level of organisation has grown in importance in recent years as EU-level regulations, such as the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (Dora), and the second Directive on Security of Network and Information Systems (NIS2), have all put greater resilience requirements on businesses of all levels.

“We work a lot with companies in highly regulated sectors. Dora and NIS2 in particular are proving big. If you look at those standards, they are broad and have a lot to them, but all of them are calling out for customers to have cyber-resilience and recovery processes,” says Chedzey.

The increasing focus on backup plans comes as tech advice has, in Chedzey’s description, gone through a process similar to the five stages of grief.

“We believe that even without regulatory requirements, all our customers should look at a resilience service. The approach used to be to keep the bad guys out, then it went to the zero trust idea. Now it’s at the point of acceptance that the bad guys will probably get in and we need to have a plan in place for when they do.”

He expects an increased focus on resilience strategies now that the acceptance stage has been reached.

“Large organisations are going big into this. They are funding big projects to cover the scope of all their infrastructure. Medium-sized businesses might not need to meet the same regulatory standards but they will still be motivated to do this because they will be the target of a cyber attacker,” says Chedzey.

“The ones that might struggle will be the smaller businesses. They are struggling to make ends meet and they need to come up with lower cost services. There are lighter services available for them that aren’t as comprehensive.”

Whatever the level, the biggest challenge to accepting the need for a comprehensive backup strategy may be companies not realising its importance until it is too late.

“Backups are one of the most boring IT processes in place but also one of the most important. Too often they get overlooked. They have become more important because of the likes of ransomware attacks,” says Brian Honan, chief executive of BH Consulting and a cybersecurity specialist.

Brian Honan, BH Consulting. Photograph: Conor McCabe/Jason Clarke Photography

“They [hackers] compromise environments, encrypt all your data and you essentially have the option to either pay the ransom to get your data back or go to your backups instead. If you’re not managing your backups in a proactive and secure way, you may find the criminals compromise them as well or delete them.”

Honan says companies are wising up to the role backups play when it comes to protecting themselves from cyber attacks.

“Businesses have become more reliant on them due to the resilience they provide. They need to be considered as part of an overall plan. That covers how often you back up, what gets backed up and where you are backing it up,” he says.

“Within this plan, you have to be able to work out how quickly you can recover based on your backups.”

It’s not just criminals that companies need to be wary of. Natural disasters are increasingly becoming a source of risk for data storage. The regulatory environment does not provide exemptions for acts of God.

“If you are an organisation processing personal data, under GDPR you’re legally obliged to be able to make that data available regardless of what the disaster is. It doesn’t matter if it’s a ransomware attacker, an IT failure, a utility failure or a natural disaster,” says Honan.

That’s why backups need to be viewed as part of an overall resilience strategy rather than a box to be ticked.

“It all comes back to having a cyber resilience strategy in place but also doing risk assessment and management. Work out what is critical to your organisation, how you back it up, and how quickly you can get them back up and running again,” says Honan.

“The first thing you should do is identify what data you have. Rate the systems in priority of how critical they are to the business, where the data is stored and do some scenario planning.”

This view of backups as part of an IT security and resilience strategy is relatively new. For a long time, the primary role of this form of storage was recovering from innocent human error.

Scott Roberts of Dell Technologies. Photograph: Nash Mancino Photography

“Backups have always been critical for recovery of business data and supporting organisations when things go wrong. What we’re seeing now is that things are going wrong more often,” says Scott Roberts, EMEA cyber resilience director at US IT multinational Dell Technologies.

“There are more variables in how things can go wrong. Backups were traditionally in place to support things like the accidental deletion of a file or a system issue in an organisation. As we see now, with attacks on the rise, backups are now a key piece of the strategy for organisations to continue to operate and retain control of their critical operations in the face of adversity.”

Roberts says that the evolution in how backups are viewed at an IT level has improved the overall shape of security strategies.

“We’ve seen a large alignment between what would be traditional infrastructure roles and security pillars. That cross-collaboration is increasing. That’s good because it means that the focus shifts from not just backing up the data but recovering it for an organisation and securing it again,” he says.

The key advice Roberts offers is for companies to think about backups as tools in the overall resilience strategy of a business.

“I always look at things through a resilience lens, with an eye on bad actors. When it comes to backups, know your backups. Test them and test them properly. Even the simplest backup, if untested, can prove useless in a crisis,” he says.

“Make them immutable. That means they can’t be edited or changed. It makes them more resilient to attack. Still, nothing is impenetrable, so look at what can be removed from the attack surface. Should the worst happen, that way you can still have a safeguarded copy of your data.”