The value of backups: how much do you trust yours?

Andres Jõgi

Security Engineer, Cybersecurity Department

The discussion on backups tends to focus on the necessity of having them and how some novel technical solution will surely solve all of your backup-related issues. The difficult topics are seldom discussed, so the challenges of formulating a comprehensive backup strategy and measuring its trustworthiness are mostly considered an IT problem. Most scenarios involving the use of backups tend to have business-wide implications, such as recovery from a ransomware attack or restoration of services after hardware failure. As such it is vital for the management to understand the key aspects of a company's backup strategy.

In this post, you’ll get a high level overview of which aspects of your backup strategy should be considered critically when evaluating your strategy. While this article is far from a comprehensive set of guidelines it serves as a solid basis on which specific solutions can be built.

What should be backed up

While the common "easy" answer is to back up everything, in practice the answer is more nuanced than that. The backups should be tailored according to the business requirements of the company. This means that all essential files for which replication after data loss is either impossible or costly should be backed up. This encompasses both individual files such as accounting spreadsheets, service contracts etc, but databases, configuration files and other data objects, too, which are vital for your IT-services to keep your business running. A clear individual responsibility for maintaining backups is essential, because while the IT-department is responsible for the backups of data on servers, shared drives or cloud storage, the responsibility for documents on their computers falls on the users.

Another common belief is that since most of the work takes place in different cloud environments such as Google Workspace or Microsoft Office365 there is no longer a need to worry about backups. However, there have been cases where data stored in the cloud is lost or becomes inaccessible due to the service outages. Depending on the perceived impact of such risks, having backups with different cloud providers or stored locally might just save the day.

So take a moment to consider this:

  • If you were to spill a cup of coffee on your laptop right now, what would be the consequences?
  • If the contents of your accountant's computer were to be encrypted by ransomware, what would be the course of action?
  • What would be the impact of losing internet connectivity in your offices for the whole day?

How often should I back up my data?

The frequency for backing up important data varies, depending on how fresh the data must be to be still usable for your activities. For example, if you write a new document or a spreadsheet on Monday and experience a disk failure on Tuesday, the weekly backup scheduled on Friday 5PM will not save your data. Thus, if your backup strategy does not fulfil operational requirements you might as well not have any backups at all. Same principle holds true for backing up IT-services as : if you have 1000+ clients using a vital service, telling them that on top of disruptions days’ worth of work is lost simply will not fly.

This leads us to recovery and recovery times:

  • When was the last time you backed up your work?
  • How long would the recovery time be to your current progress?

Testing recovery

One often overlooked vital step of implementing a successful backup strategy is testing the recovery procedures. Recovery should be routinely tested to ensure that restoring from backups works as intended. Routine testing also serves as training for your technical personnel to keep any downtime to minimum. An added benefit of routine recovery testing is the possibility to record recovery times, which helps to predict the actual recovery time when a real crisis hits. Managers that know their recovery times, can decide quickly if restoring from backup is the best approach or if manual recovery should be attempted instead.

Think about this:

  • How long would it take to recover the contents of your file server to a working state?
  • If the server hosting your company's homepage were hit by a lightning strike, how long would it take to get it back up and running?

Your first steps on the road to reliable backups

Now that you’ve read through this post, can you provide answers to all the questions we asked with certainty? It’s OK not to have all the answers, too, provided that you know now what to ask on the road to prepare for security incidents. Just keep in mind that the incidents will come, and they don’t always need to be connected to malicious activity – it can also be a simple human error or the abovementioned lightning strike. As long as you’re aware and prepared, however, any real damage can easily be avoided.