Security Bytes – October, 2016 – Backups? Cross your fingers and pray?....
This month I wanted to come back to a topic that I have already talked about but countless times I have seen clients that do setup a backup procedure, but never test the backup procedure to see if the data backed up can be recovered successfully in case of a failure.
The best backup strategy is to backup in 3’s: One onsite, one you can keep with you when you leave the location, and one that is in a secure location in the cloud. The reason for this is that if your business location suffers a catastrophic loss due to fire / flood, etc., it is a good bet that the onsite backup might not survive. That is why one needs to also take a backup offsite. Another good reason to keep a 3rd backup in the cloud is to ensure that even if you done have access to your onsite backup and you lose the backup you carry with you, you have a 3rd
one that you can always get to. With this being said, one should also periodically test these backups for viability! I have had people that claim to have backed up their data find out that the backup itself was corrupt from the beginning so that the data they needed was not viable. Another important reason that one backup in 3’s is that today’s hard drives do fail from time to time and in many cases people don’t realize that a drive they are backing up to is failing.
No matter where one backs up their data it is always a good plan to follow these steps:
1. Identity the data that is critical to business or personal need.
2. Determine how often one needs to backup! One should ask what is the maximum time period one can go without a backup and still recover from a loss!
3. Perform the backup and test the recovery of the data to ensure you can read it when you need it
4. When backing up data to the cloud it is also highly advisable to encrypt your data before it leaves your computer and gets stored in the cloud. This ensures that the data which is backed up is only retrievable by you when you need it.
5. In cases where one does encrypt data, make sure to also test the decryption of the data and safe storage of the decryption keys so that they are available when needed.
6. Remember the old adage that an ounce of prevention is worth more than a pound of cure!
Many times people know that they should test backups for viability but forget to do so due to busy lifestyles and business stress. Backups need to become part of a daily routine and time must be allotted to allow for success. Another benefit of offline backups is that if you get hit by crypto malware that I have talked about in previous articles, you might not need to pay any ransom, if you have a good offsite copy that is recent! Just reformat your machine and restore from the backup and you will be up and running with minimal downtime!
-Paul Mavrovic, CISSP