Most cybersecurity professionals will have spotted right away that this is a trick question. It’s not an either/or situation; both have a crucial role to play as part of the 360-degree, multi-layered backup strategy that’s necessary to protect data in the current threat landscape. The online and offline solutions complement each other, and the power comes with knowing when and how best to use them.
Organizations have already bought into the need to hold an offsite copy of their corporate data. The OVH datacenter fire earlier this year highlighted the danger of relying on a single storage location. When disaster hit, because OVH’s customer data was backed up in the same place, both sets of data were destroyed with no means of recovery.
In addition to a secondary location, best practice backup strategies should incorporate more than one type of offsite location — ideally one online and one offline.
The Cloud Attraction
Cloud storage offers instant appeal as a secure, convenient and cost-effective way of storing and safeguarding files. When information is in the cloud, employees can have it at their fingertips at all times, wherever they go, as long as they have connectivity.
Backing up to the cloud is also typically a low-maintenance solution that is easy and fast. The provider often takes ownership of services such as automatic updates, patching and encryption. All a business really needs is internet connectivity and logins for authorized users.
However, it’s this devolution of responsibility that creates potential risk. When you sign a contract with a cloud provider, you’re also signing over a chunk of the control you have over your data. You may have what you believe is a watertight service level agreement in place, but whether the provider can and will deliver on it is another matter.
Ensure No Single Point of Failure
One fundamental principle of cybersecurity best practice is that no single solution can guarantee security – and adopting cloud storage on its own is likely to expose the organization to an unacceptable level of risk.
Storing copies of essential files offline, on removable hard drives, USB drives and other external devices, will mitigate many of the problems associated with backing up to the cloud. An offline backup is particularly important to defend against ransomware attacks, ensuring the organization can always restore from a clean, protected data set.
Devices that automatically hardware-encrypt all data written to them will offer the highest level of protection, rendering information illegible to anyone not authorized to access it. Removable devices can also be quickly unplugged to disconnect them from the network — creating a firebreak between the information and any cybercriminal who successfully managed to make it onto the corporate network. However, relying solely on this type of solution also has its downsides.
Physical devices can easily be lost or stolen — hugely inconvenient if the missing device carries the only remaining copy of critical documentation, even if the device itself cannot be cracked to reveal stored information. While accurate figures on mobile device loss are difficult to ascertain, a Ponemon study of just 329 organizations found that they had lost 86,455 laptops within a year — equating to 263 laptops on average per organization.
In short, neither cloud nor offline storage can defend against all threats on its own.
Play to Their Strengths
An approach that layers different solutions, including both cloud and offline storage backups, gives the best protection. It also provides the best chance of recovery if other copies of information or physical devices fall prey to malfunction, damage, loss or theft.
Cloud can do a great job as the first line of defense and as an additional alternative if other backup methods should fail. Adding a policy requiring all employees to back up all data locally to encrypted storage devices enables you to retain an element of control should something go amiss in the cloud. Importantly, the encryption of all data as standard — whether at rest or on the move and wherever it’s being held — should be mandated across the organization.
The final step is to develop a backup frequency that works for your organization and enforce it through policies and procedures, either by fully automating updates or setting reminders for staff.
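The layered policy described above can be checked mechanically against a backup inventory. The following is an added example, not code from the article: the `BackupCopy` fields, the `audit` function, the site labels and the 7-day limit are all assumptions made for illustration. A copy only counts toward online, offline or offsite coverage if it is both encrypted and within the agreed backup frequency, so a stale drive in a drawer does not satisfy the offline requirement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    site: str           # physical location label (hypothetical naming)
    online: bool        # True: network-reachable (cloud); False: unplugged device
    encrypted: bool
    last_run: datetime

def audit(copies, primary_site, max_age, now):
    """Return findings; an empty list means the inventory meets the policy."""
    findings = []
    healthy = []
    for c in copies:
        ok = True
        if not c.encrypted:
            findings.append(f"{c.name}: not encrypted")
            ok = False
        if now - c.last_run > max_age:
            findings.append(f"{c.name}: last run exceeds {max_age.days}-day limit")
            ok = False
        if ok:
            healthy.append(c)
    # Only encrypted, fresh copies count toward coverage.
    if not any(c.online for c in healthy):
        findings.append("no usable online copy")
    if not any(not c.online for c in healthy):
        findings.append("no usable offline copy")
    if not any(c.site != primary_site for c in healthy):
        findings.append("no usable copy outside the primary site")
    return findings

# Constructed sample inventory (not from the article).
NOW = datetime(2024, 1, 15)
INVENTORY = [
    BackupCopy("cloud-bucket", "provider-region", True, True, NOW - timedelta(days=1)),
    BackupCopy("usb-drive-01", "head-office", False, True, NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, "head-office", timedelta(days=7), NOW):
        print(finding)
```

Run on a schedule, a check like this turns the backup frequency from a reminder into something that fails visibly when the offline copy falls behind.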
A thoroughly reliable backup process will protect corporate data against loss and theft from all potential angles. While the concept of backing up information is simple, the approach needs to go beyond copying files to another folder on your computer, or another server on the company network, or even to the cloud. The smartest move is a multi-layered, multi-location approach, both online and offline, that covers as many eventualities as possible.