Data is expensive. Hardware is cheap. Even as far back as a decade ago, now-defunct Mozy did an experiment: ask people on the street if they would permit their laptops to be destroyed immediately, in exchange for a brand-new MacBook Pro. There were surprisingly few takers, as most people recognize that the value of the data on a computer far exceeds the cost of the hardware on which it resides.
Now, of course, a considerable amount of business production data – possibly even most of it – is stored in the cloud. The adoption of cloud-based data storage has obligated many businesses to learn, yet again, that where data is kept matters less than having the means to protect it.
Given the ever-evolving threat landscape and attack methods, businesses must ensure they develop and implement proper backup and recovery strategies. The key to developing the right approach is understanding the current threat landscape and eliminating common misconceptions when it comes to backup and recovery.
Office 365 is a key example. In a span of seven years, Office 365 has gone from less than 10% market share to over 70%. Unfortunately, data protection has not kept pace with adoption, with new research showing that over two-thirds of organizations rely only on native Office 365 capabilities to recover and backup its data.
The Increased Relevance of Backup in Today’s Threat Landscape
As businesses have tried to optimize IT budgets and reduce spending during the COVID pandemic, backup and security are often first on the chopping block – largely in part due to their value coming from events (like security breaches) that haven't happened. But today’s threat landscape is compounding the need for comprehensive backup solutions.
Microsoft 365 administrative credentials are now the most-phished credential set as the value of ransomware demands rise. And with pandemic-related internal changes and re-orgs impacting most businesses, organizations must acknowledge that threats are just as likely to surface on the inside of their firewall as on the outside. All this is further exacerbated by the rise of state-sponsored organizations like Hafnium or REvil, which possess both significant social engineering skills and substantial distributed compute resources.
More than half of small businesses that suffer a breach eventually fold, despite many claiming to have a business continuity plan. The disconnect here reflects the unfortunate reality that business continuity and disaster recovery (BCDR) plans are all too often a tick-box exercise for organizations. Recovery plans that appear thorough on paper do not survive long in the crucible of coordinated, intelligent and multi-vector attacks.
BCDR Planning and Testing: Do’s and Don’ts
If businesses do have a backup solution in place it is often part of a dated or untested BCDR plan. Common misconceptions or wrong steps regarding backup and BCDR planning leave organizations vulnerable to data loss when incidents do occur. As there are few things more impressive than a flawlessly executed recovery plan in the face of additional stress for the team asked with dealing with it – its imperative businesses understand key BDCR considerations as outlined below.
Failures do not happen in a vacuum – multiple applications can fail simultaneously. Even mundane things, like who to call or email in the event communications software fails, are often overlooked or unknown by systems administrators.
Many BCDR tests are conducted under optimal circumstances – on a slow day, where administrators are sitting next to each other and the test is conducted with advance notice. Try introducing even simple stressors to the plan – for example, a key decision maker is unavailable or that the company phone system is down.
Another important consideration is to evaluate where BDCR plans live since many businesses keep BCDR plans on the very infrastructure that could be impacted by a data loss event, denying access when the business needs it most. An easy test for whether a business is properly equipped to handle a disaster is to ask: is a hard copy of the BCDR plan available and stored somewhere the requisite IT staff can reach it (including their homes)? If not, why not?
Ultimately, the implications for businesses of not regularly testing their backup and disaster recovery strategy can be wide-ranging and devastating: from losing critically important files, to the heavy cost of replacing machines, or the large amount of manual time and effort spent recovering data.
Included below is a checklist for IT organizations this World Backup Day to help enact or revisit important data protection strategies and BCDR planning.
World Backup Day Checklist
As World Backup Day rolls around, IT organizations must ask:
- Has data been properly categorized?
- Is the data necessary for critical business operations properly identified?
- Does a process exist for classifying data in the future as new applications are added or current applications are updated?
- Is data being protected in an immutable environment with backup operators independent of application administrators?
- Is a recovery plan in place? Has it been tested in a non-synthetic environment?
- What happens if someone integral to the plan is on leave?
- Is the business properly addressing the possibility of both malicious insiders and motivated outsiders?