Introduction
31 March is World Backup Day, a good occasion to take stock of the current state of an organization's backup system. A properly designed backup system is a critical success factor for ensuring the availability and, indirectly, the integrity of stored data. Without backups, a single incident can bring an organization's operations to a halt.
Security backup requirements
Standards and recommendations, as well as Information Security legislation, include controls for backups.
Several ISO standards contain details on backups, for example ISO/IEC 27040:2024 (Storage security) and ISO 22301:2019 (Business continuity management systems).
ISO/IEC 27001:2022 (Information security management systems) specifies the requirements for backups in Annex A, control A.8.13 (Information backup), which covers both maintaining backups and testing them regularly.
NIST SP 800-53 Rev. 5 sets out the requirements in somewhat more detail in control CP-9 (System Backup). An organization should design its backup system around appropriate RTO (recovery time objective) and RPO (recovery point objective) values, taking its business continuity needs into account. The CP-9 control enhancements also cover testing backups for reliability and integrity and protecting them, including with cryptography.
Various pieces of information security legislation also require backup systems to be designed properly. These requirements must be identified and put into practice.
Trends in backups
In 2024, many organizations were hit by cyber attacks. According to a survey by Sophos, attackers have turned their attention to backups because they know that destroying them causes far more damage. The survey found that in 94 percent of organizations hit by ransomware, the criminals attempted to compromise the backups, and 57 percent of those attempts succeeded.
The survey makes clear that the question is not whether but when an organization will be in the crosshairs. Attackers also know that a victim whose backups are intact can refuse to pay or negotiate a far smaller ransom.
Many organizations have already recognized the importance of backups, yet in many places the backup system is still not properly organized. There is also a persistent misconception that data stored in the cloud does not need to be backed up because it is "always available there", or that the cloud service provider takes care of the backups.
Backups alone are not enough: a number of related, system-level activities matter as well, license management being one example. If license management is neglected and the backup software stops working when its license expires, the organization discovers the gap only when it needs a backup.
The trend is clear: a single backup is no backup. A combined solution is needed that takes the actual threats into account. According to a Unitrends study, 44% of the surveyed organizations store their backups in the cloud, a figure that is likely to increase.
How to set up a proper backup system?
It is very important to have a proper governance framework for backups, in which roles and responsibilities are defined, together with the exact tasks and a well-defined system of controls.
An effective backup is not just a single backup site. It makes sense to combine several methods to protect data. The best-known strategy is the so-called 3-2-1 rule:
- Keep 3 copies of your data (the original and two backups).
- Store them on 2 different types of media (e.g. an external hard drive and a cloud service).
- Keep 1 copy physically away from the original data (e.g. in the cloud or at another site).
The strategy should take into account which data the organization is legally required to retain and for how long it may keep it. GDPR requirements must be considered: if the organization keeps personal data longer than is needed for the purpose it was collected for, this leads to non-compliance.
The risks associated with backups need to be identified, analyzed, evaluated and, where necessary, treated. Risk management should precede the design of the backup system.
For cloud services it is necessary to know, based on the Shared Responsibility Model, who is responsible for taking backups, how the cloud provider's own backup system works, and where the data is stored, in order to comply with GDPR and other relevant legal requirements.
We need to determine which data and systems to back up, which legal requirements to meet and how to back that data up.
Once the organization knows which data and systems it needs to back up, capacity planning (for instance whether to use incremental or differential backups) and cost allocation follow.
Backups must be performed regularly and in an automated manner. When designing the process, ensure that each backup completes to the expected quality rather than silently failing; otherwise there will be no usable, up-to-date backup when an incident occurs. Backup failures must be alerted to the responsible team, and a process must define how an adequate backup is obtained in such a case.
Backups must be taken at a frequency that meets the relevant RTO and RPO values.
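The 3-2-1 rule, the "no silent failures" requirement and the RPO check above can all be evaluated automatically from a backup catalog. The following is an added example, not code from the original article or from any backup product: it audits a constructed catalog (the datasets, media, sites, timestamps and RPO values are assumed sample data) and reports, per dataset, which of the three 3-2-1 conditions is unmet, whether the newest successful copy is older than the RPO, and whether any job failed and needs alerting.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    """One recorded backup copy of a dataset, as a backup catalog would report it."""
    dataset: str
    medium: str            # e.g. "disk", "tape", "object-storage"
    location: str          # site or cloud region holding the copy
    offsite: bool          # physically separate from the production site
    finished_at: datetime  # completion time of the job (UTC)
    status: str            # "ok" or "failed"


def audit_dataset(copies, rpo, production_medium, now):
    """Return sorted finding codes for one dataset (empty list = compliant).

    copies            - all catalog entries for the dataset
    rpo               - maximum tolerated age of the newest successful copy
    production_medium - medium of the live data, which counts as one of the 3-2-1 copies
    """
    findings = []
    ok = [c for c in copies if c.status == "ok"]
    # 3: the original plus at least two successful backup copies
    if len(ok) < 2:
        findings.append("copies")
    # 2: at least two distinct media, the live copy's medium included
    media = {production_medium} | {c.medium for c in ok}
    if len(media) < 2:
        findings.append("media")
    # 1: at least one successful copy stored off-site
    if not any(c.offsite for c in ok):
        findings.append("offsite")
    # RPO: the newest successful copy must not be older than the objective
    if not ok or now - max(c.finished_at for c in ok) > rpo:
        findings.append("rpo")
    # Failed jobs must be alerted even when older copies still satisfy 3-2-1
    if any(c.status != "ok" for c in copies):
        findings.append("failed_jobs")
    return sorted(findings)


def audit_catalog(catalog, rpo_by_dataset, production_medium, now):
    """Group catalog entries per dataset and audit each one."""
    by_dataset = defaultdict(list)
    for copy in catalog:
        by_dataset[copy.dataset].append(copy)
    return {
        ds: audit_dataset(copies, rpo_by_dataset[ds], production_medium, now)
        for ds, copies in by_dataset.items()
    }


# Constructed sample catalog and objectives (assumed values, not real data)
NOW = datetime(2025, 3, 31, 8, 0, tzinfo=timezone.utc)
CATALOG = [
    BackupCopy("crm-db", "disk", "dc1", False, NOW - timedelta(hours=2), "ok"),
    BackupCopy("crm-db", "tape", "dc1", False, NOW - timedelta(hours=20), "ok"),
    BackupCopy("crm-db", "object-storage", "eu-west", True, NOW - timedelta(hours=3), "ok"),
    BackupCopy("fileshare", "disk", "dc1", False, NOW - timedelta(hours=1), "ok"),
    BackupCopy("fileshare", "disk", "dc2", True, NOW - timedelta(hours=30), "failed"),
    BackupCopy("erp-db", "tape", "dc1", False, NOW - timedelta(hours=10), "ok"),
]
RPO = {
    "crm-db": timedelta(hours=4),
    "fileshare": timedelta(hours=24),
    "erp-db": timedelta(hours=4),
}


if __name__ == "__main__":
    for dataset, findings in audit_catalog(CATALOG, RPO, "disk", NOW).items():
        print(f"{dataset}: {'compliant' if not findings else ', '.join(findings)}")
```

Note that the failed off-site job for "fileshare" leaves it with a single on-site disk copy, so it fails three of the 3-2-1 conditions at once even though its newest copy is well within RPO; a monitor that only checks "did the last job succeed" would miss that.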
Access management must also be established for backups. We need to know the minimum privileges required to configure the backup systems and to access backups during incident response. Insider threats can also have a decisive impact on the backup system, so applying the Zero Trust principle, with least privilege for backup accounts, is very important.
In addition to access management, the physical and logical security of backups must be ensured. If backups are on tape or external disk, they should be stored where humidity, temperature and other environmental factors cannot damage the backup or the device that holds it. On the logical side, encryption of backups may also be required, depending on business needs and on what compliance defines.
Once backups are running successfully, they must be subjected to recovery tests at defined intervals to make sure they can actually be restored in an emergency. Testing should be planned and carried out so that it does not disrupt normal business operations. It is worth recording the test results to see what worked and what did not; non-conformities should be corrected.
Archiving should also be planned so that it complies with legal requirements, and a policy for deleting backups should be developed in line with the retention considerations described earlier.
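A recovery test should prove more than "the archive opens": every file must come back with the content it had when the backup was taken. The following is an added example, not code from the original article: it records a SHA-256 manifest of a constructed source tree at backup time, tars the tree, restores it into a separate directory while rejecting unsafe archive paths, and compares the restored files against the manifest. Two failure modes that a successful job status hides are simulated with assumed parameters: a file the agent silently skipped (`skip`) and a file that changed while the backup ran (`changed_during_backup`).

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data, not real backup content
SAMPLE_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'alice');\n",
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 1, 42.00);\n",
    "config/app.ini": b"[app]\nretention_days = 30\n",
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root, taken at backup time."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root: Path, archive: Path, skip=(), changed_during_backup=()) -> dict:
    """Tar the source tree and return the manifest recorded before archiving.

    skip                  - files the agent misses (e.g. locked) while still reporting success
    changed_during_backup - files overwritten mid-run, as with a non-quiesced source
    """
    manifest = build_manifest(root)
    for rel in changed_during_backup:
        (root / rel).write_bytes(b"-- partial write\n")
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if rel not in skip:
                tar.add(root / rel, arcname=rel)
    return manifest


def safe_members(tar):
    """Yield regular-file members, refusing names that could escape the restore directory."""
    for m in tar.getmembers():
        p = Path(m.name)
        if p.is_absolute() or ".." in p.parts:
            raise ValueError(f"unsafe path in archive: {m.name}")
        if m.isfile():
            yield m


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> dict:
    """Restore into dest and check every manifest entry; report missing and corrupt files."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in safe_members(tar):
            target = dest / m.name
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(m) as src, target.open("wb") as out:
                shutil.copyfileobj(src, out)
    missing, corrupt, verified = [], [], 0
    for rel, digest in manifest.items():
        restored = dest / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_of(restored) != digest:
            corrupt.append(rel)
        else:
            verified += 1
    return {"missing": missing, "corrupt": corrupt, "verified": verified}


def run_restore_test(skip=(), changed_during_backup=()) -> dict:
    """Full cycle in a temporary directory: write sample tree, back up, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, dest, archive = tmp / "src", tmp / "restore", tmp / "backup.tar.gz"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = create_backup(src, archive, skip, changed_during_backup)
        return restore_and_verify(archive, manifest, dest)


if __name__ == "__main__":
    print("clean:", run_restore_test())
    print("skipped file:", run_restore_test(skip=("db/orders.sql",)))
    print("changed mid-run:", run_restore_test(changed_during_backup=("config/app.ini",)))
```

Keeping the manifest with the backup record, and storing it on a system the backup account cannot modify, is what makes the recovery test meaningful; a manifest that an attacker with backup credentials can rewrite verifies nothing.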
Summary
A backup system is a complex thing, but one without which an organization cannot exist today. Developing an adequate backup system is resource-intensive in terms of people, physical and logical storage space, and cost. Proper design of a backup system is now a must. If you have not yet set up the right backup system, contact our consultants!
Author
Baranya Zsolt
SENIOR INFORMATION SECURITY AUDITOR