Best Practices for Secure Backups and Archives
A focus on data backups and archiving is critical for successfully navigating a rapidly changing cybersecurity environment.
- Data backup and archiving requirements are growing, with the rise of collaborative work and new network architectures.
- It’s critical to establish a strategy and a technology framework for managing and protecting data across its lifecycle.
Backing up and archiving data are essential business requirements. There are both legal and practical reasons for data retention — ranging from regulatory compliance to the risk of a cyberattack that could lead to downtime or even business failure. The challenges are on the rise in today’s increasingly complex business environment, as increased data sharing and collaboration elevate already significant concerns about cyberattacks and business continuity.
It’s critical to examine whether your organization’s data retention strategy has kept up with all the changes in today’s IT and cybersecurity environments. Beyond collaboration platforms, trends including multi-cloud frameworks, microservices, edge computing, and software-as-a-service (SaaS) are also altering the data protection landscape. As they do, they are changing the way attackers assault organizations.
Consider, for example, how cybercriminals and ransomware gangs are expanding their focus on data stored in the cloud. This includes techniques like redirecting cloud accounts from the targeted company to the attacker. If successful, an attacker can make it appear that users are saving data to a legitimate account, though it’s being redirected to an attacker’s account.
The upshot? It’s wise to conduct a thorough inventory of your current data backup and archiving systems and procedures to ensure that they (a) deliver the required level of business continuity in the event of a cyberattack and (b) are themselves protected against an attack or other outage.
Protections should be in place for everything from legacy databases and enterprise applications to email systems and collaboration platforms, which may contain sensitive data, intellectual property, and even trade secrets. With Mimecast’s email backup solutions, for example, companies can protect the treasure trove of critical information in their email systems and rapidly recover email files, folders, contacts, tasks, and notes in the event of an outage.
The Value of Data Management and Protection
The value of data backups and archiving is increasingly well understood.
- Backups: Business continuity can be preserved in the event of a cyberattack or other outage, if a company routinely backs up data that is currently in use.
- Archiving: Compliance, legal, cost-cutting, and security objectives can be met by moving long-term storage of essential business records off the main network to an archive, where it’s available on an “as needed” basis.
Several factors complicate data retention and protection. First is the nature of data today. As the IDC market research firm pointed out: “Data is spread across the core, cloud, and edge, with the potential for mission-critical data in each repository requiring organizations to address each repository fully.” Then comes the current state of security. “With data spread across the organization, data may be in silos with multiple data protection tools, processes, and policies opening risks and attack vulnerabilities,” IDC adds.
Building Better Backup and Archiving
How can a business begin to build better data backup and archiving frameworks? Best practices include:
- Focus on data discovery. You can’t determine how to design and engineer a data retention framework without knowing exactly what exists and where it exists. Specialized e-discovery applications can crawl through a network and identify data, devices, and people.
- Determine the value of data. All data is not created equal. Not only does the value of data have direct ramifications for the type of storage that’s used — and how an organization devises a retention and restoration strategy — it also touches on compliance and cybersecurity. It’s critical to assign the right level of protection to data.
- Understand your current framework. As more and more data streams into the cloud, it’s vital to know how internal departments and cloud providers manage, archive, and delete data. Consider that some cloud services back up data for only 60 to 90 days, which may be insufficient for your organization.
- Architect a data retention plan. Design a framework that matches your organization’s needs and optimizes “restartability” — while removing potential problem points, such as silos. This includes assigning the right security controls, including multi-factor authentication (MFA).
- Deploy the right technology framework. The right backup and archiving systems are essential, including cloud archiving along with a framework for managing, storing, and protecting email data. At the same time, it’s critical to build a security framework based on a “zero trust” approach, requiring continuous validation of access privileges to data stores.
- Train employees. Various groups must understand their role in protecting data and avoiding breaches. Security awareness training can help companies avoid phishing attacks that can enter a network and even invade backup sets.
The Bottom Line
Data retention and protection have become remarkably complex as clouds, collaboration platforms, edge systems, and microservices frameworks have appeared. It’s nothing like the backup and archive landscape of only a decade ago. Today, an organization must understand the business and security risks associated with its data, use effective e-discovery processes, and design a strategy that includes the right technology to effectively manage backups and archives — while establishing zero trust protection. Read an Osterman Research report about new archiving and data protection requirements in today’s collaborative work environment.
 “Protect data backups from malicious attacks and theft,” Sophos
 “You Think Ransomware Is Your Only Problem? Think Again,” IDC
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!