The prevalence of cyber-attacks has had a devastating impact on businesses over the past couple of years. As a result, insurance companies are now asking businesses to implement certain cybersecurity measures to qualify for Cyber coverage. As we discussed in the Multi-Factor Authentication blog, one of these requirements entails installing Multi-Factor Authentication (MFA) software to add an extra layer of security to your business. I sat down again with Chad Quarles, Senior CISO Advisor from Hartman Executive Advisors, to discuss data backup this time – another protection measure most insurers are increasingly requiring.
PSA: What is data backup?
Hartman: Backup and recovery describes the process of creating and storing copies of data that can be used to protect organizations against data loss. Recovery from a backup typically involves restoring the data to the original location so employees can continue to work, or, depending on the scale of the incident, potentially to an alternate location where it can be used in place of the lost or damaged data.
There are a variety of different backup and recovery strategies, and it is up to each organization to select the strategy that works best for them. When choosing a backup and recovery strategy consider some of these best practices:
- Identify your critical business processes and the different technologies those processes depend on. This exercise will help you ensure that your backup and recovery strategy protects all the systems and data your business needs to run.
- Decide how long your business can go without performing business critical processes. This determines the recovery time objective (RTO), or how quickly you need to recover from backup. Similarly, the business will need to determine how much data loss is acceptable. This defines the recovery point objective (RPO), or how recent the restored backups must be to be successful.
- Don’t rely on a single backup. Duplicate your backups to another physical location or a secure cloud location so you can be confident you will have a copy of your backups when you need them. This is called redundant backup.
- Consider requiring MFA or other security controls to protect access to your backup data. Backups are an attractive target often held hostage by cybercriminals during a ransomware attack.
- Perform regular tests of backups and recovery. Don’t wait until it’s a true emergency to test your recovery plans. Regular testing ensures that restoring your backup runs smoothly when you need it most. I’d recommend performing a restore test at least quarterly to ensure everything is working as expected.
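The three checks in the list above (RPO freshness, redundant copies in more than one location, and an actual restore test rather than trust in the backup job's status) can be automated. The following is an added example written for this post; it is not code from Hartman Executive Advisors, PSA, or any backup product. It assumes a hypothetical backup manifest format in which each record lists the system, the UTC time the copy was taken, where the copy is held, and the SHA-256 of the archive; the manifest entries, archive payloads, and recovery targets are constructed for the example.

```python
"""Backup freshness, redundancy and restore-verification checks (added example)."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Recovery targets the business sets (constructed values for this example).
RPO = timedelta(hours=24)   # at most one day of data loss, i.e. daily backups
MIN_COPY_LOCATIONS = 2      # "redundant backup": copies in at least two places

# Constructed payloads standing in for the backed-up archives.
FILE_SERVER_ARCHIVE = b"constructed archive contents for file-server\n"
MAIL_ARCHIVE = b"constructed archive contents for mail\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest (hypothetical format): one record per backup copy,
# as a backup job would log it. The mail system has only one, stale copy.
SAMPLE_MANIFEST = [
    {"system": "file-server", "taken": "2024-05-02T01:00:00Z",
     "location": "onsite-nas", "sha256": sha256_hex(FILE_SERVER_ARCHIVE)},
    {"system": "file-server", "taken": "2024-05-02T01:30:00Z",
     "location": "cloud-vault", "sha256": sha256_hex(FILE_SERVER_ARCHIVE)},
    {"system": "mail", "taken": "2024-04-28T01:00:00Z",
     "location": "onsite-nas", "sha256": sha256_hex(MAIL_ARCHIVE)},
]
NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)  # fixed "now" for the example


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def newest_copies(manifest):
    """Map each system to its most recently taken manifest record."""
    newest = {}
    for rec in manifest:
        cur = newest.get(rec["system"])
        if cur is None or parse_utc(rec["taken"]) > parse_utc(cur["taken"]):
            newest[rec["system"]] = rec
    return newest


def check_freshness(manifest, rpo=RPO, now=NOW):
    """Return {system: (age_of_newest_copy, within_rpo)}; a stale copy breaches the RPO."""
    result = {}
    for system, rec in newest_copies(manifest).items():
        age = now - parse_utc(rec["taken"])
        result[system] = (age, age <= rpo)
    return result


def check_redundancy(manifest, min_locations=MIN_COPY_LOCATIONS):
    """Return {system: (sorted_locations, has_enough_locations)} for the redundant-backup rule."""
    locations = defaultdict(set)
    for rec in manifest:
        locations[rec["system"]].add(rec["location"])
    return {s: (sorted(l), len(l) >= min_locations) for s, l in locations.items()}


def verify_restore(restored: bytes, expected_sha256: str) -> bool:
    """True only if the restored bytes hash to what the manifest recorded at backup time."""
    return hmac.compare_digest(sha256_hex(restored), expected_sha256)


def restore_drill(manifest, restored_by_system):
    """Simulated restore test: restore each system's newest copy and verify it byte-for-byte.

    restored_by_system holds the bytes that came back from the restore; a missing
    or altered restore fails, which is exactly what a quarterly drill should surface.
    """
    return {
        system: verify_restore(restored_by_system.get(system, b""), rec["sha256"])
        for system, rec in newest_copies(manifest).items()
    }


if __name__ == "__main__":
    for system, (age, ok) in check_freshness(SAMPLE_MANIFEST).items():
        print(f"{system}: newest copy is {age} old, within RPO: {ok}")
    for system, (locs, ok) in check_redundancy(SAMPLE_MANIFEST).items():
        print(f"{system}: copies in {locs}, redundant: {ok}")
    # Constructed drill: file-server restores cleanly, the mail archive comes back truncated.
    drill = restore_drill(SAMPLE_MANIFEST, {"file-server": FILE_SERVER_ARCHIVE,
                                            "mail": MAIL_ARCHIVE[:-1]})
    for system, ok in drill.items():
        print(f"{system}: restore verified: {ok}")
```

In the constructed data the file server passes all three checks, while the mail system fails each of them: its only copy is four days old (RPO breached), it exists in a single location, and the simulated restore returns a truncated archive whose hash no longer matches. Wiring checks like these into the backup job and alerting on any failure turns the "test at least quarterly" advice into something that runs every time a backup completes.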
PSA: We often get questions from our clients regarding the difference between cloud backup and cloud storage. Can you please clarify, so businesses can have a better understanding when selecting a data backup platform?
Hartman: Cloud storage means that your data is stored (automatically or on-demand) on remote servers hosted by a cloud service provider of your choosing and accessed easily from almost anywhere you have an internet connection. Some popular cloud storage providers for small businesses include:
- Microsoft OneDrive
- Dropbox
- Google Drive
- Box
Cloud backup is a service that stores backup copies of your business’s data on remote servers that you can access from almost anywhere you have an internet connection. Some backup solutions, such as Datto Backupify, BackBlaze, and Veeam, specialize in cloud-to-cloud backups that allow you to restore your data from one cloud storage provider to another. This is an important consideration if your business uses Microsoft 365 or Google Workspace and you’re uncertain whether the Microsoft or Google data retention tools alone will meet your needs.
PSA: How frequently should data be backed up?
Hartman: In most cases, I recommend backing up your data at least daily. However, your business requirements may call for more frequent backups throughout the day.
PSA: What are the most frequently used data backup platforms for small and mid-size businesses?
Hartman: There are many possible backup solutions to consider; however, I recommend a backup technology capable of storing copies of your backups in the cloud, so they are off site in case of a disaster and less likely to be corrupted or destroyed as part of a ransomware attack. Some examples of effective cloud backup solutions for small to mid-size businesses include:
- Veeam
- Datto
- Barracuda
While each of these, or even others, may be a good fit, it is important to understand your unique backup and recovery needs to select the right solution for your business.
PSA: What should businesses consider when selecting the right data backup option?
Hartman: With many data backup options to choose from, it may be overwhelming when deciding which platform is best for your business. Here are some things to consider when evaluating if a platform is right for you:
- Storage Cost – Cost can be an important consideration when evaluating backup solutions. Understand the size of the data you will need to back up, usually measured in gigabytes. Compare providers to ensure you have a competitive cost per gigabyte of storage that will allow you to set up the retention policy (how long you keep copies of your backups) right for your organization.
- Security Capabilities – Make sure you select the platform that offers the appropriate security controls for the type of data you will be backing up. Things to consider here are multi-factor authentication, encryption in transit (be sure the data is encrypted as it is transmitted over the internet), encryption at rest (ensure the data is encrypted where it is stored in the cloud to ensure only your organization has access to the data), etc.
- User Requirements – If you are planning to have multiple employees access the backup solution, you should choose a data backup service that allows the necessary number of user connections. Some platforms charge per user while others offer unlimited connections.
- Storage Location – When you store your data in the cloud, it is important to remember that you are transferring your data to a hosted datacenter, likely replicated between multiple datacenters, each with a physical address. If you work in a regulated industry such as healthcare or financial services, you may want to consider whether your data could be stored outside of the United States. This has the potential to introduce legal complexities and potential compliance concerns.
- Identify Integration Requirements – Data backup services are most effective if they interact well with your current software platforms. Make sure that your backup solution works well with your most important data sources to help ensure the success of your backup and recovery strategy.
PSA: These practices should help you get started to qualify for Cyber insurance, but if you need any technical assistance, consider Hartman Executive Advisors as a resource, or feel free to contact us at acramer@psafinancial.com for all your Cyber insurance needs.