Lessons from the Field, Part I: Backup and Disaster Recovery
By James Keiser, Director of Secured Managed Services Southeast, CISO Global, Inc.
In the ongoing battle to protect corporate data, you can’t afford to miss a step. I’ve seen, first-hand, what can happen when organizations do miss steps. We are always happy to help them remediate going forward, but there’s a lingering wish that we’d met them sooner.
How realistic is it, though, to expect your teams to design and configure everything in your entire environment perfectly, all at once? You’re likely dealing with inherited processes, outdated policies, untested response plans, ongoing digital transformation initiatives, and replacement of old technology. In fact, many businesses inadvertently neglect their IT needs due to lack of awareness, limited resources, a reactive approach, perceived costs of IT investments, lack of expertise, or overconfidence.
The fact remains that prioritizing security by design for your IT infrastructure and data protection is non-optional.
In the financial industry, for example, backup solutions must comply with data protection regulations that require controls around disaster recovery and business continuity, data retention and archiving, redundancy and replication, audit trails and monitoring, access control and authorization, testing and validation, vendor due diligence, and cyber incident response preparedness.
These are known principles. Yet, in 98% of the incidents CISO Global sees, backups have simply been deleted by attackers.
How can this be?
My team and I regularly draw on our working knowledge of cyber incident response and remediation to help our clients design environments that shield backups from being deleted or compromised. To help you be proactive, I’d like to share some of that knowledge so you can do the same. Feel free to use this list in your next conversation with your IT provider or team. Find out how each measure is being implemented and the last time it was tested or validated.
Essential backup protection measures include:
- Air gapping
- Access control and authentication
- Role-based access control
- Separation of duties
- Regular backup verification
- Offline or offsite backups
- Immutable backups
- Backup encryption
- Regular monitoring and audit logs
- Offsite backup replication
- Employee security awareness training
- Tabletop exercises for your DR plan
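The "regular backup verification" item above is the control that turns a deleted or tampered backup from a surprise on incident day into an alert. The following is an added illustration, not code from CISO Global or the original post: it records a SHA-256 manifest of a backup set and later re-checks the set against that manifest, reporting files that have gone missing, changed, or appeared. File names and contents are constructed for the demo; in practice the manifest would live on separate, immutable storage so an attacker who reaches the backup host cannot rewrite it.

```python
"""Verify a backup set against a previously recorded hash manifest."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file (relative path) under backup_dir to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return manifest


def verify_backup(backup_dir, manifest):
    """Compare the live backup set to the stored manifest.
    Returns sorted lists of missing (deleted), modified (tampered) and unexpected files."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed scenario: record a manifest, then simulate one backup being
    deleted and another overwritten before the next verification run."""
    with tempfile.TemporaryDirectory() as backup_dir:
        for name, data in [("db-mon.bak", b"monday"), ("db-tue.bak", b"tuesday")]:
            with open(os.path.join(backup_dir, name), "wb") as f:
                f.write(data)
        stored = json.dumps(build_manifest(backup_dir))  # stand-in for off-host, immutable storage
        os.remove(os.path.join(backup_dir, "db-mon.bak"))
        with open(os.path.join(backup_dir, "db-tue.bak"), "wb") as f:
            f.write(b"garbage")
        return verify_backup(backup_dir, json.loads(stored))


if __name__ == "__main__":
    print(demo())  # any non-empty "missing" or "modified" list should page someone
```

Scheduling `verify_backup` from a host that is not the backup server, and alerting on any non-empty result, also gives you the "regular monitoring and audit logs" evidence the list asks for.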
Finally, make sure your IT provider can furnish you with documentation of security validation measures, such as formal cybersecurity risk assessments and penetration tests, to ensure they are not an accidental conduit for an attack that could compromise your backups. Reputable providers will have these conducted on a regular basis. This is especially important for organizations that manage highly sensitive client data protected under compliance frameworks. You work incredibly hard to demonstrate your commitment to data protection; make sure your partners and providers do too.
If you need help assessing or remediating issues in your environment, we’d like to hear from you. Request a consultation here.