Security on Screen were treated to a Q&A with John Michael, CEO of iStorage, on the importance of backing up data and why businesses should be looking at ways to better secure data in the face of mounting threats.
It’s the annual World Backup Day event on March 31st – What has changed for business?
Cyber threats continue to put business on red alert. Heightened geo-political tensions persist, such as the war in Ukraine, which means those threats are now more frequent, more targeted and more intense.
On World Backup Day businesses are reminded of the critical need to secure information and the perils associated with failing to do so. It’s surprising that organisations are still taking risks with their data at a time when cyber attacks – and state-sponsored hacktivism – are so commonplace and so prevalent.
In addition to the threat presented by malicious actors, the top causes of data loss are also commonly human error and hardware failure.
Why is backing up data so critical?
When we consider hard drive failures, lost and stolen devices, and the rapid growth of ransomware attacks, the need to back up data has never been greater.
In fact, the alarming professionalisation of methods of attack used by cyber criminals, such as Ransomware-as-a-Service (RaaS), means that backing up is no longer ‘optional’ – it is a fundamental operational requirement of business in the 21st century.
World Backup Day is important because it creates greater awareness of the need to protect information and serves as a reminder for those that have not yet taken the steps to do so.
How should businesses implement a back-up strategy?
Having a plan in place to back up data produced within an organisation is one of the most important processes to protect it in the event of a cyber attack. Firstly, data security should be a shared responsibility.
HR and FM departments should be ensuring everyone is aware of, and acting on, a company policy around data backups.
Backing up data using a 3-2-1 strategy, as advised by the National Cyber Security Centre, means having at least three total copies of the data, two of which are local but on different mediums, and at least one copy stored off site.
This ensures that businesses and the individuals within them always have an up-to-date record of their valuable information.
Does backing up guarantee that company data remains secure?
While backing up is absolutely critical, in isolation it sadly will not protect your data from the complexities of modern threats. Here, the methods of protection must be carefully considered.
Robust security measures are necessary, and this is where encryption will enhance the security of corporate files as well as any communications that take place between client apps and servers.
What should businesses be looking for when deciding to encrypt their valuable data?
Backing up valuable data onto an encrypted hard drive can prevent organisations from losing access to their important information during, for example, a ransomware attack.
The regular use of a PIN-authenticated, encrypted USB flash drive or HDD/SSD with an on-device crypto-chip and AES-XTS 256-bit hardware encryption offers the highest levels of protection for sensitive company data.
Adding a secure microprocessor that is Common Criteria EAL5+ Certified brings into play built-in physical protection mechanisms which have been designed to prevent a wide array of cyber-attacks.
For ultra-secure encryption, data should preferably be encrypted with a FIPS PUB 197 certified randomly generated AES 256-bit encrypted encryption key.
Are there considerations for those operating a hybrid / remote-working model?
The increase in flexible working means a corresponding increase in the number of devices that are potentially on the move rather than kept at a permanent desk within a fixed office.
The likelihood of a device being lost or stolen therefore dramatically increases. To minimise risk and maximise protection, it’s essential to consider encrypting files both in transit and at rest, so that if a device does fall into the wrong hands, the data it contains cannot be accessed and data integrity is guaranteed.
Can a managed storage service in the cloud offer the same degree of data security?
Cloud providers will often offer encryption as part of their service. However, the encrypted data, and the encryption key required to unlock the data, are both stored in the cloud. This presents a degree of risk.
Keeping the encryption key, which is itself encrypted within a secure microprocessor stored on a hardware encrypted security module, away from the cloud increases the number of security measures from just one layer of authentication – the cloud account login – to up to five-factor authentication.
How can taking a Zero Trust approach to cybersecurity complement the backing-up of data?
Adoption of a Zero Trust approach ensures that any long-term access to information is revoked. This helps companies place tighter controls on their networks and requires access only to be granted as and when it is needed.
As lingering permissions are not permitted, attackers are denied the opportunity to spread widely around a network, which vastly improves cyber defences. The US Government’s National Institute for Science and Technology (NIST) has set out guidelines that are regularly reviewed and have now been adopted by the UK Government, among others.
Do you have any closing thoughts or suggestions this World Backup Day?
Backing up and encrypting data will go a long way towards eliminating security risks and helping managers gain assurance as to the integrity of their vital information.
Retaining full responsibility for data encryption and information management will contribute to maintaining business continuity, and following a Zero Trust approach will be instrumental in helping to uphold compliance with data protection regulations, providing peace of mind and safer data for all.