How to Set up a Successful Backup Strategy
At-Bay’s security experts give advice on how to avoid a failed restoration
Restoring IT systems from backups is not as simple as clicking a few buttons.
In our recently released report on data backups, we show that a well-structured backup strategy can thwart a ransomware attack. But in order for that to happen, organizations must take steps to ensure their backups work when they are most needed. A good plan should assess what backup technology works for an organization’s unique IT portfolio, take into account associated recovery work to return to a normal state of operations, and designate specific roles amongst the company’s workforce to ensure minimal downtime.
We asked two experts from At-Bay’s Digital Forensics and Incident Response (DFIR) team for advice on how SMBs should construct their backup strategy to avoid a failed restoration. Larry Crocker, Head of Incident Response, and Brian Walsh, a senior member of our DFIR team, pulled from their decades of experience in restoring systems to give advice on the best ways to back up business systems.
Why Restorations Fail
According to At-Bay’s DFIR experts, restorations fail because so many organizations do not thoroughly plan for all of the associated tasks or secondary measures that need to be carried out. Some ways in which our experts have seen backups fail include:
- Lack of asset knowledge: One of the hardest things about an organization’s network is understanding what is owned and where it resides. SMBs struggle to understand what they have, where those assets sit in the network, and how they should be backed up.
“One of the hardest things about your network is understanding what you have and what you own,” says Walsh. “That goes to endpoints, assets, data, admin accounts, etc. Discovery of assets on the network is very, very difficult.”
- Poor testing and configuration: Indiscriminately dumping data into any kind of backup often leads to trouble in the restoration process. Without knowing what data is being backed up and what applications interact with that data, organizations set themselves up for extra work during the restoration process, which means a longer path back to normal business operations.
“If you’re not testing and checking configurations, you can back up the data you think you’re supposed to be backing up, but not actually do it in a way that the system admins can use it,” warns Walsh.
- Bandwidth issues: If an organization has terabytes of data stored in a cloud-based backup but only a slow internet connection, the download itself will severely limit the speed at which the organization can resume normal operations.
According to Crocker, “Pulling down terabytes of data from a possible cloud backup could take weeks.”
Given that businesses that successfully restored from backups were 3X less likely to pay a ransom, planning for these secondary issues is vital. By developing simple steps to optimize effectiveness, organizations can ensure that data is not only stored correctly, but is readily accessible and recoverable during crisis situations.
Best Practices for Backups
Regularly testing backups is similar to running emergency evacuation drills. If a physical disaster strikes, organizations rely on a practiced escape plan to respond to major hazards in a methodical and organized manner.
Restorations in the wake of a cyber attack should follow the same logic: A tested plan can help organizations accurately and completely restore their critical data in functionally usable form, ensuring that the recovery process will be as swift and smooth as possible.
Crocker says that if an organization builds and executes a restoration strategy that’s centered on regular maintenance, any type of backup will grant it more resiliency.
“If the cloud or on-premise backups are configured correctly and tested correctly, they serve as efficient ways to back up your system,” Crocker says.
Our team has some strategic suggestions when it comes to building backups into an IT environment:
- Follow the 3-2-1 rule: This industry-standard strategy suggests having at least three copies of your data, stored on two different types of media, with one of those copies kept offsite and disconnected from the internet. For example, you could have data on a primary server, a secondary backup on an external hard drive, and a tertiary backup in a cloud-based service.
- Verify backup integrity: It is vital to regularly verify the integrity of backups by performing restoration tests. This ensures that the backup files are complete and can be successfully recovered, providing confidence in the backup process and the ability to restore data to business-critical applications when needed.
“No matter what type of technology an organization uses, the biggest challenge is testing your backups on a regular basis to ensure that what you are backing up will actually work,” says Crocker.
- Understand how your IT network works together: It’s not good enough to haphazardly copy data or other assets and back them up in one or two repositories. Cataloging and categorizing how your system works together is essential for a successful restoration.
“Understanding the data you have, how you protect it, whether it can be used, and how you are going to get it back and reinstall it, are the most important things you can do,” says Walsh.
- Implement a strong password protection policy: Service accounts — accounts run by applications to carry out automated tasks — are often used for backups, and they are attractive targets for attackers. An organization should go above and beyond to protect these credentials, as they are likely to be targeted in a ransomware attack.
“Having a specific account for backups is absolutely needed,” says Crocker, adding that it “should have the same or a more stringent password to protect from credential theft.”
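One way to turn the "verify backup integrity" and "understand how your assets fit together" advice above into a repeatable restoration test, as an added example that is not At-Bay's or the article's own code: record a SHA-256 manifest of every file when the backup is taken, then compare a restored copy against that manifest and report files that are missing, corrupted, or unexpected. The sample files and the simulated partial restore in `demo()` are constructed here; in practice the manifest would be stored alongside each backup copy.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path -> SHA-256) at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest captured when the backup was made."""
    found = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "corrupted": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "unexpected": sorted(set(found) - set(manifest)),
    }


def restore_is_clean(report: dict) -> bool:
    """A restoration test passes only when every category of problem is empty."""
    return not any(report.values())


def demo() -> dict:
    """Constructed sample: back up three files, then simulate a flawed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src"); src.mkdir()
        (src / "db.sql").write_text("CREATE TABLE t (id INT);")
        (src / "app.cfg").write_text("timeout=30")
        (src / "notes.txt").write_text("hello")
        manifest = build_manifest(src)
        # Store the manifest with the backup copy, then reload it as the test would.
        Path(tmp, "manifest.json").write_text(json.dumps(manifest))
        manifest = json.loads(Path(tmp, "manifest.json").read_text())
        restored = Path(tmp, "restored"); restored.mkdir()
        (restored / "db.sql").write_text("CREATE TABLE t (id INT);")  # intact
        (restored / "app.cfg").write_text("timeout=3")               # truncated on restore
        (restored / "stray.log").write_text("x")                     # not in the backup
        # notes.txt is never restored at all
        return verify_restore(manifest, restored)
```

Running `demo()` reports `notes.txt` missing, `app.cfg` corrupted and `stray.log` unexpected, which is exactly the information an administrator needs before trusting that backup in a real incident.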
A Backup Strategy Can Save Your Organization
Similar to an insurance policy, a robust backup strategy serves as a lifeline, enabling business continuity in the wake of a cyber attack. Ensuring the availability, integrity, and security of data means an organization can quickly restore its operations, return to its normal state of affairs, and guard the data from unauthorized access or further attacks. Having such a strategy ultimately translates to enhanced resilience and less downtime, preserving both the valuable trust of clients and the stability of the organization.