Answer yes if your organisation takes regular backups of its production data that cannot be altered, deleted or tampered with for a specified time period. Backups must be taken in line with best practice guidelines, for example by following the '3-2-1' rule and segregating the backups from your main environment. Please describe your backup processes including segregation, frequency, and any other controls in place.
Backups are copies of your production data, which means they become an attractive target for attackers and need to be at least as secure as your main production site. The security and usability of your backups are vital to ensure you are able to respond effectively to a cyber attack or any other incident that has affected your data.
In particular, you should consider how your backups are protected from ransomware infection. If your organisation is hit with ransomware, you will need to rely heavily on your backups to restore operations. You need to ensure your backups are not also infected by the same ransomware.
You should use a combination of controls to protect your backups. As a minimum, this should include:
- Encryption. Backups should be encrypted to prevent unauthorised access and to protect their confidentiality. Many tools used to take backups of systems include a feature that encrypts the backups for you. If your IT team take backups manually, they can also implement encryption tools to protect them. Encryption algorithms vary in strength, and many older algorithms that used to be secure have now been broken. It is important to ensure you use a strong encryption algorithm such as AES (Advanced Encryption Standard) with a suitably long key (e.g. AES-256).
- Multiple copies. You should store multiple copies of your backups in different locations. One method for this is to follow the '3-2-1' rule: keep at least 3 copies, on at least 2 devices, with at least 1 kept offsite.
- Segregation. Devices or services containing backups should be kept separate from your network so that a malicious actor or software cannot move easily from your main network to your backups, and vice versa.
- Retention. Keep your backups for long enough (at least a month) to reduce the risk of a clean backup being overwritten by an infected or damaged backup before the infection was detected. Avoid having a single rolling backup.
- Testing. Regularly practise restoring from your different backup locations. You do not want to be doing this for the first time in the midst of an incident when the stakes are very high.
- Cyber hygiene. All people, processes and technology used to create and manage your backups should follow the same cyber security policies you have in place across the organisation. For example, devices and software should be patched regularly, and regularly scanned for malware. All backups should be given an appropriate level of digital, physical and environmental protection consistent with the standards applied at the main site.
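As an added illustration that is not part of the original article, the Python below audits a constructed backup inventory against the controls listed above: the 3-2-1 rule, retention of at least a month, no single rolling copy, encryption, and an immutability (lock) period that covers the retention window. The device names, dates and the `BackupCopy`, `audit` and `failed_controls` names are hypothetical; a real check would read the inventory from your backup tooling.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_RETENTION = timedelta(days=30)  # "at least a month"

@dataclass(frozen=True)
class BackupCopy:
    device: str             # storage device or service holding this copy
    offsite: bool           # kept away from the main site
    encrypted: bool
    taken_at: datetime      # when this restore point was created
    locked_until: datetime  # cannot be altered or deleted before this time

def audit(copies, now):
    """Map each control from the list above to True (met) or False (not met)."""
    if not copies:
        return {"any_backup_exists": False}
    oldest = min(c.taken_at for c in copies)
    return {
        "three_copies": len(copies) >= 3,
        "two_devices": len({c.device for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "encrypted": all(c.encrypted for c in copies),
        # Distinct restore points, not one copy overwritten on every run.
        "not_single_rolling": len({c.taken_at for c in copies}) >= 2,
        # A copy predating a month of undetected infection still exists.
        "retention_month": now - oldest >= MIN_RETENTION,
        # Each copy is immutable for the whole retention window.
        "immutable_for_retention": all(
            c.locked_until - c.taken_at >= MIN_RETENTION for c in copies),
    }

def failed_controls(copies, now):
    """Names of the controls the inventory does not satisfy."""
    return [name for name, ok in audit(copies, now).items() if not ok]

# Constructed sample inventory for one dataset (hypothetical names, not real systems).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def make_copy(device, offsite, age_days, lock_days, encrypted=True):
    taken = NOW - timedelta(days=age_days)
    return BackupCopy(device, offsite, encrypted, taken, taken + timedelta(days=lock_days))

SAMPLE = [
    make_copy("nas-01", offsite=False, age_days=1, lock_days=35),       # on-site disk
    make_copy("tape-vault", offsite=True, age_days=40, lock_days=365),  # offsite tape
    make_copy("cloud-bucket", offsite=True, age_days=1, lock_days=20),  # lock too short
]
if __name__ == "__main__":
    print(failed_controls(SAMPLE, NOW))  # ['immutable_for_retention']
```

The sample set passes 3-2-1, encryption and retention but is flagged because the cloud copy can be deleted after 20 days, sooner than the month-long retention the article asks for.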
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.