Current events have demonstrated the value of an effective data backup system. The COVID-19 pandemic underscored the importance of resilience for businesses, and ongoing ransomware attacks show the value of a data backup when recovering from an attack. This year, when designing, implementing, and auditing backup systems, consider their security as well.

Data Backups Are Just as Sensitive as Originals

Many organizations have implemented strong protections for their “crown jewel” databases and other repositories of sensitive information. These protections are designed to comply with data protection regulations and corporate security policy.

When designing protections for sensitive and valuable data, consider the organization’s data backup policy as well. Data backups are important for resiliency, but they contain the same sensitive data as the original database.

As a result, these backups must be secured at the same level as the original systems. Many organizations place their backups at off-site locations for resiliency, but it is also important to ensure that these remote backup repositories can appropriately protect the data that they contain.

Insecure Backups Are a Common Source of Data Breaches

Cybercrime is a business, and efficiency is a core component of any business. For a cyber attacker attempting to carry out a data breach, this means looking for the least protected location where they can gain access to an organization’s data.

Most of the types of sensitive data that organizations store do not have an expiration date. This means that gaining access to a backup is as good as gaining access to the original because even “stale” backups contain a great deal of valuable information.

Data backups are a common source of data breaches for several different reasons:

  • Offsite Storage: Backup systems are commonly located offsite to protect against power outages, flooding, and similar localized events. However, these remote storage locations may lack the same defenses as onsite storage.
  • Lack of Visibility: Backups are often “out of sight, out of mind” until an organization needs them. This increases the probability that backup data will be exposed because an organization has forgotten that it exists.
  • Insecure Cloud Backups: Many organizations use the cloud to store backups, and many devices and services will automatically back up to the cloud. However, these cloud-based backups are often configured insecurely, which has led to a number of data breaches. In these cases, an organization likely has no idea if anyone has accessed these cloud-based backups.
  • Unofficial Backups: Employees within an organization may make unofficial copies of data for remote work, testing software, and other reasons. These backups are outside of an organization’s control, increasing the probability of exposure.

