Since the start of the Covid-19 pandemic, the world has seen a massive increase in cyber-crime. Attacks against banks and financial institutions, for example, are up 238%. No one is immune. Cyber-attacks against schools, hospitals and other public institutions have skyrocketed. Just one hour’s downtime can cost the average medium-sized business over £60,000. The ability to recover business data following a cyber-attack has never been more important. In the remainder of this article, we ask: is your data backup creating a false sense of security? We look at data backup solutions, the importance of data recovery testing, legal responsibilities and disaster recovery planning.
Whether it’s a cyber-attack, power outage, hard drive failure, burst pipe or electrical fire, there are numerous good reasons to have your data backed up and a disaster recovery (DR) plan in place. Incredibly, 17% of UK businesses have no backup systems whatsoever while 50% fail to follow best practice [1]. Backing up your data to an on-site server might seem like a good idea until your office burns down or floods, leaving you with no way to recover your data. Sometimes your data backup solution creates a false sense of security.
Testing, testing, testing
Many organisations rely on outdated or unreliable backup systems and never run data recovery tests. If you are one of these organisations, you could be in for a nasty surprise. According to Sherweb, 23% of organisations with a backup solution found they were unable to recover any data when required. The reality is that data backup solutions fail because of problems with the storage media, software errors, network failures, misconfiguration and human error. The best way to tackle these difficulties is to back up your data frequently; run regular data recovery tests; and ensure your backup systems are managed by a competent professional [2].
Under EU GDPR legislation and the UK Data Protection Act (2018), every business is legally responsible for the data it holds. Organisations should be able to demonstrate that they have robust data backup and disaster recovery plans appropriate to the risks under GDPR Article 32, Security of Processing:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The Information Commissioner’s Office (ICO) provides guidance for businesses on data backup and recovery. It also warns that organisations that do not comply with the regulations will be subject to severe monetary penalties. For example, Welcome Financial Services Limited was fined £150,000 for its failure to back up customer data properly. The National Cyber Security Centre (NCSC) also provides information for small businesses on the best ways to back up and secure data.
The Rule of Three
Modern Networks follows the ‘Rule of Three’ for data backup: have three copies of your data; back up two on different media; and back up one off-site in the Cloud. It’s important you create a robust disaster recovery plan based on a full risk assessment. Of course, not all data is created equal. You might want to adopt different backup and retention policies for business-critical and non-critical data. Create a schedule for data recovery testing, and document the process. Ensure you test your people as well as your systems. Review and update your recovery plan regularly.
Working from home
Today, we all talk about working from home as the new normal. That means lots of company data is sitting on laptops, tablets and smartphones. However, mobile devices are vulnerable to theft, damage and malware. Adopting an automated, secure Cloud backup can help ensure the integrity of your data, wherever it resides.
Counting the costs
If the Covid-19 pandemic has taught us anything, it’s that you never know when disaster will strike. The reputational damage and financial losses caused by a cyber-attack or data breach can be staggering. There is the initial period of business interruption and lost productivity. Next, your firm has the remedial costs of fixing the damage. You will also have to work hard to win back the confidence of lost customers. Finally, your business is likely to see a hike in insurance premiums, legal fees and a substantial fine from the ICO. However, good governance of all your IT systems, the right security precautions and disaster recovery plans can make all the difference. They can help mitigate the risks to your organisation, minimise the impact of any unforeseen event, ensure you meet your compliance obligations, and demonstrate best practice.
At Modern Networks, we understand the importance of having a secure, fully integrated data backup and recovery strategy. We are always happy to discuss your business needs, provide expert advice and practical solutions.