Backup plans may fail without proper practices. Knowing common pitfalls is crucial for effective disaster recovery. Start with the following practical steps.
1. Review your backup plans with RPO and RTO
Understand how your backup strategy fits your business needs by defining your Recovery Point Objective (RPO) and Recovery Time Objective (RTO). The RPO sets the maximum amount of data you can afford to lose, while the RTO defines how quickly you need systems restored to resume normal operations. Evaluate whether your current backup schedule and retention align with these targets.
2. Keep copies safe and separate from your network
Ensure a robust separation between your network and your backups by using technologies such as air-gapped backups, cloud-based repositories with restricted connectivity, or, even better, physical media stored in a secure location. Additionally, do not forget the impact of a physical event: ensure your backups are stored in sufficiently distant geographical locations. This strategy helps to ensure that a single event, digital or physical, cannot simultaneously compromise your primary data and your backups.
3. Use immutable storage
Maintain your backup integrity by introducing a WORM (Write Once, Read Many) or immutable storage solution. Such a storage solution acts as a final line of defence against ransomware and cyberattacks, ensuring that your recovery data cannot be altered or encrypted. When configuring immutable storage, ensure that the storage itself is adequately safeguarded against deletion or modification, to prevent attackers from shortening the immutability period.
4. Be careful about who can access your backups
When securing your backups from unauthorized access, Identity and Access Management (IAM) plays an important role. Use the principle of least privilege and define roles such as backup administrator, auditor and general user. Moreover, enforce multifactor authentication for all privileged accounts and regularly review and audit the IAM policies to ensure appropriate rights and authorizations are in place.
5. Monitor your backups as you would monitor your security logs
Regularly monitor backup job status, error logs, and the success of scheduled tasks. Automated alerting systems can notify you of failures or anomalies (such as backup size) in real time, reducing the risk of unnoticed problems undermining your recovery posture. Integrate backup monitoring with your broader security information and event management (SIEM) systems to gain a unified view of both operational health and potential threats.
6. Test your restoration procedures regularly
Regularly test your restoration procedures and backup integrity to verify your ability to restore backups during disaster recovery. Additionally, keep track of the time it takes to perform a restoration, so that you can make informed decisions about recovery efforts during an incident and know whether you meet your set RPO. Document lessons learned whilst putting your procedures to the test and follow up on them to ensure a streamlined recovery process.
7. Determine your backup scope
Backing up every system in full is not always the best approach: sometimes it is quicker to rebuild a system and restore only a database, rather than restoring the entire system. Examples could be dockerized environments, or your Active Directory, where only the underlying data is of importance. Define a strategy on what to restore and what to rebuild in case disaster strikes.
8. Test full and integrated restores, not just individual components
Restoration testing should extend beyond individual files or databases. Organizations should regularly test full restores of complete systems and, where feasible, entire environments consisting of multiple applications and datasets. These tests must explicitly validate dependencies and the required restore sequence. Define the restore scope, document the exact order of recovery, and measure the time required end to end. Without tested, integrated restore scenarios, recovery risks remain unknown.
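The following Python sketch is an added example, not part of the original article. It illustrates step 8 by deriving a restore order from declared dependencies and comparing the end-to-end restore time with the RTO. The component names, durations and the 240-minute RTO are constructed sample values.

```python
from graphlib import CycleError, TopologicalSorter

# Constructed sample scope: component -> (measured restore minutes, dependencies).
RESTORE_PLAN = {
    "storage":      (30,  []),
    "directory":    (45,  ["storage"]),
    "database":     (120, ["storage"]),
    "app-server":   (40,  ["directory", "database"]),
    "web-frontend": (15,  ["app-server"]),
}

def plan_restore(plan, rto_minutes):
    """Validate the restore scope, derive the order and check timing against the RTO."""
    # A dependency that is not in the documented scope would block the restore.
    missing = {d for _, deps in plan.values() for d in deps} - plan.keys()
    if missing:
        raise ValueError(f"dependencies outside restore scope: {sorted(missing)}")
    graph = {name: deps for name, (_, deps) in plan.items()}
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"circular restore dependency: {exc.args[1]}") from exc
    # Earliest finish time per component if independent restores run in parallel.
    finish = {}
    for name in order:
        minutes, deps = plan[name]
        finish[name] = minutes + max((finish[d] for d in deps), default=0)
    sequential = sum(minutes for minutes, _ in plan.values())
    parallel = max(finish.values())
    return {
        "order": order,
        "sequential_minutes": sequential,
        "parallel_minutes": parallel,
        "meets_rto_sequential": sequential <= rto_minutes,
        "meets_rto_parallel": parallel <= rto_minutes,
    }

if __name__ == "__main__":
    result = plan_restore(RESTORE_PLAN, rto_minutes=240)  # RTO is a sample value
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample values, restoring one component at a time misses the RTO, while restoring the directory and the database in parallel meets it. The durations should come from measured restore tests rather than estimates.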