
NIS2 compliance brings data into the game: Are you ready?

Iveta Sáblíková, Information Security Consultant

When we ask our customers about backups, we are usually assured that all important data is stored safely and that everything is taken care of. However, a subsequent deeper discussion often reveals that the data is not quite safe after all.

Data backup is an obvious task of the IT department, and a company or organization should be able to rely on its backups in case of any incident – whether it is the accidental deletion of important files, a hardware failure, the loss of a laptop or phone or, increasingly these days, a ransomware attack. The requirement for backup and, above all, for the ability to restore data is also imposed by the NIS2 directive and the related new Cyber Security Act, which require a solution for backing up and restoring data as an integral part of cyber security measures. As practice very often shows, some form of backup is kept practically everywhere.

However, these backups are far from always in a state that allows them to be used for the fastest possible remediation in the event of an error, crash or cyber-attack. Why is this so, and what are the most common errors and mistakes in backup?

1. Only backup is handled, but not data recovery

Many companies and organizations have, in principle, well-developed data backup strategies, but no plan for restoring the data when needed. Yet a backup plan must necessarily include a recovery plan - i.e. a precise description of how and where the backups are stored, how long it takes to restore the various systems and data, where the bottlenecks in the recovery process are, and what procedures should be followed in the event of a crash. Without it, the decision about what can be restored, from where and how long it will take is made only at the moment of the crash, which prolongs downtime and increases losses.

2. Data backup isn't continuously checked

The existence of a data backup does not necessarily mean that data can be successfully restored from it. For each backup, it is therefore necessary to check at regular intervals that it works - i.e. that successful data recovery is actually possible. Backup verification functions are often part of backup solutions, but they are just as often forgotten: it is extra work for IT, and in most organizations the functionality of backups, like the actual time it takes to restore key systems, is tested only sporadically.
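A scripted restore drill, added here as an example (not code from the original post or from SoftwareOne), that does what points 1 and 2 ask for: it restores a backup into a scratch directory, verifies every restored file against a SHA-256 manifest and measures the restore time against the RTO the recovery plan promises. The tar.gz archive layout, the manifest and the sample files are constructed assumptions for this example.

```python
import hashlib, json, os, tarfile, tempfile, time

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, archive_path):
    """Back up every file under src_dir; return the manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                rel = os.path.relpath(os.path.join(root, name), src_dir)
                manifest[rel] = sha256_of(os.path.join(root, name))
                tar.add(os.path.join(root, name), arcname=rel)
    return manifest

def restore_drill(archive_path, manifest, rto_seconds):
    """Restore into a scratch dir, verify every file's hash, time it against the RTO."""
    with tempfile.TemporaryDirectory() as scratch:
        start = time.monotonic()
        with tarfile.open(archive_path, "r:gz") as tar:
            for m in tar.getmembers():  # refuse entries that would escape scratch
                if m.name.startswith("/") or ".." in m.name.split("/"):
                    raise ValueError("unsafe path in archive: " + m.name)
            tar.extractall(scratch)
        elapsed = time.monotonic() - start
        missing = [p for p in manifest if not os.path.isfile(os.path.join(scratch, p))]
        corrupt = [p for p in manifest if p not in missing
                   and sha256_of(os.path.join(scratch, p)) != manifest[p]]
    return {"restore_seconds": elapsed, "within_rto": elapsed <= rto_seconds,
            "missing": missing, "corrupt": corrupt,
            "usable": not missing and not corrupt and elapsed <= rto_seconds}

def demo(skipped_file=False):
    """Constructed sample data. skipped_file=True models a backup job that silently
    missed a file the manifest (and the recovery plan) still counts on."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        for rel, text in {"finance/ledger.csv": "id,amount\n1,100\n",
                          "notes.txt": "meeting notes\n"}.items():
            os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
            with open(os.path.join(src, rel), "w") as f:
                f.write(text)
        archive = os.path.join(work, "backup.tgz")
        manifest = make_backup(src, archive)
        if skipped_file:
            manifest["finance/q4-forecast.xlsx"] = "0" * 64
        return restore_drill(archive, manifest, rto_seconds=60)
```

Run on a schedule against real backups, a report with `usable` false (or a growing `restore_seconds`) is the early warning that point 2 says most organizations never get.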

3. Unclear architecture or faulty backup implementation

Some future data-recovery problems have their cause at the very beginning - in an inappropriately designed backup strategy and in how it is perceived at the management level. A robust and reliable backup solution should not be viewed merely as an investment, as management often sees it, but as a form of insurance.

Backup alone will not protect the business from a crash and cannot generate any profit - just like insurance against fire or flood. However, if an accident does occur, the role of the backup is to ensure the fastest possible remedy with the least possible consequences - again, just like insurance.

Since backup is not an investment that directly generates profit, its return cannot be calculated. However, most businesses should be able to calculate the costs and losses they would face if they had no backup or it turned out to be unusable. The backup strategy must then be designed accordingly, reflecting the different levels of data importance in terms of availability and recovery speed. It often turns out that a large capacity of the fastest (and most expensive) storage is far from necessary: by classifying its data appropriately and combining storage types, an organization can significantly reduce the cost of reliable backup.

4. Open ransomware gateway

Functional backups are the only really effective defense against the effects of ransomware attacks, the intensity of which increases every year. But the Veeam 2023 Ransomware Trends Report found that "in almost all (93%) cyber incidents, criminals attempt to attack backup storage, resulting in 75% of organizations losing at least some of their backup storage during an attack, and more than a third (39%) of backup storage is completely lost".

Unfortunately, this means that with an inappropriately designed backup strategy and architecture, even the backups that were supposed to enable quick recovery after the attack are reached and destroyed by the attacker during the ransomware attack itself (again, we are talking about insurance and impact minimization, not defense against the cyber-attack).

The most common cause is that the backup server is joined to the enterprise Active Directory, which represents an invitation and an open door for attackers: once the domain is compromised, the backups are reachable with the same credentials. A backup that is effective against ransomware must be kept separate from the corporate network in the form of a so-called immutable backup that cannot be deleted or encrypted.

5. Cloud data is not automatically backed up

Today, corporate data is found in so many places and on so many media that it is often difficult to locate all of it (ideally, an organization should have an overview of its data and classify it, which is sometimes a real challenge). It is important to note that saving data to an external drive, a flash drive or even to the cloud is not a backup. Sure, in a crisis a disk forgotten in a desk drawer can be a lifesaver - but who can rely on such a disk just happening to be lying around somewhere?

Likewise, we cannot rely on data storage within cloud services. All serious cloud service providers state in their terms and conditions that data stored within services such as Microsoft 365 is not backed up, and that the data owner must take care of backing it up (for example, to another dedicated cloud service). The same applies to the subsequent long-term archiving of these backups (either for legislative reasons or as a "golden backup" when all else fails).

If the organization does not take care of data classification, data backup and the subsequent archiving of these backups, an employee may, for example, completely delete their mailbox and their data on the company's SharePoint or OneDrive when leaving the company, irreversibly destroying important documents. Data stored in the cloud can also be lost through carelessness or a failure on the part of the data center.

Backup is certainly not an easy discipline, but its importance in keeping a business or organization running is crucial. The creators of the NIS2 directive are aware of this too, and require companies and organizations to have clear Disaster Recovery Plans (DRP) and Business Continuity Management (BCM). Of course, data backup and archiving must be addressed regardless of NIS2, but if your organization is among the obliged entities under the new cyber security law, which is very likely given the scope of the directive, it is high time to start working on your DRP and BCM plans.

How can we help you?

We'll be happy to help you design an effective backup strategy and make sure you avoid the most common mistakes, to protect your data and your business.

Contact us and we'll talk about it!

Why SoftwareOne?

  • We are experts in organizational and technical security.
  • We help you with process security and recommend suitable technologies to your organization.
  • Our portfolio considers the Cyber Security Law, NIS2, DORA, GDPR, ISO standards, cloud standards and others.
  • We know what's coming – be it legislation updates or latest technology trends.
  • No one-trick pony! We deliver solutions you'll benefit from for a long time.
  • We provide services in an easy-to-understand manner tailored to your team's needs.

Discover our services for comprehensive cyber security solutions.


Do not hesitate to contact us

We will be happy to help you.

