Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome back to Cash in the Cyber Sheets, where we tackle the biggest challenges businesses face and offer actionable insights to help you navigate the ever-evolving world of risk management, compliance, and security.
I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output, and very happy to have you here today to continue talking about our Dirty 13 series, which is where we break down all the top audit findings we find when working with financial firms and other firms in regulated spaces. If you missed our last episode or episodes, don't worry, you can still always catch up later, but today's topic is one you won't want to skip because we're going to discuss backups, the unsung hero of business continuity and disaster recovery, or at least that's what they should be. In reality, many organizations are still getting this critical practice wrong, and the consequences can be devastating.
So let's dive into the most common backup failures we see during our audits, why they matter, and most importantly, different ways that you can work to fix them. Let's start with the basics. Why are backups so important? We've talked about it before, we will definitely talk about it again, but backups serve as your safety net, the last line of defense against everything from ransomware attacks to accidental deletions to hardware failures.
They're also essential for meeting regulatory requirements, especially in highly regulated industries like finance, legal, medical, and other highly regulated industries. But here's the problem. While most organizations have some form of backup process in place, their execution is typically flawed, which is what we're finding in our audits.
These flaws show up in our audits, and they show up in the worst way when something goes wrong. So let's walk through some of the most common failures we see, why they're so critical, and some different things that you can do to address them. First up on our list of backup failures is poor distribution.
This happens when backups are stored on the same systems that they're meant to protect or in the same physical location. Imagine a fire or a flood in your data center. If your backups are sitting right next to your primary system, they're going down too.
You're not going to have anything to back up. The whole point of your backups is to ensure that you can recover your data no matter what. Backups need to be stored in separate locations and on separate systems to protect against localized disasters.
The best way to fix this: implement geographically distributed backups. These can be cloud-based.
These can be off-site. But make sure that your backups are not in the same location as your primary systems. And if you can, have additional backups in even other locations.
Also ensure that all of those backups are stored on completely different systems and media independent of the primary data. Next up, let's talk about scheduling or rather the lack of proper scheduling. This is a pretty big one that can hit in pretty serious ways as it relates to compliance requirements, regulatory requirements.
What we see a lot is backups running on schedules that don't match their operational or regulatory requirements. An example is where an organization is required to retain data for, let's say, seven years. But the backup schedule is only retaining the backups for 30, 60, or 90 days.
So while there are rolling backups, realistically we can only restore 30, 60, or 90 days out. That's a pretty big mismatch. It's a compliance violation waiting to happen.
The best way to address this is to make sure that you work with your compliance teams, your IT department, and management to align all of your backup schedules with your retention requirements and business requirements. Don't forget those RTOs and RPOs. Also, leverage automation tools to ensure backups are running consistently and on appropriate schedules.
Another common issue we find is incomplete system coverage. This happens when certain systems or types of data are excluded from the backup process, either intentionally, because it seems like they're not important, or completely by oversight. What makes this such an important issue is that if critical systems or data aren't being backed up, recovery from a disaster or cyber attack becomes impossible.
The way that we normally see this within firms is that the critical systems are backed up, but supporting databases aren't being backed up, or supporting systems aren't being properly backed up, with software versions being one of the big ones. The best way to address this is to perform a comprehensive audit of all of your systems to identify gaps in backup coverage. Also, use a centralized backup management tool or tools to ensure that nothing's falling through the cracks.
Let's move on to encryption. It's great to have all of these backups, but they have to be encrypted. Storing unencrypted backups is a significant risk, especially in today's landscape of breaches and ransomware.
If a malicious actor or unauthorized party gains access to your backups, and they're not encrypted, they're going to have access to everything. It's kind of like coming in the back door through a back screen door. Make sure those backups are encrypted.
The best way to address this is when you're auditing that encryption, make sure they're encrypted both in transit and at rest. Additionally, use strong encryption protocols and ensure your encryption keys are also properly maintained. It doesn't do any good if your backups are encrypted, but the keys are easy to get to.
Number five, let's jump in and talk about backup testing. Now, we've had entire podcast episodes on this. We've talked about it a lot, but we can't talk about backup issues without talking about backup testing.
This is one of the most overlooked yet essential steps in any backup strategy. Far too often, firms assume their backups are working only to find out during a crisis that their data is corrupt, incomplete, or simply not recoverable. This ties into what we talked about before of some data not being backed up that's needed.
We find this during our backup tests. The best way to address this is simply to do it. Schedule routine backup tests to verify both the integrity and usability of your data.
Also, create a disaster recovery playbook that includes regular mock recovery scenarios. So don't just walk through the test, but actually recover the data like you were really going through an attack. All right, so we've covered a lot of ground.
Let's recap with some of the actionable insights you can take to strengthen your backup strategy. Number one, distribute your backups. Store your backups in separate systems in geographically different locations.
Number two, align your backup schedules with your compliance requirements. Ensure your backup schedules meet both operational, your business, and regulatory retention requirements. Number three, audit coverage.
Regularly audit your systems to make sure that all critical data and all supporting data and systems are being backed up properly. Number four, check your retention periods. I'll say this one again, but match those retention schedules to make sure the compliance requirements meet what you're actually backing up.
Number five, encrypt everything. Protect backups with strong encryption protocols, both at rest and while the data's in transit. And finally, test your backups regularly.
Make backup testing a routine part of your IT operations. And make sure that you're not just restoring the data and testing the mechanism, but going all the way through to the usability of what you're restoring. Remember, a robust backup strategy isn't just about having backups.
It's about being able to ensure they work when you actually need them. So, that's all for today's episode of Cash in the Cyber Sheets. Thank you very much for listening to our eighth, ninth installment of the Dirty 13.
Backups might not seem glamorous, but they're absolutely essential for protecting your business and staying compliant. It's why they're so important. So, take a moment to evaluate your organization's backup strategy and make sure that you're addressing all of the issues that we talked about today.
Thank you for listening, and don't forget to subscribe, hit that like button, and don't miss our next episodes where we discuss the final parts of the Dirty 13. If you found today's episode helpful, please share it with your colleagues, and let's work together to build a more resilient and secure business. Thank you for listening, and until next time, goodbye for now.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.
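One way to turn the episode's recap checklist (distribution, retention alignment, coverage of supporting systems, encryption at rest and in transit, and recent test restores) into an automated check over a backup inventory. This is an added example and is not the podcast's own material or any Input Output tooling. The inventory record layout, the sample systems and jobs, the seven-year retention requirement expressed as 2555 days, and the 30-day test-restore window are all constructed assumptions; it also goes slightly beyond the episode by walking each critical system's declared dependencies so that supporting databases and file shares are checked for coverage too.

```python
"""Backup-posture audit over a constructed inventory (added example, not the show's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class SystemRecord:
    name: str
    site: str                      # physical location of the primary system
    host: str                      # machine the primary data lives on
    critical: bool
    depends_on: List[str] = field(default_factory=list)   # supporting systems


@dataclass
class BackupJob:
    system: str
    site: str                      # where this backup copy is stored
    host: str                      # which system/media holds the copy
    retention_days: int
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    last_successful_restore: Optional[date]   # None means never test-restored


def audit_backups(systems: List[SystemRecord], jobs: List[BackupJob],
                  required_retention_days: int, max_restore_age_days: int,
                  today: date) -> Dict[str, List[str]]:
    """Return finding-category -> sorted list of affected system names."""
    findings: Dict[str, List[str]] = {
        "no_coverage": [], "same_location": [], "retention_too_short": [],
        "unencrypted": [], "untested": [],
    }
    jobs_by_system: Dict[str, List[BackupJob]] = {}
    for job in jobs:
        jobs_by_system.setdefault(job.system, []).append(job)
    by_name = {s.name: s for s in systems}

    # Coverage: every critical system AND everything it depends on needs a job.
    needed = set()
    for s in systems:
        if s.critical:
            needed.add(s.name)
            needed.update(s.depends_on)

    for name in sorted(needed):
        sjobs = jobs_by_system.get(name)
        if not sjobs:
            findings["no_coverage"].append(name)
            continue
        primary = by_name.get(name)
        # Distribution: at least one copy on a different site AND different host.
        if primary and not any(j.site != primary.site and j.host != primary.host
                               for j in sjobs):
            findings["same_location"].append(name)
        # Retention: the longest-kept copy must satisfy the regulatory period.
        if max(j.retention_days for j in sjobs) < required_retention_days:
            findings["retention_too_short"].append(name)
        # Encryption: every copy must be protected in transit and at rest.
        if not all(j.encrypted_at_rest and j.encrypted_in_transit for j in sjobs):
            findings["unencrypted"].append(name)
        # Testing: some copy must have been restored successfully recently.
        restores = [j.last_successful_restore for j in sjobs if j.last_successful_restore]
        if not restores or today - max(restores) > timedelta(days=max_restore_age_days):
            findings["untested"].append(name)
    return findings


def run_example() -> Dict[str, List[str]]:
    """Constructed inventory illustrating each failure from the episode."""
    today = date(2025, 1, 15)                      # constructed reference date
    systems = [
        SystemRecord("trading-app", "hq", "app01", True, ["trading-db", "file-share"]),
        SystemRecord("trading-db", "hq", "db01", False),
        SystemRecord("file-share", "hq", "nas01", False),
        SystemRecord("dev-wiki", "hq", "wiki01", False),   # not critical, not checked
    ]
    jobs = [
        # Good off-site copy, but a second on-site copy ships without TLS.
        BackupJob("trading-app", "cloud-east", "s3-vault", 2555, True, True,
                  today - timedelta(days=10)),
        BackupJob("trading-app", "hq", "backup01", 30, True, False,
                  today - timedelta(days=5)),
        # Supporting database backed up onto its own host, short retention, never tested.
        BackupJob("trading-db", "hq", "db01", 90, True, True, None),
        # file-share: no job at all (the "supporting system" gap from the episode).
    ]
    return audit_backups(systems, jobs, required_retention_days=2555,
                         max_restore_age_days=30, today=today)


if __name__ == "__main__":
    for category, names in run_example().items():
        print(f"{category:20s} {', '.join(names) or '-'}")
```

The same-site-and-same-host rule is deliberately strict: a copy that is off-site but on the same storage array, or on a different host in the same data center, still fails the distribution check, which matches the episode's point that both location and media must be independent.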