Observations
In the modern ICT environment, your approach to data backups is your last line of defence against a disaster event. Is your data backup regime fit for purpose? This IBRS advisory assesses why your organisation needs a sound data backup regime and what IT should do to manage the risks and costs.
IBRS has observed that many organisations have not conducted regular reviews of their backup regimes – in some cases for many years – adopting an ‘if it’s not broken, don’t fix it’ approach. Unfortunately, this approach often leads to a ‘we have always done it this way’ outcome, which leads to ignorance of business exposure to risks such as:
- Data loss.
- Prolonged downtime leading to operational disruption.
- Vulnerability to cyber attacks.
- Loss of customer trust and reputation.
Failure to address these risks will potentially lead to an inability to recover from disasters, resulting in lost productivity and excessive costs associated with storing unnecessary data.
Why Do You Need Data Backups?
In the first instance, organisations need to know what it is they need to back up. The data backup regime is a critical component of an organisation’s business continuity plan (BCP), and regular testing of mean time to restore and mean time to recover objectives is integral to DR plans. A data backup is used to mitigate the business risk of losing records and information. That is, the purpose of data backups is to address four key business risks:
- Accidental deletion of files in the event of a user or system error.
- Restoration of a business service and associated data in the event of an incident.
- Recovery of all services and data in the event of an IT disaster event.
- Using immutable data backups to restore data after a cyber incident.
An immutable data backup is a read-only backup (preferably offline and/or encrypted) that is available to use in the event of a cyber incident where your organisation has lost access to all other data holdings.
What Are the Risks?
With the growth of hybrid Cloud environments and Software-as-a-Service (SaaS), organisations often entrust their backup regimes to the service provider. While this is an accepted practice, your organisation still carries the risk associated with system and/or data loss. In addition to maintaining an in-house managed data backup for systems and services directly managed by internal resources, IBRS recommends that organisations conduct regular audits of their suppliers. These audits should include a periodic test of the vendor through a restoration test, provided the supplier’s terms and conditions permit. This should be a vendor obligation in terms of their contractual business continuity undertakings, with indemnities and material breach consequences for failure.
In reality, many, if not most, terms and conditions for Cloud and SaaS providers are scant or silent on liability for the conduct of annual testing. At a minimum, the purpose of the audit is to gain certification from each supplier, to the fullest extent of the contractual obligation, that provides comfort against risk: that data backups are completed in line with your organisation’s business needs, and that recovery from the backup is tested regularly.
The data backup regime for your organisation must focus on reducing risk to the business and be aligned with the multitude of obligations related to data for your business. Examples of such obligations include the Archives Act, the Privacy Act, the FOI Act, and the requirements for business governance, such as audit and taxation, as well as customer contracts. Importantly, your data backup strategy must be simple, easy to manage, and cost-effective.
When considering immutable data backups, prioritise the backup of data that is unique to your business and defines its intellectual property. These are your crown jewels: for example, customer data, business workflows, key supplier data, records management data, financial data, and HR data. It may not be possible or cost-effective to have an offline immutable data backup of all data. If this is your business reality, protect the crown jewels first.
IBRS has observed that many organisations keep backups, in some cases for years, at great cost in either Cloud or ‘on-premise’ storage platforms, with potentially excessive costs for data retrieval. The value of keeping backups for longer than six months is questioned. Retaining backups for too long is not only inefficient but can also increase the risk of data breaches or unauthorised access, potentially resulting in compliance and legal risks. The corporate memory of most organisations is short, so any request to recover an individual’s deleted or corrupted file, after more than a few days or weeks, is highly unlikely. Your organisation’s archive or records management platforms should cater for information older than a few months.
In the restoration of services following an incident or as part of a DR, data backups older than a few days represent a significant productivity loss for businesses and are, therefore, essentially useless. The only logical reason for keeping data backups for an extended period is to address potential corruption and maintain multiple copies in the event of a cyber attack. For example:
- If a segment of the data backup is corrupted, it may be recoverable from an older backup.
- In a ransomware cyber attack, your organisation can use older versions of the immutable data backup to conduct a forensic examination and cleansing, prior to applying the fix to the more recent immutable backup for the restoration of services.
Some examples of poor data backup management observed by IBRS are:
- Not aligning data backups with the records management disposal schedule.
- Storage of backups for multiple years (as an archive) for limited or no business value at great cost.
- Complex data storage regimes where the organisation develops a single-person dependency, in which only one person really understands how it all fits together.
Data backups are not an archive. If an archive is deemed necessary by the business, it should be included in the data backup, not be the backup itself. Storing data backups for longer than six months will incur additional costs for no perceived business value. If the data is considered of value after six months, it should be in the records management platform or a purpose-designed archive.
How Can Your Organisation Contain Costs?
To overcome these challenges at a reasonable cost, IBRS recommends that organisations regularly review their data backup regime. The focus is on maintaining the alignment of data backups with the business model. In doing so, refrain from maintaining data backups for longer than necessary. In your review of data backups, understand the business need through the following steps:
- Identify risks associated with business processes that require mitigation through data holdings that necessitate data backup.
- Determine backup requirements for each holding, considering business, legal, technical and the ‘whole of life’ cost aspects.
- Analyse the options to minimise the ‘whole of life’ cost associated with the conduct, storage, and retrieval of data backups.
- Design, document, and implement data backup regimes, keeping the processes as simple as possible to reduce the risk of single-person dependency.
- Monitor backup routines.
- Regularly test viability for disaster recovery and recovery from a cyber incident.
IBRS suggests that the design of your data backup regime consider the following framework as a reference for requirements definition and planning purposes:
- System Data
  - Weekly backups of system configuration (virtual machine, physical machine, networking, storage configuration and system logs).
  - Weekly backups of source code.
  - Weekly copy of system configuration and source code backup moved to the immutable store fortnightly.
  - Age out all backups after 6 months.
- Structured Data
  - Incremental backup online every 30 minutes or better.
  - Incremental backup is stored daily offline.
  - Full backup is stored weekly offline.
  - Complete backup copies are transferred to an immutable storage system on a weekly basis.
  - Age out all backups after 6 months.
- Unstructured Data
  - Incremental backup online every 60 minutes or better.
  - Incremental backup is stored daily offline.
  - Full backup is stored weekly offline.
  - The full daily copy is moved to the immutable store on a weekly basis.
  - Age out all backups after 6 months.
- All Data
  - Maintain data backups in at least two (preferably three) geographically separate locations, taking into account known risks. For example, copies of data backups are held in geographically dispersed data centres, with a copy offline (air-gapped), using a mix of on-premise and Cloud, or utilising a hybrid Cloud ecosystem.
  - Ensure any requirements for archive data are included in the backup – do not use the backup as an archive.
  - Ensure the disposal schedule for records is aligned with the backup. That is, if your disposal schedule requires deletion of data in production, align the backup and disposal schedule such that the oldest backup does not hold the specified data that is required to be deleted.
  - Regular testing of data restoration from data backups supports recovery from accidental loss, system errors, disasters, and cyber incidents.
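The Structured Data and All Data rules above can be checked mechanically against a backup catalogue. The following is an added example, not IBRS code: the catalogue fields, the location names and the 183-day reading of ‘6 months’ are assumptions, and the sample entries are constructed.

```python
from datetime import datetime, timedelta

# Thresholds taken from the framework above (Structured Data / All Data).
MAX_AGE = timedelta(days=183)           # "age out after 6 months"; 183 days is an assumption
MAX_INC_GAP = timedelta(minutes=30)     # incremental every 30 minutes or better
MAX_IMMUTABLE_AGE = timedelta(days=7)   # complete copy to the immutable store weekly
MIN_LOCATIONS = 2                       # at least two separate locations

def audit_catalogue(entries, now):
    """Return (rule, backup_id) findings for a structured-data backup catalogue."""
    findings = []
    for e in entries:                   # retention: nothing older than six months
        if now - e["taken"] > MAX_AGE:
            findings.append(("age-out", e["id"]))
    incs = sorted((e for e in entries if e["kind"] == "incremental"),
                  key=lambda e: e["taken"])
    for prev, cur in zip(incs, incs[1:]):   # gaps between consecutive incrementals
        if cur["taken"] - prev["taken"] > MAX_INC_GAP:
            findings.append(("incremental-gap", cur["id"]))
    if not incs or now - incs[-1]["taken"] > MAX_INC_GAP:
        findings.append(("incremental-gap", "latest"))
    immutable = [e for e in entries if e["kind"] == "full" and e["immutable"]]
    newest = max(immutable, key=lambda e: e["taken"], default=None)
    if newest is None:
        findings.append(("immutable-missing", None))
    elif now - newest["taken"] > MAX_IMMUTABLE_AGE:
        findings.append(("immutable-stale", newest["id"]))
    # Location is only a label here; geographic separation must be confirmed separately.
    if len({e["location"] for e in entries}) < MIN_LOCATIONS:
        findings.append(("too-few-locations", None))
    return findings

# Constructed sample catalogue (not real data).
NOW = datetime(2025, 7, 1, 12, 0)
def entry(id_, kind, taken, location, immutable=False):
    return {"id": id_, "kind": kind, "taken": taken,
            "location": location, "immutable": immutable}
CATALOGUE = [
    entry("full-old", "full", datetime(2024, 12, 1), "dc-syd"),
    entry("full-imm", "full", datetime(2025, 6, 20), "vault-mel", immutable=True),
    entry("inc-1", "incremental", datetime(2025, 7, 1, 10, 30), "dc-syd"),
    entry("inc-2", "incremental", datetime(2025, 7, 1, 11, 0), "dc-syd"),
    entry("inc-3", "incremental", datetime(2025, 7, 1, 11, 50), "dc-syd"),
]

if __name__ == "__main__":
    for rule, backup_id in audit_catalogue(CATALOGUE, NOW):
        print(rule, backup_id)
```

On the sample catalogue the audit reports a backup that should have aged out, a 50-minute hole in the incremental chain, and an immutable copy that is more than a week old.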
Next Steps
- Review the current data backup regime to assess costs and complexity of backup design.
- Assess the need to mitigate data loss in relation to risks to business outcomes, productivity, and costs.
- Consider the value proposition of simplifying the data backup regime.
- Develop a program to implement the changes needed for your organisation to simplify data backups, improve the risk profile of the business, reduce costs, and reduce complexity, thereby reducing the IT exposure to single-person dependency.