Backing up business data is one of the most basic, yet effective, cybersecurity controls one can implement. Some sort of cyber incident is bound to happen to any online user at some point, and proactive measures need to be implemented to lessen the damage done when an incident does occur. For businesses, having a reliable backup strategy can be the difference between being able to recalibrate from a crisis and going out of business permanently.
A backup strategy should start with the drafting and publication of a Backup Policy. This issue-specific policy outlines the need for backups in the greater information security program, as well as standards for their creation, storage, and use. Start by identifying the business drivers for backing up data. In addition to being an overall good part of cyber hygiene, backups may be required by any of the following:
- Legal requirements
- Regulatory requirements
- Contractual requirements
- Mission requirements
- Pre-established policies and guidelines
Understanding potential sources for backup mandates will allow you to narrow down specific technical and admin requirements for creation and storage.
A backup policy should follow a structure similar to the following:
- Purpose of the policy
- Stakeholders in the policy
- Scope of the policy
- Key terms, mainly technical and legal
- Required frequency of backups
- Requirements for backup storage and protection
- Requirements for validating the integrity of backups
- Requirements for destruction or archival of backups
- Roles and responsibilities for the backup creation, storage, retention, and destruction processes
- Retention period for each category of backup
- Points of contact for issues relating to backups
Backup solutions are an issue that is an inch wide and a mile deep. There are thousands of different proprietary and open-source solutions that automate much of the backup process for the organization. For extremely small businesses with just a few desktop devices, old-fashioned methods such as burning data to Blu-Ray discs may suffice. Many vendors of cloud infrastructure and software offer built-in backup functionalities, such as OneDrive’s ability to sync user directories to Microsoft’s servers.
It is best to start small by identifying the basic types of backup:
- Full: Every piece of data stored on a specific device or platform is backed up. Essentially, a full backup freezes the data in time, allowing it to be easily restored to the state it was in at the time of capture.
- Incremental: Backs up ONLY the data that has changed since the most recent backup, whether that was the last full backup or the last incremental backup. Each incremental set is small, but a restore needs the full backup plus every incremental taken since it.
- Differential: Backs up all data that has changed since the last full backup. The more time passes since the last full backup, the larger the next differential backup will be.
- Snapshot: Snapshots are much like full backups in that they capture a resource as it exists at the point in time of the backup. Snapshots are specifically tailored to virtualized environments, with the idea being that users managing a hypervisor can take literal “snapshots” of the guest VMs. The snapshots will include all settings, configurations, and data at the time of the snapshot.
- Cloud: A cloud backup stores data off-site in a third-party vendor’s infrastructure. The backups specifically can be configured in several ways, but the overarching idea is that they are stored in a “vault” of sorts on the selected cloud infrastructure. Think of the “sync” features present in programs like OneDrive.
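To make the difference between full, differential, and incremental backups concrete, here is an added example (not from the original article) that walks a constructed set of four files through one week of backups under a differential plan and an incremental plan, then works out which backup sets a restore would need in each case. File names, timestamps, and the Monday-noon schedule are all assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample (not from the original page): file -> last-modified time.
DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1, 12, 0)             # Monday noon: the weekly full backup
FILES: Dict[str, datetime] = {
    "logo.png": T0 - 30 * DAY,               # untouched for a month
    "ledger.xlsx": T0 + 0.5 * DAY,           # edited Monday evening
    "contracts.docx": T0 + 1.5 * DAY,        # edited Tuesday evening
    "payroll.csv": T0 + 2.5 * DAY,           # edited Wednesday evening
}
Plan = List[Tuple[str, str]]                 # (day label, backup kind), one per day from T0
PLAN_DIFFERENTIAL: Plan = [("mon", "full"), ("tue", "differential"), ("wed", "differential"), ("thu", "differential")]
PLAN_INCREMENTAL: Plan = [("mon", "full"), ("tue", "incremental"), ("wed", "incremental"), ("thu", "incremental")]

def select_files(kind: str, now: datetime, history: List[Tuple[str, datetime]]) -> List[str]:
    """Files a backup of `kind` taken at `now` captures, given prior backups as (kind, time)."""
    if kind == "full":
        return sorted(FILES)                 # everything, regardless of when it last changed
    if kind not in ("differential", "incremental"):
        raise ValueError(f"unknown backup kind: {kind}")
    fulls = [t for k, t in history if k == "full"]
    if not fulls:
        raise ValueError(f"{kind} backup needs an earlier full backup")
    # differential: changed since the last FULL; incremental: since the last backup of ANY kind
    since = fulls[-1] if kind == "differential" else history[-1][1]
    return sorted(f for f, mtime in FILES.items() if since < mtime <= now)

def simulate(plan: Plan) -> Dict[str, List[str]]:
    """Run the plan day by day and return day label -> files captured that day."""
    history: List[Tuple[str, datetime]] = []
    captured: Dict[str, List[str]] = {}
    for n, (label, kind) in enumerate(plan):
        now = T0 + n * DAY
        captured[label] = select_files(kind, now, history)
        history.append((kind, now))
    return captured

def restore_chain(plan: Plan, target: str) -> List[str]:
    """Backup sets needed, oldest first, to rebuild the data as of `target`."""
    i = [lbl for lbl, _ in plan].index(target)
    chain: List[str] = []
    while True:
        label, kind = plan[i]
        chain.append(label)
        if kind == "full":
            return list(reversed(chain))
        # a differential already holds every change since the last full, so jump straight to it;
        # an incremental holds only one day's changes, so keep walking back one set at a time
        i = max(j for j in range(i) if plan[j][1] == "full") if kind == "differential" else i - 1
```

Running `simulate` on both plans shows Thursday's differential set growing to three files while Thursday's incremental set holds one, and `restore_chain` shows the trade-off: the differential plan restores from two sets, the incremental plan from four.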
There are several different strategies that determine how any of the above backup types will be utilized.
- 3-2-1 Rule: This is a general and widely accepted standard for creating backups. In this strategy, 3 different copies of the backup are created on at least 2 different platforms, with at least 1 copy stored outside of your main facility. This could be implemented in several ways. A common approach would be to have one copy stored on a network server, a second copy burned to a Blu-Ray disc, and a third sent securely over the Internet to a cloud storage bucket. However, cloud storage is not necessarily required for the off-site component (although it's recommended). Instead, a second Blu-Ray disc could be created and taken to a secondary facility and placed in a locked safe.
- 3-2-1-1-0 Rule: This backup strategy expands upon the previous rule. It offers better protection for situations such as a ransomware attack or backup media corruption. The same backbone is used: 3 different backups, 2 different backup media, 1 copy off-site. However, a fourth copy must be added with the immutable attribute turned on. The immutable attribute is available on many cloud storage platforms and prevents any change to the selected data, so ransomware that reaches the backup copy cannot encrypt or modify it. If a platform with the immutable attribute is not available, you can still comply with this rule by keeping the fourth copy offline at all times.
- 4-3-2 Rule: If your business relies primarily on Managed Security Service Providers (MSSPs) or other third-party IT vendors, then this rule may be the preferred route. In this strategy, 4 individual backup copies are created. They must be divided amongst 3 different locations, with 2 of them being outside your facility. For example, one copy could be stored on a hardened file server on your company network, a second stored on your IT provider’s network, a third synced out to a cloud storage solution, and a fourth stored on a local Blu-Ray disc.
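An added example (not from the original article) that turns the three rules above into checks you can run against an inventory of backup copies. The copy layouts are constructed from the article's own illustrations: the 3-2-1 server/Blu-Ray/cloud-bucket layout, then the same layout with a second Blu-Ray disc kept offline in a safe at another site. Reading the trailing 0 of 3-2-1-1-0 as "zero errors on a test restore" is an assumption the article does not spell out.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Copy:
    """One backup copy, described by the properties the 3-2-1 family of rules checks."""
    location: str             # where it physically lives
    medium: str               # what it is stored on
    offsite: bool             # outside the main facility
    immutable: bool = False   # storage refuses any change to the data
    offline: bool = False     # kept disconnected, so nothing on the network can reach it
    verified: bool = False    # a test restore completed with zero errors (assumed meaning of the 0)

def _unmet(checks):
    return [msg for ok, msg in checks if not ok]   # messages for every requirement not satisfied

def check_3_2_1(copies: List[Copy]) -> List[str]:
    """3 copies, on 2 different media, at least 1 of them off-site. Returns unmet requirements."""
    return _unmet([
        (len(copies) >= 3, f"3: need at least 3 copies, have {len(copies)}"),
        (len({c.medium for c in copies}) >= 2, "2: copies must span at least 2 different media"),
        (any(c.offsite for c in copies), "1: at least 1 copy must be stored off-site"),
    ])

def check_3_2_1_1_0(copies: List[Copy]) -> List[str]:
    """3-2-1 plus a 4th copy that is immutable or always offline, and error-free test restores."""
    return check_3_2_1(copies) + _unmet([
        (len(copies) >= 4, f"1: need a 4th copy, have {len(copies)}"),
        (any(c.immutable or c.offline for c in copies), "1: one copy must be immutable or always offline"),
        (all(c.verified for c in copies), "0: every copy needs an error-free test restore"),
    ])

def check_4_3_2(copies: List[Copy]) -> List[str]:
    """4 copies across 3 different locations, 2 of them outside your facility."""
    return _unmet([
        (len(copies) >= 4, f"4: need at least 4 copies, have {len(copies)}"),
        (len({c.location for c in copies}) >= 3, "3: copies must be spread over at least 3 locations"),
        (sum(c.offsite for c in copies) >= 2, "2: at least 2 copies must be off-site"),
    ])

# Constructed sample: the article's 3-2-1 layout (network server + Blu-Ray disc + cloud bucket)...
BASIC = [
    Copy("main office", "disk", offsite=False, verified=True),
    Copy("main office", "bluray", offsite=False, verified=True),
    Copy("cloud bucket", "cloud", offsite=True, verified=True),
]
# ...and the same set plus a second Blu-Ray disc kept offline in a safe at a second facility.
EXTENDED = BASIC + [Copy("branch office safe", "bluray", offsite=True, offline=True, verified=True)]
```

`BASIC` satisfies 3-2-1 but fails the other two rules; adding the offline disc at a second site makes `EXTENDED` pass all three.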
The backup solution you decide to implement for your organization will take a fair bit of planning, and you should ensure that senior management, IT staff, and any third-party IT services are involved in the discussion. Nailing down a strategy should be a top-priority control, as there is no excuse for any organization not having a backup solution implemented.
Below are some basic procedures for creating backups using commonly implemented technology solutions. These basic procedures can be implemented into the larger backup strategy.
Backup to Removable Media
If your organization has only a few computers in place, then making backups to removable media is a good, straightforward approach. You can pick up external hard drives from your local Walmart or purchase them online. USB flash drives can also be used, depending on the type of data being processed and the size of the file. Shoot for a 1TB external hard drive if you want ample storage for a decent period of time.
Once you have media to back up to, you must configure your operating system to back up your data. Windows has the Windows Backup program built into Windows 11. Linux has a variety of tools, such as rsync and dd. Make sure to consult your OS documentation to find the correct steps for backing up to removable media.

Backup to File Storage Software
OneDrive, Google Drive, and Dropbox are Software as a Service cloud storage solutions found in many organizations. All three offer a backup feature that uses their software to automatically back up your local data.
OneDrive has a backup and sync feature that allows you to easily configure automatic backups of the local folders and files stored on your Windows PC. If your organization consists of a handful of Windows PCs and Microsoft 365 subscriptions, then this solution may be the quickest and easiest way to go.
Google Drive offers a desktop deployment that can be used for the same purpose. If your organization does not utilize any professional Microsoft 365 solution, then Google Drive for Desktop may be the better approach for automatically storing backups. Drive for Desktop has a macOS version, making it a viable solution if your organization uses Mac computers.
Dropbox Backup is yet another cloud storage option for storing backups. Like the previous two, it simply involves downloading the desktop app and configuring the software to back up and sync selected files.
For a small network, storing one backup on external media and one backup on one of these cloud storage platforms might be the easiest way to meet the proper standards for backups.

Backup to Network Attached Storage (NAS)
In a larger network, it may not be convenient to go around managing backups to multiple different removable storage drives. Configuring machines to automatically back up to a central Network Attached Storage device is a good alternative for networks with ten or more machines.
There are several options for NAS solutions. They can be purchased from online vendors for a reasonable price. Before purchasing a NAS, make sure to survey your network and determine how much storage space you will need to support backups for several years.
A NAS device can also be built from scratch. If your organization has an extra desktop computer with ample storage, you can use the open source operating system TrueNAS to build a network backup server from scratch.

Backup to Cloud Storage
While Software as a Service platforms like OneDrive can do the job for cloud backups, purchasing and configuring your own cloud storage space through a provider like AWS or Azure gives you more granular control over your backups. Cloud vendors provide various specifications for storage space on an Infrastructure as a Service basis, offering different storage tiers at different prices for different storage purposes. An added benefit of cloud storage is pay-as-you-go pricing, which allows you to pay only for the space you use.
Azure Blob Storage and AWS Backup are two solid solutions for building custom storage for backing up your business data.
File History
A useful tool that can be implemented alongside your backup solutions is Windows File History. This program will save separate versions of data during its lifetime, allowing users to revert to an earlier version of the data if the need arises. Configuring File History requires you to have a separate drive or partition on your current drive to store the copies of data. By provisioning this feature on your Windows workstations, you can ensure employees have recovery options if work on a project goes haywire.