
Do attackers benefit more from your backup strategy than you do?
March 31, 2023, is the 12th annual World Backup Day. A dozen years of warnings about the importance of backing up data. In that time a lot has changed, but many organizations still struggle to restore data from backups in the wake of a crisis, whether that’s accidental data loss through human error or a full-blown ransomware attack.
Our latest research shows that just 52% of ransomware victims restored encrypted data through backups in 2022. Around a third (34%) paid a ransom. For some that would have been the only way of getting their data back, either because they didn’t have adequate backups to restore from, or because the attackers were able to access their backups and delete the files.
Discovering, disabling, or deleting backup data is now an integral part of a ransomware attack. If your backup plan has any security gaps, attackers will find and exploit them.
Backup strategies that attackers like
- High levels of access to backup software — The more people with access rights to your backup software, the greater the risk that attackers can use stolen credentials with domain admin or other privileged access rights to break in.
- Network-connected backup systems — If your backup system is connected to your corporate network, intruders can move laterally from an infected endpoint to discover and gain access to your backup software and either turn off, wipe, or delete the backup files.
- Remote access to backup systems — If your backup systems need to connect remotely to servers for backup or administration, then a lax approach to password authentication can open a channel to protected systems if these passwords are guessed or stolen.
- Infrequent backups — Even if you have an effective backup, if you back up infrequently you may still lose days, weeks, or even months of data if you suddenly need to restore data following a crisis.
- Untested backups — It seems obvious, but you won’t know your backup-and-restore process works unless you test it.
Anything that makes your backup unreliable will increase attackers’ chances of getting you to give in to their demands. Securing backup software and appliances is critical. Robust protection reduces the risk that attackers discover and wipe backup data ahead of the main attack, which would leave the victim unable to restore their systems afterward.
A backup strategy that attackers won’t like
If you want to build a robust backup strategy that is focused on security as well as business continuity, the following best practices should help:
- Back up everything, not just business data. A full system backup will enable you to recover systems faster after an incident.
- Try to avoid running your backup manager on the Windows operating system, as attackers can breach Windows systems relatively easily. A Linux or other operating system may be more secure.
- Make sure your backup server is running anti-malware software.
- Consider implementing an automated backup service that will ensure all data is regularly backed up, so you have minimal data loss when restoring.
- Ensure your backup systems are not connected to your corporate domain, where an attacker with a compromised domain admin account can gain access.
- Implement multifactor authentication (MFA) and role-based access control (RBAC) to ensure that only a small number of authorized users can access your backup. The ability to purge backup files should only be given to a very small number of users.
- Replicate your backups off-site to a remote location or a cloud provider that offers an air-gapped layer of security between your local, on-premises backup server and the off-site location.
- If you are backing up data in the cloud, it makes sense to keep the backup in the cloud as this is more secure.
- Ensure that all backup data is encrypted, both while at rest and in motion.
- Apply the gold standard of 3:2:1 — three backup copies, using two different media, one of which is kept offline.
Good intentions can be undone by poor implementation. Do everything with care and then test it.
For every story of a local backup server that was attacked but the business was saved by the copy of data held off-site, there’ll likely be a story about how attackers were able to delete both the primary and secondary copies of backup data simply because they shared the same security access.
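The checks above can be run mechanically against an inventory of backup copies. The following is an added example, not code from the original post: the inventory format, account names, and thresholds are all assumptions made for illustration. It checks the 3:2:1 rule, domain membership, purge rights, backup and restore-test age, and flags any account that can purge more than one copy.

```python
from datetime import datetime, timedelta

# Constructed sample inventory; every name and value here is hypothetical.
NOW = datetime(2023, 3, 31)
COPIES = [
    {"name": "onprem-disk", "media": "disk", "offline": False, "domain_joined": True,
     "purgers": {"CORP\\backup-admin", "CORP\\it-ops"},
     "last_backup": NOW - timedelta(hours=6),
     "last_restore_test": NOW - timedelta(days=20)},
    {"name": "cloud-replica", "media": "object-storage", "offline": False,
     "domain_joined": False, "purgers": {"CORP\\backup-admin"},
     "last_backup": NOW - timedelta(hours=8), "last_restore_test": None},
]

def audit(copies, now, max_backup_age=timedelta(days=1),
          max_test_age=timedelta(days=90), max_purgers=2):
    """Return sorted findings. The thresholds are illustrative assumptions."""
    findings = set()
    # 3:2:1: three copies, two different media, one kept offline.
    if len(copies) < 3:
        findings.add("3:2:1: fewer than three copies")
    if len({c["media"] for c in copies}) < 2:
        findings.add("3:2:1: fewer than two media types")
    if not any(c["offline"] for c in copies):
        findings.add("3:2:1: no offline copy")
    for c in copies:
        if c["domain_joined"]:
            findings.add(f"{c['name']}: joined to the corporate domain")
        if len(c["purgers"]) > max_purgers:
            findings.add(f"{c['name']}: too many accounts can purge backups")
        if now - c["last_backup"] > max_backup_age:
            findings.add(f"{c['name']}: last backup is too old")
        tested = c["last_restore_test"]
        if tested is None or now - tested > max_test_age:
            findings.add(f"{c['name']}: restore not tested recently")
    # Shared access: one stolen credential that can purge more than one copy.
    for i, a in enumerate(copies):
        for b in copies[i + 1:]:
            for account in sorted(a["purgers"] & b["purgers"]):
                findings.add(f"{a['name']} + {b['name']}: {account} can purge both")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(COPIES, NOW):
        print(finding)
```
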
There’s lots of advice and support available if you don’t know where to start, including our latest guide on how to use backups to effectively address the risk of ransomware to Microsoft 365 data.
Here’s to a happy World Backup Day!
