Data Backup Best Practices: 4 Things You Need to Know

by Sarah Harvey / February 12th, 2020

Data Backups and Recovery Go Hand-in-Hand

When a data breach happens at your organization – whether you’re hit by a ransomware attack or an advanced DoS attack, or an internal actor mistakenly deletes company records – you need to ensure that your data is properly backed up. A data backup is an updated copy of your company’s data that is stored in a separate system or medium (e.g., a file, hard drive, or the cloud) and is used to protect your organization’s assets in the event of data loss, including data breaches, accidental loss, theft, or natural disasters. In other words, data backups and recovery should go hand-in-hand.

4 Data Backup Best Practices

The concept of data backups is quite simple, but it’s one that many organizations have trouble implementing, whether due to a lack of resources, personnel, or time. For those questioning how to back up data, consider using these four data backup best practices.

1. Use Remote Storage

Storing backups on-site puts them at the same risk as the systems they protect. If your entire system is compromised or a natural disaster affects your entire facility, the data backup will likely be compromised as well. Because of this, data backup best practices include storing data backups in an off-site location, whether that is at another physical location or in the cloud. However, Lead Practitioner at KirkpatrickPrice, Richard Rieben, explains, “Just because you’re in the cloud, it doesn’t mean you don’t need offline backups. The bottom line is, all organizations need to back up their data online and offline.”

2. Schedule Frequent Backups

Having current, up-to-date backups is essential to the continuity of your business. When establishing a data backup program, consider utilizing built-in backup programs, like those provided in Microsoft and Apple products, or create time-based solutions, such as updating every day, week, or month. To ensure that data backups aren’t neglected, it’s a best practice to automate backups.

3. Encrypt Backups

If your data backups are not encrypted, their contents are exposed whenever a backup is stolen, misplaced, or otherwise falls into the wrong hands. For this reason, encrypted backups are one of the top data backup best practices. Encryption adds an extra layer of security to your backups and can give you peace of mind that your data is secure in the event that you have to use your disaster recovery plan.

4. Determine and Comply with Retention Requirements

Are you aware of the data backup retention requirements that your organization must comply with? In this new age of data privacy laws, like GDPR and CCPA, you must know which data backup retention requirements apply to your business. These laws make data backup retention requirements a bit ambiguous because of the “right to erasure” requirements that entities must comply with – organizations must know which data they are required to back up, which data they must delete, and more. This is also the case when dealing with highly sensitive data, like protected health information or payment card data.

Knowing data backup retention requirements also helps limit the amount of data you must store. Older, out-of-date backups, data that is no longer in use, and data that no longer supports the activities of your organization should be deleted.
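
The scheduling and retention practices above can be checked mechanically. The following is an added example, not part of the original article: it audits a backup inventory, flags a missed or failed schedule, and lists copies that are past retention while never pruning the newest restorable copy. The inventory, file names, and the interval and retention values passed in are constructed assumptions, not values taken from any framework.

```python
from datetime import datetime, timedelta

# Constructed sample inventory: (name, completion time, job succeeded?)
SAMPLE = [
    ("db-2019-10-01.enc", datetime(2019, 10, 1, 2, 0), True),
    ("db-2020-01-15.enc", datetime(2020, 1, 15, 2, 0), True),
    ("db-2020-02-09.enc", datetime(2020, 2, 9, 2, 0), True),
    ("db-2020-02-10.enc", datetime(2020, 2, 10, 2, 0), False),
    ("db-2020-02-11.enc", datetime(2020, 2, 11, 2, 0), False),
]


def audit_backups(backups, now, max_age, retention):
    """Check backup freshness and pick copies that are past retention.

    max_age   -- longest acceptable gap since the last successful backup
    retention -- how long a copy may be kept (assumed policy value)
    Returns (alerts, to_delete).
    """
    alerts, to_delete = [], []
    good = sorted((b for b in backups if b[2]), key=lambda b: b[1])
    newest_good = good[-1] if good else None

    if newest_good is None:
        alerts.append("no successful backup on record")
    elif now - newest_good[1] > max_age:
        alerts.append(f"last good backup {newest_good[0]} is older than {max_age}")

    # Failed jobs after the last good copy mean the schedule is broken now.
    cutoff = newest_good[1] if newest_good else datetime.min
    for name, finished, ok in backups:
        if not ok and finished > cutoff:
            alerts.append(f"failed job: {name}")

    for b in backups:
        expired = now - b[1] > retention
        # Never prune the only restorable copy, even if it has aged out.
        if expired and b is not newest_good:
            to_delete.append(b[0])
    return alerts, to_delete


if __name__ == "__main__":
    now = datetime(2020, 2, 12, 9, 0)
    print(audit_backups(SAMPLE, now, timedelta(days=1), timedelta(days=90)))
```

Run against the real backup catalog on a schedule, the alerts feed monitoring and the deletion list feeds the pruning job; the guard on the newest good copy keeps a broken schedule from leaving you with nothing to restore.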

Common Framework and Legal Requirements for Data Backups

Data is now the world’s most valuable asset, and many information security frameworks address securing such assets by requiring robust data backup practices. Take a look at some of the common framework and legal requirements for data backups.

  • SOC 2: According to Availability Criteria 1.2, service organizations must “authorize, design, develop or acquire, implement, operate, approve, maintain, and monitor environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” It also reiterates that entities should have “procedures … in place for backing up data, monitoring to detect back-up failures, and initiate corrective action when such failures occur.”
  • PCI DSS: PCI Requirement 9 says that entities must restrict physical access to cardholder data. Elaborating on this, PCI Requirement 9.5.1 says, “Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.”
  • HIPAA: Under the HIPAA Security Rule, 45 CFR § 164.308(a)(7)(ii)(A), business associates and covered entities must establish a contingency plan, including a data backup plan, that details a response to any emergency situation that damages systems that contain ePHI.

In today’s threat climate, data breaches are inevitable. Are your data backup retention policies up-to-date with the current framework and legal requirements? Are your data backups and recovery processes aligned? Let us help you ensure the security of your data backups by evaluating if your organization has implemented these four data backup best practices. Contact us today to get started.
