A recent report revealed that across the globe, backup habits of businesses and their employees alike aren’t that great. For example, even though 42% of workers have needed to access a backed-up file since the pandemic began, only 26% actually back up their data to ensure it’s recoverable in the event of a cyberattack. Additionally, only 54% of companies back up Microsoft 365 data, even though the global pandemic has really brought the need for these types of filesharing and collaboration tools in the workplace to the forefront.
According to Jamie Zajac, VP of Product Management, backup is the backbone of cyber resilience, and shouldn’t be taken for granted. For this post, I asked for her take on some of these numbers and what businesses can do to shore up their backup strategies and become more resilient against cyberattacks.
Why do you think there seem to be discrepancies between businesses knowing they should back up their data and actually doing it?
First, we have to remember that most people don’t seek out a backup solution until after they’ve experienced a data loss event. Some of these numbers may be coming from businesses that just haven’t personally felt that pain yet. Second, we should consider that problems don’t just happen because you don’t back up at all; they also happen when you don’t back up the right things. For example, a business may only back up one or two servers, or something they identified as critical a few years ago. But they may not be accounting for how their business environments have changed as they’ve hired new people or adopted new services. They haven’t necessarily revisited their cyber resilience plan or the data protection/backup component of it.
What’s a common scenario you’ve seen where a business sorely needed to update their cyber resilience plan?
A really common example is with the rise in laptop use vs. desktops. Just five years ago, a lot of people still worked on desktops. A company might have had a server in their office that they backed up and that was all. Or they might tell their employees to save all their work to a particular shared drive or other network location. But now that more people are remote – not just due to the pandemic but also because of the way the world and work continue to evolve – that’s just not effective anymore. Plenty of corporate data lives exclusively on the endpoint devices your workers use. If you haven’t updated your backup strategy to account for that critical data, then you’re taking some pretty big risks.
As businesses balance their resources against their needs, many are relying on tools like the Microsoft® 365 suite. Is that a good strategy?
Yes, but there are a couple things to keep in mind. Even if you’re using Microsoft 365, your data is still your responsibility. Microsoft 365 has no way of knowing the difference between an accidental deletion, a malicious deletion, or a truly intentional deletion, like in cases where you just don’t need a file anymore. A person could easily delete whole folders, accidentally, intentionally, or maliciously, and even empty the Recycle Bin. If that happens, the data is basically gone. So while the Microsoft 365 suite is very robust and it’s good to see more businesses using these tools, I’d caution them to carefully consider and plan for the gaps in the type of data protection and recovery that Microsoft can provide. That means engaging a third-party backup service.
Another issue that a lot of people forget about happens when someone leaves the organization. If a person on your team leaves, you’re not going to just keep paying for that license, right? So if you offboard a former employee and stop paying for that license, Microsoft will only keep the data for 30 days before it gets deleted. That includes anything the ex-employee shared in Teams, OneDrive, as well as anything in their Outlook… all of that stuff is gone. You don’t want to hit day 31, realize you actually need some of that data, and find out it no longer exists.
Right. Hence the importance of a robust data protection strategy that’s not just about tools, but also about processes.
Absolutely. But you should never rely solely on process. For example, if your process is to have all employees save their data to one of those shared network drives, you still can’t guarantee people will actually do it. You could send 100 reminder emails and there will still be someone who didn’t get the memo, has to call IT, and maybe learns the hard way that they’ve lost everything. So process, alone, isn’t enough to solve the problem. You have to have the right tools in place too.
What are your thoughts on the fact that a full 40% of employees worldwide either think their company isn’t resilient against attacks, or don’t know if it is or isn’t?
Well, I think a lot of employees consider cybersecurity and data protection to be IT’s job. So, in effect, they’re trusting IT to have that handled. Unfortunately, IT teams are often overworked, and there are still plenty of businesses that don’t even have dedicated IT resources. All it takes is one bad experience with IT to damage that trust and shake your faith in your company’s overall resilience. If you’ve lost data for whatever reason and IT couldn’t retrieve it, or if you’ve watched the company go through a cybersecurity breach, then you’re not going to think very highly of your employer’s security posture.
It’s interesting that you bring up people believing security is solely an IT responsibility. Only 18% of people in our survey think of cyber resilience as a responsibility all employees share.
That makes sense. That’s part of why programs like Security Awareness Training are critical. If your job isn’t directly related to security, then that’s not necessarily on your radar as something you need to worry about. But with a Security Awareness Training program, you could keep security practices top-of-mind for people, and anything we can do to educate employees about the risks is going to help companies become more resilient overall. It’s also important to empower workers to feel like what they’re doing is important. Making someone do the same work over and over because they lost their data is the antithesis of that. You can generate a lot of positive morale by reinforcing to people that their work is important; having strong data protection strategies in place is one way to do that.
If you had three major procedural steps that you think that companies should take to lock down their backup strategy, how would you narrow it down?
- Know where your data is. Are you storing data in Microsoft 365 applications? Google? Dropbox? Saving locally on endpoints? You can’t protect your business data if you don’t know exactly where it lives.
- Prioritize your systems into different categories based on backup needs, such as the type of backup, the restore speed, and whether data is stored locally, in the cloud, or both. Your backup deployment needs will vary depending on the type of system. You might have Tier 1 servers that are mission critical, so you’ll need a really fast recovery point objective (RPO) and recovery time objective (RTO). But other systems may be the type where, if they’re down for four hours, it’s inconvenient but not a big deal. And you might have other systems, such as long-term storage, where everything is fine as long as you can get the data back within a week or two. Your backup plan should account for all of these.
- Review and re-review your backup plan. Business IT infrastructure is changing so fast that reviewing your strategy anything less than once a year is going to lead to you missing something. I recommend at least twice a year, if not once a quarter. Ask yourself these kinds of questions:
- Have I added a new application or new data?
- Are my new employees backed up?
- Are my backups working? When was the last time I tested them?
- Do I have a new server, or did an existing server move from Tier 2 to Tier 1 categorization?
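The tiering in step two and the review questions in step three, turned into a runnable audit over a constructed inventory. This is an added example, not code from the interview or from any product; the tier thresholds (RPO and restore-test window), the asset names, the timestamps and the employee roster are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed tier policy (illustrative values, not from the interview): how old the newest
# backup may be (RPO) and how recently a restore must have been tested.
TIER_POLICY = {
    "Tier 1": {"rpo": timedelta(hours=1), "test_every": timedelta(days=30)},
    "Tier 2": {"rpo": timedelta(hours=4), "test_every": timedelta(days=90)},
    "Tier 3": {"rpo": timedelta(days=14), "test_every": timedelta(days=365)},
    "Endpoint": {"rpo": timedelta(days=1), "test_every": timedelta(days=180)},
}

@dataclass
class Asset:
    name: str
    tier: str
    last_backup: Optional[datetime]        # None = never backed up
    last_restore_test: Optional[datetime]  # None = never tested
    owner: Optional[str] = None            # employee who uses this endpoint, if any

def audit(assets, roster, now):
    """Return (asset_or_person, issue) pairs for every gap found in the backup plan."""
    findings = []
    for a in assets:
        policy = TIER_POLICY.get(a.tier)
        if policy is None:
            findings.append((a.name, "untiered"))        # new server nobody categorized
            continue
        if a.last_backup is None:
            findings.append((a.name, "never-backed-up"))
        elif now - a.last_backup > policy["rpo"]:
            findings.append((a.name, "rpo-missed"))      # "Are my backups working?"
        if a.last_restore_test is None or now - a.last_restore_test > policy["test_every"]:
            findings.append((a.name, "restore-untested"))  # "When did I last test them?"
    # New hires whose laptops were never enrolled do not appear in the asset list at all,
    # so compare the HR roster against endpoint owners: "Are my new employees backed up?"
    covered = {a.owner for a in assets if a.owner}
    findings += [(person, "no-endpoint-backup") for person in roster if person not in covered]
    return findings

# Constructed sample inventory; every timestamp here is fictional.
NOW = datetime(2021, 6, 1, 9, 0)
ASSETS = [
    Asset("erp-db", "Tier 1", NOW - timedelta(minutes=20), NOW - timedelta(days=10)),
    Asset("fileshare", "Tier 2", NOW - timedelta(hours=9), NOW - timedelta(days=200)),
    Asset("archive", "Tier 3", NOW - timedelta(days=3), None),
    Asset("hr-app", "", NOW - timedelta(hours=1), NOW - timedelta(days=5)),
    Asset("laptop-alice", "Endpoint", NOW - timedelta(hours=5), NOW - timedelta(days=30), owner="alice"),
]
ROSTER = ["alice", "bob"]  # bob joined last week; no laptop enrolled yet

if __name__ == "__main__":
    for item, issue in audit(ASSETS, ROSTER, NOW):
        print(f"{item}: {issue}")
```

Feeding this the real asset inventory and HR roster on the twice-yearly or quarterly review cadence recommended above turns the checklist into a report of concrete gaps rather than a set of questions.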
As more employees work remotely and businesses rely more heavily on collaboration and filesharing applications, it’s critical to continually re-examine your backup and disaster recovery plan to ensure there are no gaps in your data protection. Invest in tools that can back up the Microsoft 365 suite and ensure that data saved on endpoints is always recoverable, no matter where your endpoints may be. Additionally, to empower your employees to become more cyber resilient, we highly recommend implementing cybersecurity education and awareness training.