Secure Backups

Irrespective of the root cause, the company should be able to recover its information within a desirable time period. The exact technology employed (sophisticated dedicated software, simple scripts or manual backups) remains at the choice of the organization. In every case, the following rules should apply:

- backup is regular and automated whenever possible,

- backup is held separately from the SME’s production environment, i.e. the network that employees directly interact with,

- backups are encrypted, especially if they are going to be moved between locations,

- the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done.

To ensure an SME has an effective backup strategy the SME should consider employing the common easy-to-remember so-called 3-2-1 rule approach to safeguard data against most failure scenarios:

3-2-1 rule to safeguard data

• Three: Keep 3 copies of any important files.
• Two: Store those copies on 2 different storage media to protect them against different risks.
• One: Have at least 1 off-site backup, outside of the SME core ICT environment, be it in a remote location or cloud.

A retention period should be set and implemented based on the specific circumstances of the organization. In other words, backup iterations should be set according to business reality of each company, so the cost of lost data in a given timespan is acceptable. Backup practices need to be tailored according to the SME infrastructure (on-premise vs cloud).