White House: Data backups critical part of cyber strategy
Security experts and vendors support the White House's suggestions, such as offline data backups, to promote cyber resilience.
The Biden administration warned American businesses to strengthen their cyber resilience and data backup protocols against potential malicious attacks by Russian hackers or other criminal organizations.
Last week, the Biden administration issued a fact sheet urging companies to be on their guard for cyber attacks due to the Ukraine war and the escalation of sanctions against Russia.
"The reality is that much of the Nation's critical infrastructure is owned and operated by the private sector and the private sector must act to protect the critical services on which all Americans rely," the administration's statement said.
Companies should place data backups high on the security priority list, said Johnny Yu, research manager at IDC. Backups, both those connected to company infrastructure for immediate retrieval and those offline in cold storage, are the best recourse in the event of an attack, which remains a likely scenario even if companies take every precaution to protect themselves, he said.
"You have to think about [data] as an asset," he said. "These are assets you want to protect."
The Biden administration's suggestions echoed best practices for cybersecurity. The federal government included more advanced concepts of keeping offline backups available and off site, as well as building security features into products -- exemplified by the cliche "bake it in, don't bolt it on," according to Christophe Bertrand, practice director at Enterprise Strategy Group, a division of TechTarget.
"If organizations aren't doing all of this, they need to up their game," Bertrand said. "Backup was once considered boring -- now look at how mission-critical it has become."
Modern cyber attacks aren't just seeking to encrypt data for ransomware, Bertrand noted, but to attack the technology infrastructure itself, thereby harming an organization's ability to operate.
"The fact the White House is spelling it out is because it's very similar to the anatomies of attack we've seen out there," Bertrand said.
To wit: Russian criminals and state-supported bad actors participated in a series of major cyber attacks last year, including the SolarWinds security breach.
Executives at Veritas, a data protection and automation vendor, agreed that infrastructure attacks have become increasingly more common.
Simon JelleyGeneral manager and vice president of product, Veritas
"It's something we've been warning our customers [about] for a year-plus now," said Simon Jelley, general manager and vice president of product at Veritas. "You should absolutely have preventative policies in place. The reality is it's a continually escalating game. It's not a matter of if it's going to happen, but when."
Veritas suggests customers follow the 3-2-1 backup strategy, where three copies of data are saved, with two copies on different media and one copy stored off site, according to Jelley. But, he added, Veritas' strategy includes the added step of keeping an immutable backup copy disconnected from any internet connection.
Veritas refers to the strategy as 3-2-1-1, where the added "one" refers to an additional copy of data kept in immutable cloud or on-premises storage, but separated from the internet. This helps mitigate other vectors for failure, including cyber attacks against on-premises infrastructure or cloud data center outages.
"The offline [backup] really secures that data from an online threat," Jelley said.
Veritas' added "one" may be pushing against the ubiquity of the 3-2-1 backup strategy, which is well known among hackers, said Krista Macomber, senior analyst at Evaluator Group. Attacks on infrastructure are likely to increase the importance of up-to-date physical backups.
"Attackers are privy to this, so they are targeting backup environments," Macomber said. "This is why it is important to have a retention storage environment that is disconnected from the production and the main backup environment."
Taking the time to back up data and work in proper security protocols can slow down production environments, which emphasize speed, particularly if they handle workloads core to a business's profit.
"It often comes back to a budget conversation," Jelley said. "Data management and protection people need to be tied to their legal and compliance folks. That's the calculation. What's our business need and what's our risk of exposure."
Brace for impact
While every layer of protection helps, the need for recovery is almost inevitable as attacks grow in sophistication and focus on social engineering.
The Biden administration's announcement is exhaustive, but organizations are unlikely to implement every suggestion, according to IDC's Yu.
"The idea is you have all of these things you can implement [based on] what makes sense for your business and your budget," he said. "You're not going to implement [the entire list] for everything."
Regardless of the budget, Yu said attacks will continue even against the most cyber-resilient companies and that data backups should be on the must-implement list, providing a path to recovery.
"If someone wants to hack you, they will," he said.
Tim McCarthy is a journalist living on the North Shore of Massachusetts. He covers cloud and data storage news.