
It’s World Backup Day, but backups alone are not enough


It started as a Reddit post in 2011: World Backup Day. Every March 31, the importance of having a backup is emphasized, for individuals and organizations alike. But having a backup is not enough, says Hans Ten Hove, Area Vice President Continental Europe at Kaseya.

The need for a day like this is clear, Ten Hove believes. He concludes that organizations are not focused enough on backups, let alone on the ability to prevent downtime. Just as important is whether their backups, if they have any, actually work. Since ransomware attacks target backups in 98 percent of cases, protecting this safety net is crucial. Even that does not complete a backup strategy: what if your backup does not actually restore everything? “More than half of all backups do not work,” says Ten Hove.

Testing backups

First things first: a backup by itself does not protect you against downtime. We have already spoken at length with Ten Hove about the importance of business continuity, which goes far beyond a copy of your data. You want to prevent downtime, and that requires a solution that lets an organization switch over immediately when a system goes down. It does not have to be ransomware that causes the outage, either: a plain system failure can also cost an organization days.
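The only way to know whether a backup "works" in Ten Hove's sense is to restore it somewhere else and prove the restored tree matches what was backed up. The script below is an added example, not Kaseya's code or anything from the article: it takes a SHA-256 manifest of a constructed sample directory before the backup, writes a plain tar archive (an assumed stand-in for whatever backup format you actually use), restores it to a scratch location, and reports every file that came back missing or altered. The `corrupt=True` path simulates a restore that silently lost one file and damaged another, which is exactly the failure that goes unnoticed when nobody tests.

```python
"""Restore-verification check (added example, standard library only).

Flow: manifest(src) -> backup(src) -> restore() -> verify_restore().
The manifest must be captured BEFORE the backup and kept with the job
record, otherwise you are only comparing the restore with itself.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def backup(src, archive):
    """Write a gzip tarball of src; arcname='.' keeps paths relative."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")


def restore(archive, dest):
    """Extract the archive into dest, using the safe 'data' filter where available."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # Python without the filter= argument (pre-3.12 / older patch releases)
            tar.extractall(dest)


def verify_restore(expected, restored_root):
    """Return (missing, changed): paths absent after restore, and paths whose
    hash differs from the pre-backup manifest. Both empty means a clean restore."""
    got = manifest(restored_root)
    missing = sorted(set(expected) - set(got))
    changed = sorted(p for p in expected if p in got and got[p] != expected[p])
    return missing, changed


def demo(corrupt=False):
    """Run the whole cycle on constructed sample data in a temp dir.

    corrupt=True tampers with the restored tree to simulate a backup job
    that reported success but did not bring everything back intact.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "live")
        src.mkdir()
        (src / "patients.db").write_bytes(os.urandom(4096))      # constructed sample file
        (src / "notes").mkdir()
        (src / "notes" / "2024-03.txt").write_text("constructed sample note\n")

        expected = manifest(src)                                 # captured before the backup
        archive = Path(tmp, "nightly.tgz")
        backup(src, archive)

        dest = Path(tmp, "restore")
        dest.mkdir()
        restore(archive, dest)

        if corrupt:
            (dest / "notes" / "2024-03.txt").unlink()            # file never came back
            (dest / "patients.db").write_bytes(b"\x00" * 4096)   # came back, but damaged

        return verify_restore(expected, dest)


if __name__ == "__main__":
    print("clean restore   ->", demo())
    print("broken restore  ->", demo(corrupt=True))
```

In practice the restore target should be an isolated host, never the production system, and the pre-backup manifest should be stored outside the backup set so that an attacker who can tamper with the backups cannot also rewrite the evidence you compare against.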

Ten Hove’s dentist recently told him that they had a server on their own premises, but that their organization wasn’t too worried about it. “Who would want to get us?” was the stated motivation, a common attitude among smaller businesses. “Precisely these types of customers are enticing ransomware targets. If someone demands 10,000 euros from you, the police don’t have time to help you, and the incident won’t make headlines. It happens all the time. As an attacker, it is better to shut down a hundred smaller companies than one large company.” Hackers also make no distinction between large and small victims, so obscurity is no excuse.

It also makes no sense to simply trust in the reliability of the public cloud. Ten Hove: “People will simply think: ‘the data is safe there, it’s already backed up, right?’ Neither of these is true. As a user, you are responsible for having a good backup and arranging a good security solution.” Both can be purchased through MSPs, but that is “not something the average person knows”.

A practical example: Microsoft 365 in Azure

Suppose you store your data in the cloud; you still need an external solution for your backups. “A cloud solution is nothing more than someone else’s computer,” says Ten Hove. As with on-premises systems, the end user is responsible for their own recovery options. Kaseya offers one such option: a service known as SaaS Protection, which copies the data directly into a backup in the Kaseya cloud, where it is stored in encrypted form. “If something goes wrong in your Microsoft 365 instance, you can recover from our cloud.” The backup is taken three times a day, so an organization can resume work immediately from the restored data. The retention period is agreed with your MSP and ranges from one year to indefinite.

To return to the dentist: they have a local server, which is also often the case with industrial parties. Given the volume of data and/or performance requirements, local storage is sometimes the better choice. Kaseya can add an appliance here that makes a complete image-based backup every 15 minutes, every hour or every day (as desired). That data is then stored in encrypted form in a data center in Germany and, if desired, copied to a data center in Iceland. The data then exists in four places: your own device, the backup appliance, and two cloud instances. On top of that, the Kaseya solution is not visible on the network. “This means a hacker cannot remove or block these backups or our solution,” Ten Hove explains.

Affected organizations can simply continue working from the additional locations, but that is far from the norm. Ten Hove knows of MSP customers who were shocked by the recovery time when backup data had to be deployed from the data center. “That can sometimes take weeks.”

NIS2: not to be underestimated

Ten Hove considers it a good thing that Europe’s NIS2 legislation forces organizations to develop a mature business continuity strategy. The number of companies that fall under it should not be underestimated. An organization subject to NIS2 may have 100 suppliers, several of which are important enough to determine whether the critical infrastructure keeps running. The result is that those suppliers too must get to work on backups (and backup planning) and more.

“Even though many companies think or say that they are not subject to NIS2, there is a good chance that your major clients will expect more resilience,” says Ten Hove. This matters both as an obligation and for the well-being of one’s own organization. Many smaller parties are exempt from NIS2 because they have an annual turnover of less than 10 million euros and fewer than 50 employees. But what if your largest customer, from whom you receive most of your turnover, is subject to NIS2? Or what if your organization is considered a crucial supplier? In that case the supply-chain duty of care applies, which covers more than 50,000 SMEs. Those who do not happen to be on that list should still ask themselves whether the spirit of the law applies to them as well.

Ten Hove notes that MSPs, which serve these SMEs, have a significant role to play here. According to him, they must act in an advisory capacity and recommend solutions. “The impact of NIS2 is underestimated.” An organization of five people can be brought down without warning if it lacks reliable backups, given its disproportionate dependence on a few large NIS2-mandated clients. Those large clients are increasingly making this a requirement, says Ten Hove.

There is a split between NIS2 entities and the SMEs that supply them. The former are obliged to check their supply chain for cyber security, and the SMEs must comply with the upcoming requirements. Ten Hove notes that one of the objectives is to encourage SMEs to contact their MSP. Tough questions can then be asked about backup quality, sometimes with surprising answers, good and bad. “I don’t think there is any MSP or SME that can meet NIS2.” But, perhaps more importantly: “NIS2 is just a law. The motivation behind it is already the call to action. People should talk less about the law and more about why the law is there.”

In other words: backing up, checking backups, and running a security check with MSPs, customers and suppliers is quite a list to work through, and it does not stop there. On World Backup Day it is therefore important to look beyond the backups themselves; otherwise all your good intentions may still not be enough to make your backup work when you need it. The ultimate goal of NIS2, the spirit of the law behind it, and the list of cybersecurity best practices is the same: to guarantee your organization’s survival.

Also read: Kaseya secures SafeLogic partnership for FIPS compliance