Essential Eight Best Practice Guide: Regular Backups

Introduction

In recent years the humble backup has moved from a means to prevent accidental data loss to one of the key pillars of cybersecurity. While backups do not provide any active defence, they are an extremely effective recovery strategy against ransomware attacks, which have grown exponentially in popularity with cybercriminals. Effective backups help businesses keep valuable data safe, reduce downtime, and facilitate a faster recovery from cybersecurity incidents.

This guide provides an overview of best practices for implementing backups aligned with the Essential Eight cybersecurity framework. It begins by describing the business continuity plan and how it defines and flows into the backup requirements and specifications. It then covers considerations such as the scope of backups, selecting a backup solution, testing, and monitoring and access controls.

Business Continuity Requirements

The first step in implementing an Essential Eight–aligned backup strategy is defining continuity requirements, usually in a business continuity plan (BCP). Even the first level of maturity calls for backups of important data to be performed and retained with a frequency and retention timeframe in accordance with the business’s continuity requirements.

This means the BCP needs to define what data is important to the business, how frequently it should be backed up, and how long backups will be retained. These assessments will vary from business to business and between different types of data.

For example, one business may define user chat history as unimportant, and therefore unnecessary to back up; however, in certain regulated industries, maintaining chat history is fundamental to meeting compliance obligations and backups are essential.

Similarly, a marketing database may be important and backed up, but if the BCP indicates that 24 hours’ worth of lost data would have a low impact on the business, the backup frequency may be set to daily. Alternatively, losing details of customer transactions would likely have a more severe impact, thus requiring such data to be backed up near-instantaneously. The maximum amount of data that can be lost during a disaster or cybersecurity incident is called the recovery point objective (RPO).

Finally, the business continuity plan will define the retention periods for each type of data. For example, compliance with regulations, including tax law, may require certain data to be held for many years. Other data, however, will lose its value over time, and the business can easily reduce costs by implementing a reduced retention period for that data.

In short, the business continuity requirements and plan will inform and create the specifications to which a business’ backup solution is configured.

Defining Backup Scope

The next step in implementing an effective backup strategy is defining the scope of the backups. As above, the Essential Eight calls for all ‘important’ data to be backed up; however, the determination of what is important and what is not is left up to the business and will change from business to business.

As cloud storage has become less expensive, so has the overall cost of backing up data. As a result, most modern businesses opt to back up most or all of their data. However, businesses with large data footprints should consider the cost – and the opportunity cost – of regenerating data. This will help define what data is important to the business.

Selecting Backup Solutions

Businesses should consider several factors to ensure they choose a solution that meets their needs.

The most important factor is the level of protection the business requires for its data. This includes the number and location of copies, the types and amounts of data, and the retention and frequency requirements from the BCP.

The next important consideration is the recovery time objective (RTO). The RTO is the maximum acceptable amount of time a business can afford to be without access to its data – in other words, how long it takes to restore data in the event of a disaster or cybersecurity incident.

Other things to think about include the scalability of the backup solution, the cost of the solution, the level of automation and ease of use, and the level of support and service provided by the vendor.

Last but not least, businesses must ensure that their backup solution can comply with relevant regulations, industry standards and local laws. Compliance requirements may include data retention policies, encryption standards, and access controls.

The Essential Eight places importance on storing backups in a ‘secure and resilient’ manner, but it leaves the definition of these terms to the business. In general, security encompasses both the cybersecurity controls that protect backed-up data, such as encryption, and the physical security of the storage medium. Resiliency looks at the backup’s ability to tolerate corruption, disaster and attack. Most modern businesses use the ‘3-2-1 principle’ to ensure resiliency: 3 copies of data, on 2 different storage mediums, with 1 copy offsite. This protects against corruption, media failure and physical events at the site of the backups, such as fire or flood.

Testing and Monitoring Backups

Regular testing and monitoring of backups is essential to ensure they are working as intended and can be relied upon in the event of an incident. Monitoring backups includes regularly reviewing logs or dashboards to check for successful completion of backups. Backups can be tested by periodically restoring them to ensure the data is available and uncorrupted.

Another aspect of testing backups is verifying their compatibility. If backups across different integrated systems or data are completed at different frequencies and restored from different time points, then issues may arise within those integrations.

Maturity level one of the Essential Eight requires synchronised backups that can be restored to the same point in time and are tested as part of disaster recovery exercises.
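
As an added illustration (not part of the original guide), the Python sketch below checks a backup job log against per-dataset RPOs and finds the newest point in time to which a group of integrated systems can be restored together. The dataset names, RPO values, job records and the five-minute tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data. RPO per dataset, as a BCP might define it.
RPO = {"crm_db": timedelta(hours=1), "billing_db": timedelta(hours=1),
       "marketing_db": timedelta(hours=24)}
# Constructed backup job log: (dataset, completion time, succeeded).
JOBS = [
    ("crm_db", "2024-05-01T08:00", True),
    ("crm_db", "2024-05-01T09:00", True),
    ("crm_db", "2024-05-01T10:00", False),   # failed job: not a restore point
    ("billing_db", "2024-05-01T08:00", True),
    ("billing_db", "2024-05-01T09:00", True),
    ("billing_db", "2024-05-01T10:00", True),
    ("marketing_db", "2024-05-01T00:00", True),
]

def restore_points(jobs):
    """Map each dataset to the sorted times of its successful backups."""
    points = {}
    for dataset, ts, ok in jobs:
        points.setdefault(dataset, [])
        if ok:
            points[dataset].append(datetime.fromisoformat(ts))
    return {d: sorted(p) for d, p in points.items()}

def rpo_breaches(jobs, rpo, now):
    """Datasets whose newest successful backup is older than their RPO."""
    points = restore_points(jobs)
    breaches = {}
    for dataset, limit in rpo.items():
        latest = max(points.get(dataset, []), default=None)
        if latest is None or now - latest > limit:
            breaches[dataset] = latest
    return breaches

def common_restore_point(jobs, group, tolerance=timedelta(minutes=5)):
    """Newest time at which every dataset in `group` has a successful
    backup within `tolerance`, or None if no such point exists."""
    points = restore_points(jobs)
    first, rest = group[0], group[1:]
    for candidate in reversed(points.get(first, [])):
        if all(any(abs(candidate - p) <= tolerance for p in points.get(d, []))
               for d in rest):
            return candidate
    return None

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 30)
    print(rpo_breaches(JOBS, RPO, now))
    print(common_restore_point(JOBS, ["crm_db", "billing_db"]))
```

In the sample log, the failed 10:00 job puts crm_db outside its one-hour RPO and pulls the shared restore point for the CRM and billing databases back to 09:00, even though billing_db has a newer backup.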

Access to Backups

An effective, robust backup solution must ensure access to backups is limited. Many modern ransomware variants will actively target backups in an attempt to render them ineffective for recovery. Empowering users to restore their own data can greatly improve response and resolution time, as well as increase the efficiency of the IT team. However, users should not be able to modify or delete any backups. The more privileges are afforded to users, the more privileges can be hijacked by malware.

To achieve maturity level one, businesses must prevent unprivileged accounts from accessing other users’ backups, and from modifying or deleting their own. As the maturity level increases, these precautions need to be applied to privileged accounts as well, such as general administrators and administrators of the backup solution. At maturity level three, only break-glass accounts should be able to delete backups that are still within their retention period.

Break-Glass Accounts

Once a business reaches maturity level three, even backup administrators are prevented from accessing and deleting backups, including their own. However, from time to time, legal or privacy issues may require that backups be deleted. For these special circumstances, the Essential Eight model introduces the concept of ‘break-glass’ accounts. These are accounts that have a higher level of privilege than even administrators and are only used in extraordinary circumstances. Break-glass accounts usually come with protocols that govern how administrators request and gain access to them, and logging to ensure their greater level of privilege is only used for exceptional, approved reasons. They are never used during day-to-day activities.

Essential Eight Regular Backups at a Glance

Maturity Level One:

To achieve maturity level one, businesses must perform and retain backups of important data, software and configuration settings with a frequency and retention period in accordance with their business continuity requirements. Backups must be synchronised to enable a common restoration point, and stored in a secure and resilient manner.

Backups must be tested as part of disaster recovery exercises, and unprivileged accounts must be prevented from accessing backups belonging to other accounts and prevented from modifying or deleting their own backups.

Maturity Level Two:

To advance the maturity level of the backup solution within the Essential Eight framework, the only changes required are to the access controls. Maturity level two requires that privileged accounts, such as administrators (but not including backup administrators) are prevented from accessing backups belonging to other accounts and prevented from modifying or deleting their own backups.

Maturity Level Three:

To reach maturity level three, both privileged and unprivileged accounts must be prevented from accessing even their own backups, and privileged accounts, including backup administrators, must be prevented from modifying or deleting any backups which are still within their retention period.

Conclusion

Implementing an effective backup strategy aligned to the Essential Eight framework requires careful planning and consideration. Businesses should start with their business continuity requirements, which will inform the specification and configuration of the backup solution. Once these are known, it becomes far simpler to define the scope of backups and select the best backup solution.

After implementation, monitoring, testing and appropriate access controls must be in place for ongoing security.

By following these best practices, businesses can align their backup service with the Essential Eight maturity model – protecting against data loss, reducing downtime, and ensuring faster recovery in the event of a cybersecurity incident.
