Discover how to successfully implement the Australian Government’s Essential Eight Framework with simple articles and guides that you can work through to achieve level 3 maturity in your organisation
This article will cover Maturity 1 Control 8: Daily Backups
What is “Daily Backups” according to the ACSC
“Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Why: To ensure information can be accessed following a cybersecurity incident (e.g. a ransomware incident).”
Maturity level 1 of this control aims for the following level of security:
- Backups of important information, software and configuration settings are performed monthly.
- Backups are stored for between one to three months.
- Partial restoration of backups is tested on an annual or more frequent basis.
How to Implement Daily Backups
We have to caveat this article by letting you know that successfully implementing daily backups are very dependent on your business and environment, so in this article, we will cover some of the basics. However, if you want to implement this control thoroughly we recommend getting in touch with us for a free consultation here.
Before you even start making your way down the backups rabbit hole, you need to figure out 3 main things:
- What – what to back up
- When – how long to store the backups
- Where – where to put them
There are other considerations, like disaster recovery, though this is difficult to cover without having in-depth knowledge of how your systems/business operates. For now, we’ll keep it light and focus on a quick, easy win that most businesses can achieve.
This part can be easy or difficult, and it depends on which platform is at the core of your business.
If you’re using a cloud platform like Google Workspaces or Office 365, then there are a multitude of solutions available that will back up everything in the platform for little cost. Just make sure you have everything important saved there and you’re good to go.
Where it can get messy is when you’re still stuck in server land and your data is spread across multiple places. Generally speaking though, the things you’d want to focus on, to begin with, are:
- File data – shared drives and the like
- Databases – that SQL database that no one knows what it’s for
- Email – mailboxes and other mail-like objects
- Active Directory – yep, you need that
- Network & software configuration settings
If you already have that covered and still have some backup storage space left, add in Bare Metal Recovery into the mix. No, it is not a support group for people who like listening to heavy metal music while naked.
That all depends on what it is, and what the legal/regulatory requirements are for your business.
For emails, you might need to keep those for up to 7 years if you’re an accountant or legal professional. Other data like files and such, may not need to be kept longer than a year or even a few months.
Knowing how long the business needs to keep its records can be the basis for which you can start to narrow down the solution you will use for backing up your data.
If you need 7-year retention for email, then many of the contenders are now out of the running. The choice is then much easier: go with the one that matches your retention requirements.
And if you don’t have any retention requirements, go with what you think is appropriate for your type of business. Just make sure it’s longer than 3 months so you meet the requirements of this control :)
This is a good question and probably one that gets easily overlooked. There is a term used in the industry called “air-gapping” and it’s probably the most crucial part of your backup strategy.
While having a local backup strategy is great for when you need to recover large amounts of data in a short time, having that as your only source of recovery is a recipe for disaster.
If you know what ransomware is and the devastating effects it can have on a business (one fine example), then you should take air gapping very seriously. The term essentially means you should have a separate backup in a secure location with zero connectivity to your internal network.
A secure location could be a separate data centre, in the cloud or on removable media like backup tapes. Aside from things like ransomware, the primary reason for having your backups in an offsite location is for disaster recovery.
There is an old saying, “don’t put all your eggs in the one basket” and the same applies to your data. If your backup consists of an external hard drive that never gets unplugged from the server it’s connected to, just think what will happen if your office goes up in flames.
Once again, we recommend getting in touch for a free consultation here as implementing this control is very dependent on your business.
In the meantime, if you have reached this point in our series you have now reached the end of Level 1 Maturity level in our Essential Eight series. Next up will be reaching Maturity Level 2, so head back to our Essential Eight main page here and keep levelling up!