Data loss is a pervasive issue that affects individuals and businesses alike, leading to significant financial and informational losses. Many assume that their data is automatically backed up and safe, but this often isn't the case. Here are four surprising facts about backups that might change the way you think about data protection:
Microsoft is not responsible for backing up your Microsoft 365 (Office 365) data. Ever
It's a common misconception that cloud services like Microsoft 365 (formerly Office 365) fully back up your data as part of their subscription services. However, Microsoft's primary focus is on managing infrastructure and maintaining uptime; they ensure that their services are available and that they can restore their services in case of a major disruption, not necessarily your data after accidental deletion or corruption.
What Microsoft Does
Microsoft provides what is known as the Shared Responsibility Model1. According to this model, Microsoft is responsible for the infrastructure and ensures that their services are available and resilient to issues. They also take care of data replication within the service, which means they have backups of the service data to handle their own emergencies.
What Microsoft Doesn't Do
On the other hand, the responsibility of backing up the data you create and manage (like emails, contacts, and files) lies with you, the user. This means if an employee accidentally deletes important emails or files, Microsoft will not be able to recover those for you, unless it's within a very short window using features like the Recycle Bin in SharePoint or Outlook.
Many users and even IT administrators are not aware of this and assume that their cloud data is automatically backed up. In reality, without a third-party backup solution specifically designed for Microsoft 365, your data is at risk for the following reasons:
- Accidental Deletions: If you delete a file, it may only reside in the Recycle Bin for a limited time.
- External Security Threats: Ransomware and other malware can corrupt your saved files and data.
- Internal Security Threats: Disgruntled employees can delete important files which can go unnoticed until it is too late.
- Legal and Compliance Requirements: Sometimes, having backups is necessary to comply with legal or regulatory standards.
The Solution
To protect your Microsoft 365 data from these risks, it’s crucial to use third-party backup solutions that can provide regular backups and the ability to restore data to a point in time before the disruption occurred. This not only protects your data from accidental loss but also from malicious attacks and compliance issues.
31% of businesses fail to restore data from a backup after a ransomware attack2
Ransomware attacks present a severe risk to businesses, often crippling their ability to operate and access crucial data. Interestingly, even with backups in place, a significant portion of businesses cannot retrieve their data when it matters most. This failure rate highlights critical vulnerabilities in how backups are managed and deployed.
Reasons for Backup Failures
- Encrypted Backups
- A staggering 95% of ransomware attacks aim to compromise backup repositories, with 71% succeeding in encrypting the stored data3. This makes the data unrecoverable and defeats the purpose of having backups in the first place.
- Poor Backup Management:
- Failed Backups: Many organizations do not regularly monitor their backup processes. Failed backups often go unnoticed until an attempt is made to restore the data, which, by then, is too late.
- Misconfigured Backups: Backups that are not configured properly may not capture all necessary data or might be set up in a way that doesn't align with the recovery needs of the business.
- Outdated Repositories: If changes to data storage practices are made but the backup configuration isn't updated accordingly, backups may become obsolete and not reflective of the current data environment.
Solutions to Enhance Backup Security
- Strict Monitoring and Maintenance Regime: Implementing rigorous monitoring of backup processes ensures that failures are identified and rectified promptly. Regular reviews and updates to the backup configuration are essential to cope with changes in the IT environment and data storage practices. Ask your backup provider or MSP how they monitor backups and what they do if a failure is detected.
- Immutable Backups: Immutable backups are read-only versions of data that cannot be modified or deleted within their retention period. This type of backup prevents ransomware from encrypting or altering the saved data. Check with your backup provider whether you have immutable backups and don't be afraid to ask questions around how they are made immutable.
Critical Questions to Consider
- Are your backups immutable?
- How frequently are backup processes and configurations reviewed?
- What happens if a backup fails?
Understanding these aspects can significantly mitigate the risks associated with ransomware and improve the chances of successful data recovery. The adoption of immutable backups is becoming a best practice in the industry but in practice these are still relatively uncommon.
It's not all bad news though, the percentage of businesses that do recover data from backups is far far higher than those who just pay the ransom. Sophos found that for those that paid the ransom, only 8% recovered all their data4.
About 50% of tape backups fail to restore5
Despite the popular belief that magnetic tape storage is obsolete, the reality is quite different. Tape has not only persisted in the digital age but is experiencing an increase in sales, proving its ongoing relevance, particularly in large-scale, long-term data storage scenarios.
The Persistence of Tape
- Market Trends: According to the IMARC Group, the tape storage market is expected to continue growing6, with increasing sales each year up to 2032. This trend contradicts the common perception that tape is a dying technology.
- Cost-Effectiveness: One of the strongest arguments for using tape is cost. A Fujitsu study7 highlights that the cost of long-term storage on tape can be three to four times less expensive than disk-based storage . This significant cost difference makes tape an attractive option for large organizations that need to store vast amounts of data for extended periods.
Challenges with Tape Backups
- High Failure Rates: Despite its cost benefits, tape backups suffer from a high failure rate, with about 50% not restoring successfully. This reliability issue is a major drawback for businesses that cannot afford to lose critical data.
- Specialized Hardware and Software Requirements: For smaller organizations, the overhead costs associated with maintaining tape systems (including specialized hardware and the need for specific expertise) often negate the cost benefits. These systems can be underutilized, adding to inefficiency.
Tape vs. Cloud Solutions
- Scalability and Accessibility: Cloud storage solutions offer scalability and accessibility that tape systems generally cannot match. For small and medium-sized businesses (SMBs), the cloud provides a more practical and cost-effective solution due to lower upfront investments and pay-as-you-go models.
- Long-Term Considerations: While tape is suitable for very long-term data retention in large volumes, it is less practical for businesses that need regular, easy access to their data or that do not have the infrastructure to manage tape effectively.
Check with your provider
It's important that you understand what backup mechanisms are in place to protect your data. Check with your provider whether tape is used anywhere in your backup regime and consider what the risk is to your data in the event of a failure. Discuss with your provider moving to a more robust solution if tape is relied upon currently.
40% of cybercrimes occur within the supply chain.
I know that this doesn't sound like it has anything to do with backups, but read on!
The interconnectedness of today’s business ecosystems allows for efficiency and expanded capabilities through partnerships, but it also introduces significant risks, particularly when it comes to cyber security. A striking 40% of cybercrimes exploit vulnerabilities within the supply chain8, affecting not just the direct operations of a company but also those of its partners, including backup service providers.
Vulnerabilities in the Supply Chain
- Broad Attack Surface: The supply chain can include countless entities such as third-party vendors, service providers, contractors, and associated businesses. Each node in this chain potentially offers a point of attack for cybercriminals, making it crucial for companies to secure not only their own infrastructures but also to ensure their partners uphold strong security standards.
- Implications for Backups: When backup solutions are provided by third-party vendors, they become part of the supply chain and inherit these vulnerabilities. The integrity and security of backup data are only as strong as the weakest link in this chain, which could be compromised by cyber attacks directed at less secure partners.
Evaluating Backup Service Providers
Given the critical role of backups in business continuity and data integrity, it is essential to meticulously evaluate potential backup service providers based on their security practices:
- Security Practices and Protocols:
- Ask potential backup providers about their security protocols, data encryption methods, and how they manage and monitor access to the stored data.
- Certifications and Compliance:
- Certifications can serve as a benchmark for security practices. Providers that adhere to recognized standards (such as ISO 27001, SOC 2, or GDPR compliance) are generally more reliable. These standards ensure that the provider takes data security seriously and adheres to strict data protection regulations.
- Third-Party Audits:
- Check if the provider undergoes independent third-party security audits. These audits are critical as they provide an unbiased review of the provider’s security posture.
- Continuous Improvement:
- Cyber threats evolve rapidly; hence, a static security approach will quickly become obsolete. Ask providers about their policies for updating their security measures and practices. Continuous improvement should be part of their security strategy.
Critical Questions to Ask Your Backup Provider
- What certifications do you hold that demonstrate your commitment to security?
- How do you encrypt data, both in transit and at rest?
- How often do you audit your security practices and by whom?
- What has been your history with data breaches or other security incidents?
Ensuring that your backup service providers take these aspects seriously can significantly mitigate risks associated with cybercrimes facilitated through the supply chain. Given the substantial percentage of these crimes that involve the supply chain, rigorous evaluation and continuous scrutiny of backup services are not just beneficial but necessary for safeguarding your data.
Next steps
Sentrian have been providing Backup as a Service for a number of years now and have a wealth of knowledge on how to implement and run backup best practice. We welcome the chance to have a conversation with you about your backups so please get in touch!
References
1 Shared responsibility in the cloud - Microsoft Azure | Microsoft Learn
2 63% of organizations restore data after a ransomware attack | Security Magazine
3 veeam-ransomware-trends-executive-brief-2022-americas_wpp.pdf
4 https://secure2.sophos.com/en-us/content/state-of-ransomware
5 15+ Key Backup Statistics to Know in 2023 (techreport.com)
6 Tape Storage Market Size, Share, Growth Forecast, 2032 (imarcgroup.com)
7 Tape Secures its Place in the Future of Enterprise Storage - Fujifilm Data Storage
8 The Latest Cyber Crime Statistics (updated April 2024) | AAG IT Support (aag-it.com)
