CERT NZ’s Quarter Three Report provides an overview of the cyber security events reported between 1 July and 30 September 2018. It also gives advice on how to prevent or mitigate these events.
If your business experienced a security incident, restoring your data from backups would be the best, and fastest, way to get back to business as usual. You need to make sure all the data your business holds is backed up. That means:
- the data provided to you by your customers or staff, like personal employee or customer details, and customer account credentials
- data that’s generated by the organisation, such as financials, operational data, documentation and manuals
- system-based data, like your log files.
Identifying the different characteristics of your data will affect the decisions you make about how and when it’s backed up. For example, some data will be:
- updated and used more often than other data you hold
- business-critical — the kind you can’t afford to lose
- difficult to recreate if you do lose it.
As the business owner, you hold responsibility for both managing your data, and ensuring it’s backed up effectively.
Know who’s responsible for doing your backups
Regardless of who does your backups — whether it’s someone in your IT team or an external IT service provider — you need to:
- understand what’s being backed up
- know how often the data is backed up
- decide how long to keep backups for, and
- know where, and how, offline copies of the backups are being stored.
If you have a publicly available website, your web hosting provider may provide a service where they do backups of your website on your behalf. If that’s the case, talk to them about who’s responsible for backing up:
- the servers that support your website, and
- the data collected through the website.
If your hosting provider is responsible, check if they’ll charge you for restoring your website and data from backups if something goes wrong. Some do charge for this service, and it’s better to know up front. Ask how often they’ll do backups, and how long they keep them for — this will help you understand how much data may be lost if your website is affected by a security incident.
Set your backups to happen automatically
If you do your own backups, set them to happen automatically. That way you don’t have to think too much about them. How often you do them depends on how important the data is. For example:
- if you have new customer data coming in every day that would be impossible to recreate, set your backups to happen a few times a day
- if you don’t update your website much, you can set your backups to happen less often — you could back it up once a week or once a month instead.
If possible, set the backups to email you if they fail. This will let you know that something’s wrong and needs to be looked into.
Test them regularly
When you back up your data a new file is created, which holds a copy of the data. Sometimes the copy fails, and it’s important to know this so you can fix it before you need to use it. Check your backups on a regular basis, by:
- restoring your system from a backup to test the entire backup, or
- restoring the data from a single database to test part of your backup.
Your IT service provider can help you with this if need be.
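For those who run their own backups, the following added example (not CERT NZ's code) shows one way to combine the advice above: create the backup, restore it into a scratch directory to test it, and raise an alert if either step fails. The function names and paths are assumptions, `notify_failure` is a placeholder for your own email alert, and the script assumes GNU tar and sha256sum.

```bash
#!/usr/bin/env bash
# Added example. Function names and paths are assumptions, not CERT NZ's.
# Needs GNU tar, find, sort, xargs and sha256sum.

# Print a sorted "sha256  ./path" line for every file under directory $1.
manifest() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum)
}

# make_backup SRC DEST: archive SRC into DEST and print the archive path.
make_backup() {
    local src=$1 dest=$2 archive
    archive="$dest/backup-$(date +%Y%m%dT%H%M%S).tar.gz"
    mkdir -p "$dest" || return 1
    tar -czf "$archive" -C "$src" . || return 1
    # Keep the checksums beside the archive so it can be re-tested later
    # without needing the live data.
    manifest "$src" > "$archive.sha256" || return 1
    printf '%s\n' "$archive"
}

# test_restore ARCHIVE: restore into a scratch directory and compare every
# file against the stored checksums. Returns 0 only on an exact match.
test_restore() {
    local archive=$1 scratch rc=0
    scratch=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rc=1   # archive is unreadable or truncated
    elif ! manifest "$scratch" | diff -q - "$archive.sha256" >/dev/null; then
        rc=1   # a file is missing, extra or changed
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Placeholder alert: replace the body with a call to your own mailer.
notify_failure() { echo "BACKUP FAILED: $*" >&2; }

# backup_and_verify SRC DEST: the function a scheduled job would call.
backup_and_verify() {
    local archive
    archive=$(make_backup "$1" "$2") ||
        { notify_failure "could not back up $1"; return 1; }
    test_restore "$archive" ||
        { notify_failure "$archive failed its test restore"; return 1; }
    printf '%s\n' "$archive"
}
```

Call `backup_and_verify` from your scheduler with the data directory and a backup location that is not on the same server.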
Store them somewhere safe
Backups should be stored in a safe location that’s easy to get to — and not on your own server. Ideally, you need to store your backups somewhere offline. Keep them somewhere secure where only you, or authorised employees, can access them. This could be a locked drawer or cupboard, for example.
If you use a memory stick or external hard drive to store your backups, make sure you disconnect it from your network every day.
If possible, keep a separate copy of your backups offsite. That way, if anything happens to one copy, you’ll have another to hand. Storing your backups in the cloud can be a good option for businesses too. But, it’s important to note that restoring your data from a cloud backup may be a slow process. It could take a while to get back up and running again, and that may not work for you.
Talk to your IT provider
If you’re unsure how your backups work, talk to your IT provider. We have implementation advice for IT providers on setting up backup programs.