CyberSec Update #23 – Backup Not Just for Special Occasions
I must admit that one date slipped my attention: World Backup Day, observed on 31 March. The topic is important enough, however, that it should not be postponed until next year. This is a good moment to revisit the basic principles of creating backups, which should apply in organisations every day and not only on special occasions.
Backup in the Context of NIS2 and the Polish KSC Act
The amendment to the Polish Act on the National Cybersecurity System, implementing the NIS2 Directive, does not explicitly refer to backup creation as a standalone measure that should be taken into account when implementing an Information Security Management System (ISMS).
Nevertheless, backups should be viewed as part of the broader requirement to maintain business continuity plans. Business continuity plans are expressly provided for in the Act and constitute one of the key organisational areas within the ISMS.
The Act itself (UKSC) refers to backups in the ISMS requirements applicable to important entities that are public sector bodies. In this respect it recommends creating backup copies of data that are logically and physically separated from the data processed in the information systems used to perform public tasks.
Backup in the Recommendations of the Government Plenipotentiary for Cybersecurity
In a recent communication addressed to entities covered by the National Cybersecurity System, with particular emphasis on the healthcare sector, the Government Plenipotentiary for Cybersecurity presented a set of recommendations aimed at reducing the risk of incidents and minimising their impact on business continuity.
In the area of backups, the recommendations include, among other things, separation of privileges. In practice, this means that domain accounts must not be used to log in to backup systems.
The recommended approach is to use only local accounts (accounts created directly on the server) for backup servers and backup management consoles. This significantly reduces the risk of privilege escalation after a domain account is compromised: an attacker holding domain credentials, even domain admin, still has no path to the backups. The benefit only holds if the backup server does not itself accept domain logons (it is not domain-joined, or domain groups have been removed from its local Administrators group), and if the local accounts have unique, strong credentials that are not reused elsewhere and are not stored in a vault reachable with the compromised domain credentials.
WORM (Write Once, Read Many)
In the context of backups, it is also worth highlighting the WORM (Write Once, Read Many) principle, under which data, once written, cannot be modified or deleted and can only be read.
WORM storage is an important safeguard against ransomware. Because data cannot be modified after it has been written, an existing backup cannot be overwritten with an encrypted version of itself. Two caveats matter in practice: immutability must be enforced by the storage layer (object lock, a hardened repository, tape) for a defined retention period, with no account used by the backup software able to shorten that period or delete the data early; and the retention period should exceed the typical time between initial compromise and ransomware detonation, so that at least one clean copy predates the attacker's access.
Other Good Backup Practices
One of the fundamental principles is the 3-2-1 rule: maintain at least three copies of the data, stored on at least two different types of media, with at least one copy kept in a different location from the data it relates to (so-called off-site backup).
Equally important is automation of the backup process, which reduces the risk of human error (a forgotten job, a wrong path, a stale schedule). A third principle, often overlooked, is testing: regular verification that data can actually be restored from the backups, not just that the backup job reported success.
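As an added example (not code from the original article), the script below shows what a minimal restore test looks like in Python: a backup is restored into scratch space and every file is compared against a SHA-256 manifest recorded when the backup was taken. It also reproduces the two failure modes discussed above, an archive overwritten with ciphertext and an archive quietly replaced with altered data, to show that a separately stored manifest catches both. The sample files, the .tar.gz format and the directory names are constructed for the demonstration.

```python
"""Restore test for a backup archive: restore into scratch space and compare every
file to a manifest of SHA-256 hashes recorded when the backup was taken."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Write a .tar.gz of `source` and return {relative_path: sha256}.
    Keep the manifest apart from the archive (on another system, or itself on
    WORM storage): it is the reference a later restore test is judged against."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore `archive` into a throw-away directory and compare it to `manifest`.
    Returns {"ok", "missing", "corrupt", "extra", "error"}."""
    report = {"ok": False, "missing": [], "corrupt": [], "extra": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # The "data" filter (Python 3.12+, backported to older patch releases)
        # blocks path traversal and device entries in an untrusted archive.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **extract_opts)
        except Exception as exc:  # any failure to unpack is a failed restore
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        restored = {p.relative_to(dest).as_posix(): p
                    for p in dest.rglob("*") if p.is_file()}
        for rel, expected in manifest.items():
            p = restored.pop(rel, None)
            if p is None:
                report["missing"].append(rel)
            elif sha256_file(p) != expected:
                report["corrupt"].append(rel)
        report["extra"] = sorted(restored)
    report["ok"] = not (report["missing"] or report["corrupt"] or report["extra"])
    return report


def demo() -> dict:
    """Constructed scenario: a good backup, then the two failure modes a restore
    test is meant to catch. Returns the three reports keyed by scenario."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"                      # constructed sample data
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "records.csv").write_text("id,name\n1,Jan Kowalski\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        archive = Path(tmp) / "backup.tar.gz"

        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)

        # Failure mode 1: the archive is overwritten with ciphertext, which is
        # what a ransomware run does to a backup share it can write to.
        archive.write_bytes(os.urandom(archive.stat().st_size))
        encrypted = verify_restore(archive, manifest)

        # Failure mode 2: a later job captured altered source data and replaced
        # the archive; the manifest kept separately still describes the original.
        (src / "patients" / "records.csv").write_text("id,name\n1,CORRUPTED\n")
        make_backup(src, archive)
        altered = verify_restore(archive, manifest)

    return {"good": good, "encrypted": encrypted, "altered": altered}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, "OK" if rep["ok"] else f"FAIL {rep}")
```

The point of the design is that the manifest is written at backup time and stored somewhere the backup job cannot later change; a restore test that only checks whether the archive opens would pass the "altered" case above. In production the same logic runs on a schedule against a copy pulled from the off-site or WORM location, and a non-OK report is an incident, not a log line.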
Document the Backup Process
A practical approach to backups is essential; one should not, however, forget the general principle of documenting organisational processes.
To allow for full accountability, the backup process should be properly documented. The documentation should identify the persons and roles responsible for carrying out backup procedures and for the regular restore tests mentioned above, so that it is clear who acts when a backup job or a restore fails.