A recent report revealed that across the globe, the backup habits of businesses and their employees alike aren’t that great. For example, even though 42% of workers have needed to access a backed-up file since the pandemic began, only 26% actually back up their data to ensure it’s recoverable in the event of a cyberattack. Additionally, only 54% of companies back up Microsoft 365 data, even though the global pandemic has really brought the need for these types of filesharing and collaboration tools in the workplace to the forefront.
According to Jamie Zajac, VP of Product Management, backup is the backbone of cyber resilience, and shouldn’t be taken for granted. In this post, she covers what businesses can do to shore up their backup strategies and become more resilient against cyberattacks.
First, we have to remember that most people don’t seek out a backup solution until after they’ve experienced a data loss event. Some of these numbers may be coming from businesses that just haven’t personally felt that pain yet. Secondly, consider that problems don’t just happen because you don’t back up at all; they also happen when the right things are not backed up. For example, a business may only back up one or two servers or something they identified as critical a few years ago. But they may not be accounting for how their business environments have changed as they’ve hired new people or adopted new services. They haven’t necessarily revisited their cyber resilience plan or the data protection/backup component of it.
A really common example is the rise in laptop use vs. desktops. Just five years ago, a lot of people still worked on desktops. A company might have had a server in their office that they backed up and that was all. Or they might tell their employees to save all their work to a particular shared drive or other network location. But now that more people are remote – not just due to the pandemic but also because of the way the world and work continue to evolve – that’s just not effective anymore. Plenty of corporate data lives exclusively on the endpoint devices your workers use.
Yes, but there are a couple of things to keep in mind. Even when using Microsoft 365, data is still the owner’s responsibility. Microsoft 365 has no way of knowing the difference between an accidental deletion, a malicious deletion, or a truly intentional deletion, like in cases where a file is no longer needed. A person could easily delete whole folders, accidentally, intentionally, or maliciously, and even empty the Recycle Bin. If that happens, the data is basically gone. So while the Microsoft 365 suite is very robust and it’s good to see more businesses using these tools, I’d caution them to carefully consider and plan for the gaps in the type of data protection and recovery that Microsoft can provide. That means engaging a third-party backup service.
Another issue that a lot of people forget about happens when someone leaves the organisation. If an employee leaves, the company is likely to stop paying for that license, and Microsoft will only keep the data for 30 days before it gets deleted. That includes anything the ex-employee shared in Teams or OneDrive, as well as anything in their Outlook… all of that stuff is gone.
Never ever rely solely on the process. For example, if the process is to have all employees save their data to a shared network drive, it isn’t guaranteed employees will actually do it. Companies could send many reminders, but there will still be the odd employee who didn’t get the memo, has to call IT, and maybe learns the hard way that they’ve lost everything. So the process, alone, isn’t enough to solve the problem. The right tools have to be in place too.
A lot of employees consider cybersecurity and data protection to be IT’s job. So, in effect, they’re trusting IT to have that handled. Unfortunately, IT teams are often overworked, and there are still plenty of businesses that don’t even have dedicated IT resources. All it takes is one bad experience with IT to damage that trust and shake your faith in a company’s overall resilience. If they’ve lost data for whatever reason and IT couldn’t retrieve it, or if a company has gone through a cybersecurity breach, the company will lose a lot of credibility.
If an employee isn’t directly related to security, then that’s not necessarily on their radar as something they need to worry about. However, with a Security Awareness Training program, employers could keep security practices top-of-mind for their employees. Educating employees about the risks is going to help companies become more resilient overall. It’s also important to empower workers to feel like what they’re doing is important. Making someone do the same work over and over because they lost their data is the antithesis of that.
3. Review and re-review the backup plan. Business IT infrastructure is changing so fast that reviewing a strategy anything less than once a year is going to lead to missing something.
As more employees work remotely and businesses rely more heavily on collaboration and filesharing applications, it’s critical to continually re-examine backup and disaster recovery plans to ensure there are no gaps in data protection. Invest in tools that can back up the Microsoft 365 suite and ensure that data saved on endpoints is always recoverable, no matter where endpoints may be. Additionally, to empower your customers to become more cyber resilient, we highly recommend implementing cybersecurity education and awareness training.