Oct 2023 Backups (…and restores)

A few organisations I’ve worked with assume that, because they use advanced cloud services for office automation, they don’t need to worry about how they back up and restore cloud-resident data. Their assumption is that the cloud provider’s data resiliency features, checks and processes will always ensure a copy of the data is available come what may…even if restoring it isn’t a straightforward process. Microsoft, a major provider, state in their Shared Responsibility model (see https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility) that the customer always retains responsibility for information and data.

This week, the NCSC have issued some useful guidance on ransomware-resistant cloud backups (https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-backups). Whilst they recommend considering ‘a breadth of technologies’ for backups, one of the key messages is to test regularly.

The IASME Cyber Assurance Standard states that three copies of information should be kept (the day-to-day working original, an off-site main backup and a local backup for easy retrieval). Crucially, the Standard also requires that the backups be tested, at least monthly.

If you’re based in Somerset, Devon, Gloucestershire or the Bristol area and are interested in learning more about the IASME Cyber Assurance Standard, please get in touch.