In my last blog, I talked about cyber security considerations around preparing your law firm for GDPR. Since then, several of you have been in touch asking for more information, so today I wanted to expand a little on some of the points I made in that article. In particular in this blog I wanted to focus on effective and secure data backup, something which forms a critical factor in protecting your data in readiness for GDPR.
Since article 32 of the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’, it is very important that law firms ensure that they have effective policies and controls around data backup. This is important because sometimes, even with the best laid plans, the unforeseen does happen and you need to retrieve data from backup. The reasons you may need to do this vary from minor day-to-day issues, such as a staff member accidentally deleting a file, through to major issues that affect the whole firm, such as a ransomware attack, a server failure, or an incident such as a fire, flood or other disaster.
However, effective backup is a more complex issue than you may first think. It’s not just about having a copy of your data somewhere, there are different types of backup, and they do not all provide protection against every eventuality.
For example, tools that provide real-time online backup are very useful if your computer or device breaks and you need to recover the data that was on it; however in the scenario that say a file corrupts and becomes unreadable, the problem is that the corrupted version will immediately replicate in real-time to the online backup, leaving you with a live and backup version that are both corrupted.
If you are relying solely on this form of backup, there is also a significant danger around ransomware – the type of cyber-attack we are seeing so commonly now – which encrypts the contents of your drive and demands payment of a ransom in return for unlocking your data. Because online backup systems are permanently attached to your live system, there is a danger that the ransomware can also encrypt the backup files, effectively rendering your backup useless.
With online backup there are also considerations over where your backup data is residing. Most UK law firms I speak to have a preference that all their confidential data, whether that is “live” files/emails or backup data, is stored within the UK. However, many providers of “cloud” or “online” backup services optimise their costs by leveraging hardware resources throughout the world, and as such may not be able to make such guarantees regarding where your backup data is actually being stored.
Another common way of making backups is using removable media (such as disks or tapes) that can be taken off-site. These are a useful way of ensuring that you always have an offline copy of your data that can’t be accessed by ransomware. The downside of this approach is that typically such backups are taken daily, overnight, and as such you could lose up to a day’s work if you have to restore from backup. Depending on how you manage the off-siting of your removable media there can also be issues to consider around timeliness of restoration (i.e. how long would it take to retrieve your backups from wherever you store them). If you rely on a member of staff taking backups home for safekeeping, you also need to consider how you manage the process if, for example, that person is on holiday or uncontactable. And as with physical files, transporting backup disks also exposes the firm to a risk of data leakage should those get accidentally lost, dropped or indeed stolen, particularly if data is not encrypted.
Whatever backup system you use, storing multiple versions of your data is vital, so that if necessary you can restore your data back to a “point in time” in the past, before a problem occurred.
A further important consideration is realising there is a difference between backups of data alone, and backups of your whole system. Servers and computers contain much more than just data – they run operating systems and software applications, and contain configuration settings, user and security information and much more. So in the event of a whole server failing or being destroyed, you need to be able to not only restore your data, but also recover all these other parts of your system in order to get your firm’s IT systems back up and running. Your backup strategy therefore needs to incorporate ways to backup not just your data, but the underlying server architecture too. Many basic data backup tools do not do this.
In determining your firm’s backup strategy, there are important conversations to be had and decisions to be reached over how much downtime your firm could tolerate in the event of a major problem, and this in turn will help to define the backup strategy that is required. In a future blog I will talk more about full disaster recovery, as this is another topic in its own right.
Finally, it may sound obvious, but it is paramount that your firm has in place processes that ensure that the backup is actually working successfully at all times, and that your backups are actually restorable. Throughout my many years working in IT, I have seen numerous cases where, when the backup needed to be used “in anger” to restore a customer’s data, they found that it actually hadn’t run successfully, or that the backup was incomplete or not recoverable.
As I hope this article has highlighted, data backup strategy is actually a complex issue that needs to be carefully thought through, and methodically managed on a day-to-day basis.
At Stonegate IT we are working with law firms to implement effective and highly secure backup solutions that overcome just these types of challenges. If, having read this article, you have questions or concerns over your firm’s current data backup strategy, please do not hesitate to contact me on 020 3761 3520 or email firstname.lastname@example.org when I will be happy to chat through the issues and discuss ways we can help.