Data Backup Security: How to Secure Your Backup Data

Jason Reid Blogs

Data Backup Security Blog

All organisations should consider their data backup security, although many don’t. In fact, your toner cartridges may be more secure than your backup data.

It is critical that your organisation protects its data, both in flight and at rest. You have probably implemented data protection measures – such as firewalls and antivirus – to protect your live system data. But what about your data backup security? Could this be a back door for cybercriminals to access your confidential, business critical data?

The Toner Cartridge Test

We’re going to start this blog with a strange question: do you know how many toner cartridges you have, and where they are stored? Most organisations will know this information, as it will be tracked on some form of stock control system or spreadsheet. The toner cartridges are probably stored in a locked store room.

Okay, so next question: how do you get access to the toner cartridges?
For many organisations, the standard process involves making a request to the IT team or office manager. They will get the toner cartridge from the (locked) store room or cupboard. They will then update their spreadsheet or stock control system to note that a toner cartridge has been used.

Now ask yourself where all the company data that you backup is stored.
For many, the answer will be ‘on backup tapes’. This leads us to the next important questions: where do you store your backup media? What data backup security is in place? And do you know who has accessed the data that you backup?

Data Loss Prevention

IT solutions for Data Loss Prevention (DLP) typically focus on protecting company data from leaking. This can be through direct external links, such as email and firewalls, or through the protection and encryption of data on mobile and other roaming devices. However, backup data is seen as one of the most vulnerable forms of data storage.

Do you know where all of your backup media is located?
For many organisations, the answer is typically that the tapes are stored in a box near the servers (which may or may not be in a secure location). Someone often takes the tapes off-site (at home or in the car boot) to protect against something happening to the building.

Do you track the location of every tape for its entire lifecycle? 
Where is last month’s backup tape? How about last year’s? If you can’t locate and track all of your backup media until its destruction, then you potentially have a situation where your data backup security is not sufficient. You may be exposing your company data (which likely includes confidential and personal data) to loss or theft.

If data on a backup tape is a year or more old, it can still be damaging to your company if lost. If you hold confidential or personal information on individuals (which includes your staff members), you have a legal obligation under the Data Protection Act to ensure that this data is protected from falling into unauthorised hands.

Backup Data Loss Incidents

There have been a number of data loss incidents related to backups that have occurred recently, affecting some high profile organisations: –

  • Zurich were fined £2.3m by the FCA over the loss of a backup tape.
    The Financial Conduct Authority (FCA) fined Zurich Insurance £2,275,000 after a backup tape containing unencrypted personal details on 46,000 policy holders went missing in transit. The FSA said that Zurich had inadequate systems and controls in place.
  • The US Secret Service left backup tapes on the DC Metro.
    The Secret Service was supposed to store its backup tapes offsite at an Olney Maryland location. But the Marylander they entrusted to get the tapes there left two backup tapes on the Metro.
  • GE Money lost a backup tape with 650,000 card holders’ information.
    Personal information belonging to 650,000 US customers of J.C. Penney and up to 100 retailers, including 150,000 Social Security numbers, was stored on a backup tape was reported missing by GE Money.
  • Cattles Group lost backup tapes containing 1.4 million unencrypted customer records.
    The Cattles Group, which specialises in personal loans and debt recovery, admitted losing two backup tapes containing information affecting about 1.4 million customers.
  • TRICARE disclosed an SAIC breach, where stolen backup tapes held data on 4.9 million patients.
    The information was contained on backup tapes from an electronic health care record used in the military health system (MHS) to capture patient data from 1992 through to September 7, 2011. It may have included Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests, and prescriptions.
  • 1.6 million people were affected by lost backup tapes at Children’s Health System.
    Patient billing and employee payroll information on the tapes, missing from a Wilmington, Del. facility owned by Nemours, included names, addresses, dates of birth, Social Security numbers, insurance information, medical treatment information, and direct deposit bank account information.
  • O2 Ireland admited to the loss of an unencrypted backup tape.
    O2 Ireland said that its IT support partner IBM informed it of the loss of a tape used for routine daily IT backup work.
  • Bank of America lost customer data affecting up to 1.2 million people.
    Bank of America Corp. lost computer data tapes containing personal information on up to 1.2 million federal employees, including some members of the U.S. Senate. The lost data included Social Security numbers and account information that could make customers of a federal government charge card program vulnerable to identity theft.

Implementing Data Backup Security

What can you do if your toner cartridge is more secure than your company data? Cloud-based backup services like the AssureStor backup2cloud platform deliver some key advantages when you need to ensure your data backup security.

The backup2cloud platform, powered by Asigra, delivers security and deep audit capabilities. These allow you to have confidence that your data is stored securely and restricted so that only you can access it, and you can also track and report on all data access requests from the backup platform.

Utilising in-flight and at-rest military grade encryption, along with guarantees that data is always stored within highly secure Tier III+ data centres, the backup2cloud platform delivers a solution that reduces your risk of data leakage and complements your Data Loss Prevention strategies.

And with the inclusion of Asigra’s Backup Lifecycle Management (BLM), AssureStor can deliver tiered backup storage that drives down your backup and archive costs whilst delivering audited destruction of your data at the end of its life.

If you would like more information on how AssureStor’s backup2cloud platform provides data backup security, please contact us for a free, no obligation review of your backup and recovery needs.