There’s no doubt that encryption is a vital piece of any data protection strategy. However, while many companies take care to encrypt data while it’s in transit and being stored on company networks or in the cloud, not all organizations place the same priority on encrypting data that’s being backed up. No matter how data is being stored, if it’s unencrypted, a criminal with the right tools for reading it can easily access the data — leading to a major data breach.
Why Companies Aren’t Encrypting Their Backups
If you took a poll of companies that aren’t encrypting their backups and asked them why, chances are most of the responses would be along the lines of “Encrypting backups is too difficult to manage.” Considering the amount of data that the typical company produces in a single day, those companies have a point. The challenges that make backup encryption difficult include:
- Key management. Have you ever locked your keys in your car? Your vehicle is safe, but unusable until you can unlock the doors. Now imagine that your roadside assistance provider doesn’t have a single tool that can unlock the doors. That’s what it’s like to encrypt data and lose the encryption key. The data is safe, but until you decrypt it, it’s unusable. The potential for lost keys, and the difficulty of managing all of the keys necessary to secure backed-up data, leads many companies to leave backups unencrypted, so that if they do need to restore, the data is actually usable.
- Difficulties Deduplicating Data. When data is backed up, it’s important to deduplicate it; otherwise, the amount of data just continues to grow until it is unmanageable. In many cases, companies need to decide whether to encrypt data or deduplicate it, since doing both slows down the system.
- Long-Term Access Challenges. One major concern about backups — encrypted or not — is long-term access to the data. Many IT departments struggle with how long to keep data; how long before it is obsolete? And since technology changes so rapidly, there’s always a chance that the tools needed to decrypt the data won’t exist when you need them.
Of all of these challenges, key management is often the biggest obstacle to encrypting backups. However, there are some solutions that can keep data safe.
Why Backups Should Be Encrypted — And How to Make It Easier
Often, businesses don’t encrypt backups because they’ve already taken security precautions, such as storing backup tapes offsite. While data storage companies are generally secure, there’s always the risk of theft. This is especially true in the case of small businesses, which opt to store backups in a less expensive, but less secure location, like the owner’s home or an offsite storage unit. Not all criminals are tech-savvy enough to know what they are looking at if they find a box of backup tapes or a hard drive, but many are, so improperly stored, unencrypted backups present a serious risk.
Also risky? Employees. While the chances of an employee using backups for personal gain are slim, multiple studies have shown that employees are the weakest link when it comes to data security. If an employee makes a mistake that allows malware to infiltrate your network, your unencrypted backups could give the hackers everything they need to wreak havoc on your business.
Finally, encrypted backups provide an additional layer of protection against data breaches, whether that means the exposure of critical data to criminals, or industrial espionage. In fact, according to the Privacy Rights Clearinghouse, millions of individuals have had their personal data — including Social Security numbers — exposed due to improperly encrypted and mishandled backups.
So how do companies handle the complex issue of encrypting backups? One easy solution is to work with a data security organization to handle your backups for you, ensuring that your backups are not only conducted on time and without corruption, but also deduplicated, encrypted, and secured. In doing so, you remove the issue of key management entirely, since the vendor manages that for you.
Experts also recommend that companies conduct regular restore tests using backed-up data in order to ensure that it can be decrypted and that it’s still accessible. These tests are part of any good disaster recovery program, and allow for the detection of issues before they become disastrous.
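A restore test needs something to compare the restored data against. The following added example (not from the original article) records SHA-256 hashes at backup time and checks a decrypted, restored copy against them; the file names, directory layout and function names are assumptions, and the decryption itself is left to whatever backup tool is in use.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large files are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (run at backup time)."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in files}

def verify_restore(manifest, restored_root):
    """Compare a decrypted, restored tree with the manifest; return (problem, path) pairs."""
    restored_root = Path(restored_root)
    problems = []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems.append(("missing", rel))
        elif sha256_file(target) != expected:
            problems.append(("corrupt", rel))
    extra = sorted(set(build_manifest(restored_root)) - set(manifest))
    return problems + [("unexpected", rel) for rel in extra]

def demo():
    """Constructed sample data: one file restores intact, one differs, one is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        sample = {"db/customers.csv": b"id,name\n1,Ada\n",
                  "config/app.ini": b"[app]\nmode=prod\n",
                  "logs/app.log": b"started\n"}
        for rel, data in sample.items():
            for base in (source, restored):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        manifest = build_manifest(source)
        # Simulate a bad restore: garbled output from a failed decrypt, and a lost file.
        (restored / "config/app.ini").write_bytes(b"\x00\x9f garbage")
        (restored / "logs/app.log").unlink()
        return verify_restore(manifest, restored)

if __name__ == "__main__":
    for problem, rel in demo():
        print(f"{problem}: {rel}")
```

Keep the manifest separately from the backup media, so that a lost or altered backup cannot also replace the hashes it is checked against.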
With new regulations regarding the protection of data appearing all the time, and the ever-increasing risks to data security, the issue of encrypting backups will undoubtedly move to the forefront of the data protection industry. Thinking about it now, and coming up with a solution that works for your company, will prevent a disastrous situation in the future.