The last mitigation of the Essential Eight is Regular Backups. Backups can be the last line of defence for an organisation that falls victim to a cyber-attack: without a backup, restoring operations may be impossible, potentially ending the organisation.

An organisation should consider its Maximum Tolerable Downtime (the longest period a critical service can be unavailable before the impact becomes unacceptable) when designing the backup system for critical data and services. Restoration should be tested and timed to confirm that the organisation can return to business as usual before that period elapses.

Adversaries are aware of the importance of backups and will seek to disable or destroy them before executing their primary attack (ransomware being the obvious case). Secondary copies stored offline or with sufficient segregation help counter this tactic. However, making copies of data and shipping them off site, or into a third-party service, carries its own risks: backup data should be encrypted, and the same or stricter access restrictions as apply to production systems should be enforced to prevent unauthorised access.

REMEDIATION STRATEGIES

Regular backups are one of the simpler strategies of the Essential Eight. Across all maturity levels, backups of important data, software and configuration settings should be performed and retained in a coordinated and resilient manner, in accordance with the organisation's business continuity requirements, and restoration should be tested as part of disaster recovery exercises.

Maturity Level One

At Maturity Level One, organisations should ensure that all servers and cloud services are backed up regularly (at least daily), or document the business reasoning for any asset that does not require backup.

Backups should be retained for at least ninety days unless regulatory or other guidance specifies a different retention period. Alternatively, an organisation can determine and document another retention period through an assessment of the risks applicable to the asset.

Organisations should conduct restoration tests from backup sets as part of their disaster recovery exercises, at least annually.
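The restoration test and the Maximum Tolerable Downtime check described above, as an added example that is not part of the original page: a scripted drill that restores a backup archive into a scratch directory, verifies every restored file against a SHA-256 manifest recorded at backup time, and compares the measured restore time with an MTD. The paths, file contents and MTD values are constructed for illustration; a real drill restores to a standby host and keeps the manifest with the offline or segregated copy rather than beside the archive.

```python
"""
Added example (not from the original page): a scripted restoration drill that
restores a backup archive, checks every restored file against a SHA-256
manifest recorded at backup time, and compares the measured restore time with
a Maximum Tolerable Downtime (MTD). Paths, file contents and the MTD values are
constructed for illustration.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzipped tar of every file under `source` and return a manifest
    {relative_path: sha256}. Store the manifest apart from the archive so an
    attacker who can rewrite the archive cannot also rewrite its reference."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> dict:
    """Extract `archive` into `dest`, then compare the result with `manifest`.
    Reports corrupted, missing and unexpected files plus elapsed seconds."""
    start = time.monotonic()
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # The "data" extraction filter (Python 3.12, backported to maintenance
        # releases of 3.8-3.11) rejects absolute paths and path traversal
        # inside a malicious archive; older interpreters fall back to none.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    restored = {p.relative_to(dest).as_posix(): sha256_file(p)
                for p in dest.rglob("*") if p.is_file()}
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in restored)
    extra = sorted(k for k in restored if k not in manifest)
    return {"ok": not (corrupt or missing or extra), "corrupt": corrupt,
            "missing": missing, "extra": extra,
            "elapsed_s": time.monotonic() - start}


def run_restoration_test(mtd_seconds: float, tamper: bool = False) -> dict:
    """End-to-end drill on a constructed data set. With tamper=True the archive
    is rewritten after the manifest was recorded, modelling a backup altered by
    an adversary who reached the backup store; the separately held manifest
    exposes the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive, dest = root / "source", root / "backup.tar.gz", root / "restore"
        # Constructed sample data standing in for important data, software and
        # configuration settings.
        (source / "config").mkdir(parents=True)
        (source / "config" / "app.ini").write_text("[db]\nhost=db01\n")
        (source / "data.csv").write_text("id,name\n1,alice\n2,bob\n")
        manifest = create_backup(source, archive)
        if tamper:
            (source / "data.csv").write_text("id,name\n1,mallory\n")
            create_backup(source, archive)  # manifest deliberately not refreshed
        result = restore_and_verify(archive, manifest, dest)
    result["within_mtd"] = result["elapsed_s"] <= mtd_seconds
    result["passed"] = result["ok"] and result["within_mtd"]
    return result


if __name__ == "__main__":
    for tamper in (False, True):
        r = run_restoration_test(mtd_seconds=60, tamper=tamper)
        print("tampered" if tamper else "clean", r)
```

The drill passes only when every file matches the manifest and the restore finishes inside the MTD; a clean run reports no discrepancies, while the tampered run flags data.csv as corrupt even though the archive itself extracts without error, which is why the manifest must live somewhere the backup store's own credentials cannot reach.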

For unprivileged accounts, ensure that they either cannot access the backup system at all or can access only their own data within it, and that they cannot modify or remove backup data.

Maturity Level Two

Maturity Level Two tightens access controls on backup data. Organisations need to identify and authorise a specific set of backup administrators with a business requirement to administer and use backups; ensure that unprivileged users, and privileged users who are not backup administrators, can access only their own data in backup sets; and ensure that only backup administrators can modify or remove backup sets.

Maturity Level Three

Organisations at Maturity Level Three prevent all accounts other than backup administrators from accessing backups, and prevent all accounts other than a separate break-glass administrator account from modifying or removing backups, so that even backup administrators cannot alter or delete them in routine operation.

Additionally, policy guidance should be established for the safe use of break-glass administrative accounts, including how their credentials are stored and how their passwords are rotated.