When Backups Fail: Is Your Data As Safe As You Think?
New data reveals that enterprise backup plans are not as protected or widely used as many think.
A growing trend has recently taken root even deeper into financial services. While many professionals focus on protecting their data, they may be leaving themselves wide open for a risk on the back end through lack of proper backup or, even more threatening, inappropriate security on their backups. With more focus on protecting active data, backup data is becoming a larger target for many cyber criminals.
The Business Digital Index recently released updated information, and this is a bit scary. Keep in mind that the BDI doesn’t just review large organizations, but companies of all sizes. This is very eye opening:
23% of businesses fell into a “D” rating for safeguarding their backup data.
40% of businesses fell into an “F” rating. (Yes, you read that correctly.)
Only 11% of businesses were awarded an “A” rating.
Approximately 31% of businesses have had to rely upon a backup to recover from an attack within the last year.
This is even scarier when you look at a recent Apricorn survey, which revealed that 21% of organizations that experienced a breach reported that backups were the main cause. This is up from approximately 4% in 2021.
It’s important to have a solid plan in place to both protect your data and ensure the backup is operational.
So What is an Accounting Firm to Do?
With a plate already overwhelmed by compliance and operational needs, how does an accounting firm stay on top of its backup process to ensure the data is properly backed up, but also kept secure? There are a lot of factors that need to be taken into account when deciding on a viable plan.
Security & Compliance.
You didn’t think you’d escape this topic, did you? No matter what solution a firm ultimately selects, they need to comply with all industry-related requirements.
Backup data must be encrypted - both while in transfer and once placed with the backup media or provider.
Retention rules apply - the industry has retention requirements for most data; as such, the backup data falls within these requirements as well.
Logging - audit logs must be maintained, and many backup solution providers do not log all activity or may only retain logs for a short period of time.
Access Control - even within backup, access to the data must be limited and managed; many providers do not support this.
Type of Backup.
There are many types of backups. A Full backup will back up all selected data in its entirety. An Incremental backup will back up just the information that has changed since the previous backup; this typically reduces the strain on the system. An Image backup takes an entire copy of the machine (including the operating system and system files); this typically allows for fast recovery but is resource heavy on the backup side.
The type and frequency of backup varies by company and a hybrid approach is typically implemented. Many companies perform an incremental backup daily, a full backup weekly, and an image monthly. But this decision varies greatly depending upon the machine and data usage and how frequently the data is accessed or changed.
The Rule of Three
Most backup solutions suggest a rule of three, meaning data is backed up in a 3-2-1 solution:
3 Copies of Data - there should be at least 3 copies available; one in use and two backups.
2 Types of Media - backups should occur over multiple media types such as local hard drive, tape, network-attached storage, cloud, physical, etc.
1 Additional Location - beyond just the physical location of the data in use, a second location should house a backup.
Backup Verification
Backups should include a process to verify that the data was backed up safely. The backup system should provide a status after each backup to show success and/or failure with an accompanying detail log. More so, an organization should regularly test their backup by restoring files to make sure that the restoration process works.
Disaster Recovery
Beyond just the standard backup process with points listed above, an organization should have a plan in place to recover from a full disaster or total system failure. An example would be a firm in a high-risk area for hurricanes that keeps an off-site backup copy at a partner’s residence two miles from the office.
Oh, Is That All?
Sadly, that is not all, but it is a start to have a solid plan in place. For example, if we look at each item from a high-level first step:
Security & Compliance.
Select an enterprise (not retail) solution designed for corporate data, such as iDrive, Microsoft, Wasabi, Barracuda. Retail solutions just are not viable and do not typically provide the appropriate security.
More so, ensure that you have configured the backup solutions appropriately, including logging. Ensure that Multi-Factor Authentication is turned on.
Type of Backup.
Many companies perform an incremental backup daily, a full backup weekly, and an image monthly.
The Rule of Three
Many firms back up data locally on a network-attached storage device and then onto a removable hard drive that is kept at a second location, such as the owner’s house or a safety deposit box. Additionally, most firms use a third-party hosting provider for a cloud backup as mentioned above.
Backup Verification
Set a reminder once a month to test and review your backup - try to recover a file to see if the process is successful.
I Am So Glad I Use a Third-Party to Handle This!
There are a lot of third-party providers, most of whom provide software products in this industry, such as hosting providers, tax software, and portal providers. The challenge is that most of these providers add this service on as an auxiliary or additional add-on and not their primary solution. As such, the solutions are not always stable or perfect.
Even if you use a third-party, you are still responsible for the backup and protection of your data. If the backup from a third-party fails, that sadly becomes your problem and has a huge impact on your reputation.
When using software products that already provide backup services, it is still highly suggested that you maintain your own copy or version of the data as well. Sorry. :-/
Be Prepared.
I was (well, am) an Eagle Scout. As such, the phrase “BE PREPARED” is engrained in my mind and will forever be a part of my being.
It is best to adapt where you can and accommodate a lifestyle that allows for and embraces backup solutions. I promise, it could be fun. Well, maybe that isn’t a promise, but I enjoy it. So message me and we can chat about backup! Woooo.
If you do not fully understand an issue or if you need assistance working through a resolution, the team here at Financial Guardians is available for Individual Support Calls to assist with any individual or specific matters.