Welcome to Part 2 of the series where we debunk some of the most critical myths about backups. Last time, in Part 1, we talked about separating command and control of your backups from command and control of the systems being backed up. Today we are going to explore services that either claim to include backups or otherwise throw around the word “backup” maybe a little too freely.
Let’s cut to the chase and flat out state the position of this article… file sync and share solutions are NOT backup solutions.
Take a moment to let that sink in. Having your files stored in the cloud does not automatically equal having backups. Furthermore, your file sync and share solution that labels some of its functions as “backups” may also not truly equal backups. If you’re utilizing a cloud file sync and share solution (think Dropbox, Box, OneDrive, SharePoint, etc.) you may easily fall into a trap of thinking “my files are stored in the cloud and, therefore, they are backed up.”
It is very easy to confuse the concept of sync/share solutions with the concept of backup solutions. Even so, they were created for two very distinct purposes. File sync and share solutions have the primary purposes of synchronizing files between multiple endpoints, accessibility across multiple devices, and often allowing collaboration/sharing along with ease of access. Backup solutions have the sole purpose of data protection and are fully geared towards backing up data and allowing the ability to recover and restore when the time comes.
Syncing, at its core, can be thought of as a two-way operation: two or more endpoints push and pull changes to files, and the sync software keeps those files in sync with each other across many devices, users, and files. Keep in mind that, by nature of syncing, unwanted changes (such as files being encrypted due to ransomware) will also sync to the cloud and across devices, effectively giving the ransomware a mechanism for spreading its damage.
Backups can be thought of as a one-way operation: data is taken from a point in time and stored elsewhere specifically so that it is available for recovery. Input is not being taken from multiple locations. A backup has a single source of authority for the data it is protecting and makes a copy of that data to a separate location. If files are encrypted by ransomware, those files simply get backed up as well; the previous backups of the data are not affected.
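The difference between the two models described above, as an added illustration. This is not code from any sync or backup product; the class names, file names and contents are constructed, and the "encryption" is a harmless stand-in for an unwanted change.

```python
import copy

class SyncService:
    """Two-way sync: endpoints push changes to the cloud and pull everyone else's."""
    def __init__(self, endpoints):
        self.endpoints = endpoints          # device name -> {path: content}
        self.cloud = {}

    def sync(self, changed_on):
        self.cloud.update(self.endpoints[changed_on])   # push from the device that changed
        for files in self.endpoints.values():           # pull to every device
            files.update(self.cloud)

class BackupService:
    """One-way backup: point-in-time copies of one source, kept in a separate store."""
    def __init__(self):
        self.snapshots = {}                 # label -> frozen copy of the source

    def backup(self, label, source):
        self.snapshots[label] = copy.deepcopy(source)

    def restore(self, label):
        return copy.deepcopy(self.snapshots[label])

def unwanted_change(files):
    # Stand-in for ransomware encryption: content becomes unusable (constructed marker).
    for path in files:
        files[path] = b"ENCRYPTED:" + files[path][::-1]

def run_scenario():
    clean = {"budget.xlsx": b"Q1 formulas", "notes.txt": b"meeting notes"}
    endpoints = {"laptop": dict(clean), "desktop": dict(clean)}
    sync, backups = SyncService(endpoints), BackupService()
    sync.sync("laptop")
    backups.backup("day1", sync.cloud)      # taken before the incident
    unwanted_change(endpoints["laptop"])    # one device is hit
    sync.sync("laptop")                     # sync carries the change everywhere
    backups.backup("day2", sync.cloud)      # encrypted files get backed up as well
    return clean, endpoints, sync.cloud, backups

if __name__ == "__main__":
    clean, endpoints, cloud, backups = run_scenario()
    print("desktop after sync:", endpoints["desktop"])
    print("day1 restore is clean:", backups.restore("day1") == clean)
```

After the run, the desktop and the cloud copy hold the altered files even though only the laptop was hit, while the `day1` snapshot still restores the original content.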
Let’s be clear that there are some circumstances in which a cloud file sync and share solution may allow you to easily “restore” a file back to a previous state. For example, say an Excel spreadsheet’s complex formulas are no longer working as intended after a recent edit by a colleague. You notice the issue the next day and simply use your sync/share solution to revert to the previous version of that file when the formulas were working as intended. You may be thinking “that sounds a lot like a backup, doesn’t it?” Well, yes, it does sound that way, but that is more a function of versioning than a true backup and recovery mechanism. Using a sync and share solution to perform data recovery during a true incident response scenario can be time-consuming and tedious compared to using a true backup solution that is designed specifically for the purpose of restoring data in these scenarios. Versioning has its limitations.
Given their differences, file sync and share solutions pair well with backup solutions and can live together in harmony. You have your file sync and share operations in place for the day-to-day workflows and the one-off version reverting tasks that may pop up. Additionally, you have your data that is being stored and synced to the cloud getting backed up through a dedicated backup service, allowing you to more quickly and easily restore in the event of a major incident. Not to mention that core backup principle we discussed in Part 1: separation of the command/control of backups and the command/control of the systems being backed up.
Lastly, depending on your cyber insurance policy or carrier, checking the “yes” box next to the “Do you have backups of your data?” question may not truly meet the expectations of the carrier. This potentially opens your organization to risk by way of the carrier denying your claim after finding that you had only versioning capabilities through your file sync and share solution and not any true “backup” solution. One of the most devastating positions to be in is one in which you are reliant upon your cyber insurance kicking in to offset the cyber incident costs, only to find out that the claim has been denied due to an incorrect answer within your attestation/application.