Many companies are leaving themselves exposed to a data leak through poor
backup policies, according to a stark warning from GlassHouse Technologies.
Despite the huge publicity surrounding data breaches and the clamour to make
sure all data is protected, the majority of businesses are ignoring a
fundamental point of attack in the backup process.
Curtis Preston, vice president of data protection at GlassHouse, told
vnunet.com at the Storage Expo show in London that the majority of
organisations treat backup as an ignored and feared part of the business,
relegating the task to the newest person on the team who often has no
experience and never looks back once promoted to something else.
"This is folly. Backup is the most powerful data system in the entire
company," he said. "All data flows through it and it cuts right through any
encryption or other security, policy or 'auditability' measures in place
throughout the rest of the organisation."
To make matters worse, the majority of backups are performed with root
access, giving the user complete control with little or no chance of detection
should they do something malicious.
"The log-ins are usually never changed from their default setting, even when
the password is 'changeme'. It boggles the mind when everyone is banging on
about data leaks, but leaving the back door wide open," said Preston.
Because many backup systems allow users to run scripts elsewhere in the
system in case they need to shut down processes that are locking files or
something similar, someone in this privileged position could steal valuable
company data undetected and wreak havoc across the entire business if so
inclined.
Preston believes that businesses need to stop ignoring backup as some dark
art and regulate the area as with the rest of business, bringing in proper
password management, user policies and auditing.
"And if a company is going to insist on assigning the job of data backup to
the new guy, they need to perform proper background checks before hiring him,"
he concluded.