Cyber incidents are still a risk to all organisations, and the last few years have seen sweeping changes in the volume and nature of these incidents. Organisations that aren't prepared for this risk are highly vulnerable, and we recommend prioritising prevention wherever possible.
A few years ago, we’d talk to customers about how they’d respond if they suffered a security breach. Now, many of them accept that it’s no longer a matter of if, but when. This calls for actions such as reducing your attack surface, educating your users, and improving your ability to detect, isolate and respond to an attack. It also means your backup and recovery systems are more important than ever, as they form the last line of defence.
Here are some key steps to consider that will improve your ability to recover in the event of a cyber incident.
Prepare your plan
First, you need a plan. Start with the big picture. When your organisation is compromised your backup system must recover data at speed. To identify exactly how quickly that needs to be, focus on the financial and reputational impact of the attack and then determine a suitable recovery time. Now, make sure your data recovery lead times are less than that. Essentially, it’s the cost of investing in prevention versus the cost of the ransom.
This is fundamental to your approach. Time to action is a defining factor of your plan. The speed at which you detect an attack is crucial. Early detection and limiting the spread of an attack can improve your recovery time and the operational impact.
Prepare your people
It’s useful to rehearse what would happen in the event of a real attack. This ensures that the key people in your organisation have the right information to make informed decisions. You also need to identify who interacts with the backup system, and why. Lots of people may be able to perform file recovery, but the ability to modify or delete a backup should be tightly restricted. Make sure you have the appropriate controls and policies in place in the event of an attack.
You may want to consider automation for recovery, too. Investing in the tooling alone might be insufficient if IT staff become the bottleneck in the speed of recovery.
Prepare your data
Identify the data that needs to be protected in the event of an attack, and evaluate how much of that is absolutely critical to bringing services back online.
Your chosen backup service also needs to be able to survive a ransomware attack, even if it’s specifically targeted. Targeted attacks will involve an actor compromising certain key systems, such as the backup platform, before the payload is released. While some attacks will be random in nature, for example an employee inadvertently running malware, larger enterprises will be specifically targeted, with the perception that they will simply pay the ransom.
As a result, your backup servers and the systems they run on should always be kept up to date and patched. Also make sure you have at least one offline, or online but immutable, copy.
Prepare your security
Finally, make sure you have the appropriate network layer security, so when your systems are compromised there is limited spread.
It’s also worth familiarising yourself with information available through the government’s National Cyber Security Centre, which provides advice and support on how to avoid computer security threats.
Survive an attack
Once your systems have been hit, your speed of recovery is vital. The ability of your backup platform to recover becomes the centre of your world. If it takes you too long, then the cost of lost productivity or reputation could easily outweigh the size of the ransom.
Some backup systems can help identify the blast radius (the compromised files), which makes it much faster to identify and restore only the necessary data. You may be able to discount millions of files.
An effective solution will aid in the identification of compromised files by using machine learning and pattern analysis – making sure only the compromised data is restored, rather than the entire service. This is important because, if an attack was identified several days later, for example, you’d potentially be removing non-compromised data, resulting in loss of productivity. This can also help ease any legislative requirements, allowing you to report back on what was compromised and the associated sensitivity of the contents.
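One way to scope a restore to the blast radius, as an added example that is not part of the original post or any vendor's product: compare the last known-clean backup snapshot against the current state, and treat a changed file whose byte entropy has jumped to ciphertext levels as encrypted. The snapshots, paths, file contents and the 7.0-bit threshold below are constructed for illustration.

```python
import math
from collections import Counter

# Entropy (bits per byte) above which a changed file is treated as encrypted.
# Plain text sits around 4-5 bits; well-encrypted data approaches 8.
# Assumed threshold for this example, not a vendor setting.
ENCRYPTED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scope_restore(clean: dict, suspect: dict, threshold: float = ENCRYPTED_ENTROPY) -> dict:
    """Compare the last known-clean snapshot against the current snapshot.

    Both are mappings of relative path -> file bytes. Returns the paths to
    restore (deleted, or encrypted since the clean copy) and the paths to
    keep (unchanged, or edited normally), so productive work is not rolled back.
    Caveat: files that were already high-entropy when clean (archives, images)
    fall through to "edited"; they need a different signal, e.g. a changed
    extension or a failed format check.
    """
    restore, keep = [], []
    for path, clean_bytes in clean.items():
        current = suspect.get(path)
        if current is None:
            restore.append((path, "deleted"))
        elif current == clean_bytes:
            keep.append((path, "unchanged"))
        elif shannon_entropy(current) >= threshold > shannon_entropy(clean_bytes):
            restore.append((path, "encrypted"))
        else:
            keep.append((path, "edited"))
    return {"restore": restore, "keep": keep}


# Constructed sample snapshots (not real backup data).
CIPHERTEXT = bytes(range(256)) * 4  # stand-in for an encrypted file: 8.0 bits/byte
CLEAN = {
    "finance/q3.csv": b"date,amount\n2021-07-01,120.50\n" * 40,
    "hr/policy.txt": b"Annual leave policy. " * 50,
    "eng/notes.md": b"# Release notes\n- fixed login bug\n" * 30,
}
SUSPECT = {
    "finance/q3.csv": CIPHERTEXT,                                       # overwritten with ciphertext
    "hr/policy.txt": b"Annual leave policy. " * 50 + b"Updated 2021.",  # legitimate edit, keep it
    # eng/notes.md is missing from the current snapshot
}

if __name__ == "__main__":
    for action, items in scope_restore(CLEAN, SUSPECT).items():
        for path, reason in items:
            print(f"{action:7} {path} ({reason})")
```

Run against real snapshots, the "restore" list is the selective restore set and the "keep" list is the work you would otherwise have thrown away by rolling the whole service back.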
Putting it all together
Most ransomware attacks fail. That’s a fact. Security providers work hard to mitigate the evolving threat, many users are switched on to suspicious content, and IT organisations are constantly learning how to protect themselves.
But it only takes one successful attack. According to a Mimecast survey, the average US victim pays around $6m, with those in the UK paying nearly $850,000.1 That’s why preparation ahead of time is so important.
With the right planning, you can massively reduce the likelihood of severe impact. You can limit the chances of an infection spreading, and you can improve your ability to recover the right data quickly and accurately.
They say it’s best to fix the roof while the sun is shining, and this is no different. Make sure you walk through the experience of a real attack to test your plans. With careful preparation, you can provide robust protection for your organisation and send more hackers away empty-handed.
There are a few partners in this space that can provide you with advice and solutions on how to improve this. Join our webinar series with Rubrik, Druva and Veeam to find out more.
1 ZDNet, 2021
If you found this blog helpful, here are links to the other blogs in this series:
Three keys to making your enterprise hybrid cloud strategy successful (softcat.com)