Backup strategies that your company should master

Having consistent backups of a company’s systems is the best answer to Ransomware attacks, because these backup copies make it possible to restore information without paying the criminal who orchestrated the intrusion. It is therefore extremely important to ensure that backups are ready and available under any circumstances.

The risks of Ransomware attacks increased with the coronavirus pandemic, not least because users are less vigilant when working from home. According to Cybersecurity Ventures, a company will fall victim to a ransomware attack every 11 seconds in 2021, compared to 14 seconds in 2019.

Another 2019 survey, by Forrester, points out that 43% of the organizations surveyed say it takes between 3 and 4 days to recover data and restore applications after a Ransomware attack. In addition, only 25% responded that it is possible to recover between 75% and 100% of the stolen data.

This type of attack also affects how a company operates. The same Forrester study indicated that 51% of respondents perceived a loss of customer confidence after an attack and 43% of respondents said they had lost revenue due to a shutdown in operations. In addition, some companies end up paying the attacker to get their data back, and even after a payment is made the data is not always returned.

To avoid the damage caused by Ransomware, backing up all systems is a must. A good way to ensure that backup copies are made correctly is to use an automatic model capable of including new systems, files and databases in environments designed to safeguard this information. The automatic backup of all virtual machines (VM) can benefit from a tag-based inclusion, in which each type of device is included in a specific tag.

Another important point is to make sure that the disaster recovery system (DR system) is able to restore the entire data center after an attack. Without this, there is no point in making constant backups. The way a backup saves a company from major complications after a Ransomware attack is simple: the compromised data and systems are erased and replaced with the copies that were saved for emergency situations.

Some of the typical solutions that should be considered are:

  • Air gapping

Ransomware attacks often spread across the entire network, including backup environments. Air gapping can therefore be crucial to prevent all of the copied data from being affected as well. The idea behind this model is to ensure that at least one copy of critical data is kept on a secure network that is physically isolated from the insecure network.

The ideal scenario is to keep this backup offline and on a separate physical device, such as portable hard drives. Public clouds may also work, but a cloud system is not as reliable as physical mechanisms, because of the vulnerability that stems from its connections to customer networks and its shared infrastructure. In addition, attackers are able to act specifically against the security of cloud services.

Nevertheless, a cloud system offers protection against physical destruction, such as fires or power outages. Therefore, it is interesting to use the two solutions in a complementary way to guarantee the effectiveness of any backup.

The air gapping strategy is also important because the most sophisticated Ransomware attacks start specifically at the backup points, before even reaching the company’s network, in order to force the victim to pay the amount requested by the criminal. That makes it important to create a multilayered defense, with the original copies inviolable and inaccessible. Multi-factor authentication and the write once read many (WORM) solution are also allies in the search for more security.

  • Rule 3-2-1

The tactic is far from new in the computing market, but it still has value in ensuring that a backup is secure. Basically, the strategy consists of making 3 copies or versions of the data, saving them on 2 different types of media and keeping 1 of the copies off site.

For more effectiveness, one should use different operating systems and locations to save the copies, in addition to scheduling the receipt of automatic reports monitoring whether the backups are being performed correctly. The use of Machine Learning can be beneficial in this case because it identifies patterns that can indicate problems and speed up the processing of information without relying on manual work.
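The check below is an added example, not code from the original article: it audits a backup inventory against the 3-2-1 rule, also flags the absence of an offline copy as described under air gapping, and ignores copies older than a threshold so that silently failing jobs show up in the report. The inventory format, the `Copy` fields, the 24-hour threshold and all sample entries are assumptions made for illustration; the inventory is assumed to list every copy of a dataset, the live one included.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Copy:
    dataset: str        # what the copy protects
    media: str          # "disk", "tape", "cloud", ...
    site: str           # where the copy physically lives
    offline: bool       # True when the copy is air-gapped
    finished: datetime  # end of the last successful write

def audit_321(copies, primary_site, now, max_age):
    """Return {dataset: [findings]}; an empty list means the dataset passes."""
    groups = {}
    for c in copies:
        groups.setdefault(c.dataset, []).append(c)
    report = {}
    for dataset, group in sorted(groups.items()):
        # Copies older than max_age are reported and do not count toward 3-2-1.
        fresh = [c for c in group if now - c.finished <= max_age]
        findings = [f"stale copy on {c.media}@{c.site}"
                    for c in group if now - c.finished > max_age]
        if len(fresh) < 3:
            findings.append(f"only {len(fresh)} current copies, need 3")
        if len({c.media for c in fresh}) < 2:
            findings.append("fewer than 2 media types")
        if all(c.site == primary_site for c in fresh):
            findings.append("no off-site copy")
        if not any(c.offline for c in fresh):
            findings.append("no offline (air-gapped) copy")
        report[dataset] = findings
    return report

# Constructed sample inventory; every name and timestamp is made up.
NOW = datetime(2021, 3, 1, 6, 0)
MAX_AGE = timedelta(hours=24)   # assumed freshness threshold
SAMPLE = [
    Copy("crm-db", "disk", "hq", False, NOW),
    Copy("crm-db", "cloud", "region-a", False, NOW - timedelta(hours=5)),
    Copy("crm-db", "tape", "vault", True, NOW - timedelta(hours=20)),
    Copy("file-share", "disk", "hq", False, NOW),
    Copy("file-share", "disk", "hq", False, NOW - timedelta(hours=4)),
    Copy("file-share", "disk", "hq", False, NOW - timedelta(days=3)),
]

def sample_report():
    return audit_321(SAMPLE, "hq", NOW, MAX_AGE)

if __name__ == "__main__":
    for dataset, findings in sample_report().items():
        print(dataset, "OK" if not findings else "; ".join(findings))
```

Run on a schedule against the real inventory, a report like this can feed the automatic monitoring mentioned above; a dataset with an empty findings list satisfies all four checks.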

Backup copies are only valuable when they are robust, so be sure to analyze whether the company really has the necessary robustness. For this, the technology team must perform system audits to confirm that the backup reaches all the indispensable data.

From time to time, it is still imperative to review the frequency of backups and where the copy of the data is being stored. Keeping separate duplicates of more critical information is also crucial to speeding up the data recovery process.

The possibility of an attack arising from within the company itself must also be taken into account. So, the IT team also needs to be concerned with auditing logins and monitoring network usage by its own employees.

During reviews, it is essential to make sure the backups are free of malware, which is not an easy task, but which can be done with the help of updated detection systems for this type of infection.

  • DR system security

Backup and Data Recovery Systems are the first places where security patches must be installed to avoid security breaches. After all, these are the two systems that hold the most protected data in the computing environment.

It is advisable to choose a backup system that allows role-based administration, to identify who is managing the network. The use of administrator or root logins should be restricted.

Even with these network security strategies, access to the physical backup system must be made difficult to guarantee the integrity of the copied data. As discussed, the combined use of the cloud with a physical backup increases information security.

Given the importance of the DR System for the restoration of a company’s operations in the event of a Ransomware attack, this entire system must be designed based on the company’s needs.

The organization’s teams should hold meetings to define the recovery time objective (RTO) and the recovery point objective (RPO), and the backups and the DR System should be planned on that basis. The first provides a reference for how backup policies should be planned, while the second evaluates the amount of information that can be lost after an attack.

  • Less fragmentation, more encryption

The growth in the amount of data and the ever greater fragmentation of information within a company increase the number of elements that can be targeted by Ransomware. Therefore, a unified solution is needed to eliminate this spillover by connecting the infrastructure, the workload and the company’s backup environment.

In addition to being unified, saved data must be encrypted so that a threat is unable to follow a path to find the backup servers. The service provider must also encrypt traffic between all systems.

Data that has already been copied can also be encrypted, especially when located outside the physical control of the company’s management team. This process includes both material copies and those stored on cloud networks.

  • Tests

Making the backups is not enough: the team that works with the technology department must also know how to respond quickly in case of an attack. They should test every phase of the recovery plan against the saved copies, as they would have to after an intrusion.

Modern DR systems and backups support frequent testing of the entire network. Even so, it is recommended to use duplicate media when testing possible scenarios to prevent an exercise from contaminating existing copies.

Tests make it easy to organize the recovery of copied data when you really need to use this option. Precisely for this reason, all personnel must have contact with these exercises, even those who do not work daily with the system.

Organization is key to not losing data in case of a Ransomware cyber attack, and also to avoid paying criminals to regain access to company information.