One of the biggest falsehoods of cyber security is that it is an IT problem. Any cyber breach, whether caused by ransomware or another attack type, is a business continuity issue, says Edwin Weijdema.
In the industry we say there are two types of business: those who have been hacked and those who don’t know they’ve been hacked. Given the inevitability of ransomware striking, organizations must design for recovery. While IT is a fundamental part of this, a business continuity plan brings in elements beyond restoring data and applications. These can also be critical factors in whether your strategy will be successful or not.
Rather than looking at technology as the end game when it comes to cyber security success or failure, we must view it in the context of a broader business continuity strategy. There are lots of things that must happen before and after the point where we use anti-virus and firewall solutions to identify and repel attacks, or backup and recovery solutions to restore data. The first is setting out a clear policy of how the organization will respond in the event of a cyber breach. This involves rigorously testing the decision-making capabilities of your business leaders to ensure they are prepared to lead the company through such an event. Wargaming worst-case scenarios and creating a best practice playbook of how to respond, communicate, and move forward from a cyber security event can stand the business in good stead.
Given that the Veeam Data Protection Trends Report 2022 shows that over three in four organizations have suffered ransomware attacks in the past 12 months, it is striking that cyber breaches still appear to come as a surprise or catch companies off guard. While this is not an everyday scenario for an individual business, cyber breaches happen every day. So, before it happens to you, have a strategy in place with clear rules, roles, and responsibilities. Never pay the ransom. This should be discounted as an option before an attack has been conceived. Map out the steps that will be taken to remediate and restore. What applications do we need to get back online first? What is the most critical data to restore first? What information do we need before we can communicate to each set of stakeholders – employees, customers, partners, shareholders, media? Who are the key people within the business who need to be informed of the breach, and are they aware of the roles they must play? Is there an official document that outlines the steps to recovery and includes the contact details of people who will be involved in the process? Business continuity is a business challenge, not a technology challenge.
Developing an integrated security architecture
Technology is not an island and must not be viewed as the sole protector of a business against ransomware. It is, however, important that you get your technology strategy right. This starts with your employees and providing everybody in the business with the best practice guidelines to identify potential attacks and implement impeccable digital hygiene. Testing employees to see how they react to phishing links and emails is a good way to land the message that cyber attacks are often ushered into the business through the back door and do not always need to be incredible technological feats. This stage is about ensuring your first line of defense is as solid as it can possibly be.
When all else fails, modern ransomware protection requires an integrated security architecture from endpoints to network and cloud to detect, correlate, and remediate attacks. Saying ‘restore from backup’ oversimplifies the process and leads to assumptions about backup and recovery capabilities that often prove false, leading to data loss. To avoid the worst-case scenario, having a plan in place that includes verified, tested, and secure backups that can be restored quickly is key to dealing with ransomware attacks. Your backup infrastructure is part of your overall cyber resilience and can be the final option for getting back to, or staying in, business. Verified and tested backups are the first step to any successful recovery. Organizations should follow the 3-2-1-1-0 rule, which recommends that there should be at least three copies of important data, on at least two different types of media, with at least one of these copies being off site, and one offline, air-gapped, or immutable, with zero incomplete backups or errors.
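The 3-2-1-1-0 rule above can be checked mechanically against a backup inventory. The following Python sketch is an added example, not part of the original article or any Veeam product; the `BackupCopy` fields, the sample inventories, and the choices to count the production data as one of the three copies and to treat a never-verified backup as failing the "0" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    media: str                    # e.g. "disk", "tape", "object-storage"
    offsite: bool
    isolated: bool                # offline, air-gapped, or immutable
    verify_errors: Optional[int]  # errors in last restore test; None = never tested

def check_32110(production_media, copies):
    """Evaluate each part of 3-2-1-1-0 and return {rule: passed}.

    Assumption: the production data counts as one of the three copies.
    Assumption: an untested backup (verify_errors is None) fails the "0".
    """
    media = {production_media} | {c.media for c in copies}
    return {
        "3_copies": 1 + len(copies) >= 3,
        "2_media": len(media) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_isolated": any(c.isolated for c in copies),
        "0_errors": bool(copies) and all(c.verify_errors == 0 for c in copies),
    }

def gaps(report):
    """List the rules that are not met, in rule order."""
    return [rule for rule, passed in report.items() if not passed]

# Constructed sample inventories (not real data).
SAMPLE_WEAK = [BackupCopy("nas-nightly", "disk", False, False, 0)]
SAMPLE_GOOD = [
    BackupCopy("nas-nightly", "disk", False, False, 0),
    BackupCopy("cloud-weekly", "object-storage", True, True, 0),
]

if __name__ == "__main__":
    for label, inv in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(label, gaps(check_32110("disk", inv)) or "meets 3-2-1-1-0")
```

Feeding the check from the results of scheduled restore tests, rather than from backup job status alone, keeps the "0" tied to verified recoverability.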
Investing in a robust backup and recovery strategy is a critical component of a modern data protection strategy. Businesses must ensure that they have the technical capabilities to identify, mitigate, and remediate ransomware attacks. The buck does not stop with technology, though. Business continuity is the responsibility of the entire business and its leadership team. With cyber attacks posing a significant threat to business continuity, organizations must be meticulous in their preparation for such malicious incidents. This spans having a detailed action plan, clear roles and responsibilities, and the tools required not only to prevent ransomware attacks from landing but also to deal with them should the inevitable happen.
Edwin Weijdema, Global Technologist, Veeam.