Updating your IT disaster recovery strategies to address the ransomware threat

Published: Friday, 09 July 2021 07:58

IT disaster recovery strategies that were previously seen as good practice are not keeping up with the rapid development of ransomware threats. Richard Massey explains why and describes additional steps that organizations should be taking.

We are constantly reminded of the rising threat posed by cybercrime to our livelihoods, our businesses, and our way of living. Businesses around the world are under constant bombardment from threat actors whose sole purpose and objective is to penetrate defence systems, cripple them and access critical data for ransom. And there’s no sign of these incidents diminishing any time soon.

Now, the vast majority of European law enforcement officials continue to view ransomware as the greatest criminal threat to European public and private organisations. According to a Europol report, these incidents have been widely under-reported. Despite warnings from many public and private sector experts, why have so many companies failed to implement well-built and reliable solutions to mitigate the damaging impact that ransomware can cause to their business?

In part, this is because an effective ransomware recovery plan requires a certain degree of preparation and foresight. It’s not quite as simple as establishing a company's ‘read-only’ backup – despite these solutions being hailed as the catch-all solution for ransomware. In today’s competitive market landscape, where customers are increasingly unforgiving, businesses are assessed not just based on their ability to recover from attacks, but on the speed at which they are able to do so.

An Arcserve study last year demonstrated this, finding that over a third of consumers would take their business to a competitor if they were unable to access their account or make a purchase within 24 hours following an attack. If the company couldn’t restore its system within three days, the number rose to 66 percent. Thus, it’s almost meaningless to have only read-only backups, because even though cybercriminals can’t do a great deal with these, neither can you. So, if you want to learn what the best and quickest systems recovery strategies are, here’s what you need to know…

Start with the basics: immutable storage

For any organization concerned about the growing threat of ransomware, immutable storage should be a priority when selecting a solution that protects business critical data and ensures business continuity. Immutable backup solutions offer a fixed, unchangeable data backup, meaning that once the data has been stored on the solution, there’s no altering or deleting it.

When backing up data, organizations must follow the 3-2-1-1 rule. According to this principle, along with the original data that has been produced, there should be two additional copies stored, making three copies in total. These need to be stored on two separate types of media, and one of those copies should be stored at an offsite location. In addition, one of these copies should be stored on an immutable storage solution, whether on-premise or cloud-based.

In theory, these rules should enable data to be stored securely for a long period of time. If the worst happens and systems are encrypted by ransomware and data is stolen, following them will allow a quick and seamless recovery.

Why a hybrid on-premise storage solution is key

Even if not following the 3-2-1-1 rule to the letter, organizations that are focused on the speed and quality of recovery must at the very least not rely solely on the public cloud for their backup. Although the public cloud offers several advantages, such as flexibility and scalability, it is difficult to achieve optimum recovery speeds without an on-premise solution – especially for the most damaging and costly ransomware attacks. These incidents typically require several terabytes of data to be recovered. Fully extracting data from the public cloud also requires that your environment is already restored or recreated after a ransomware attack, which is not always the case.

This shouldn’t be taken as “you can rely entirely on on-premise backups”. For most businesses, a hybrid model is the best approach to take. Following a comprehensive audit and determining your recovery point objectives (RPOs) and recovery time objectives (RTOs), you can select the data that is most critical to the business and requires the greatest protection, such as confidential client information. You can then ensure the most important data is continuously backed up onto the on-premise solution. The less vital data can then be stored in the cloud at a lower cost. A hybrid cloud infrastructure which takes advantage of an on-premise backup solution offers a rapid system recovery following a ransomware attack.

Take a combined approach to cyber security and data protection

Emphasis should be put on a multi-layered approach to data protection. A proactive cyber security capability combined with a backup system distributed between on-premise and cloud solutions can prevent a successful attack, and also offers various recovery options should the worst happen. In an ideal world, this would mean implementing a state-of-the-art cyber security capability that can detect both known and unknown threats.

Today’s hackers are making this particularly difficult by using advanced attack techniques, such as the EKANS ransomware, which has relentlessly targeted manufacturers. This strain goes after a company’s data backups with the same hostility as its primary systems. With this in mind, backups need to be treated as a form of critical infrastructure and secured with the same high level of cyber security mechanisms. In response to this increasingly sophisticated threat landscape, many companies are now opting to shell out for the best cyber security and data protection providers with the most expensive solutions. The better approach is to seek a solution that is all-encompassing and can be implemented with minimum human intervention. This will offer increased protection and visibility in identifying threats and continuing day-to-day activities.

In addition, having a proactive cyber security solution that also protects the backup system and its data from compromise will help mitigate the damaging impact of ransomware. It’s critical to have a solution that can continuously scan backup images for malicious code, so that organizations don’t unknowingly back up ransomware and restore it along with their data.

Overall, businesses should follow the 3-2-1-1 rule and air-gap best practice. A multi-layered approach which implements both a world-class cyber security solution and on-premise backup – as well as treating backups as part of critical infrastructure – offers the superior approach to defending against ransomware and ensuring business continuity.

The author

Richard Massey is VP of Sales, EMEA, at Arcserve.