Matching The Layers Of Your Data To A Layered Ransomware Response 

Everyone is rightfully concerned about ransomware these days. A coordinated attack has the potential to completely take your business out from underneath you. 

“Being attacked is a sign that you are important enough to become a target.” 

Robert Greene, American Author  

The Importance of a Ransomware Plan

I have talked to dozens of companies over the past few years, and the subject of “writing a ransomware plan” has come up more times than I could easily count.  Companies are always concerned about how they are going to prepare for a ransomware attack, but the key thing they should be worried about is how they are going to recover from an attack when it occurs. 

 It is key to remember that ransomware attacks are separate and distinct from other types of cyber incidents. If someone attacks your company with an old school DDoS attack and takes your customer facing web page offline, then that is certainly an issue you need to work around but it is not something that can go through and fundamentally destroy core assets of your business like a ransomware attack can. If you want to ensure the survival of your business post-incident, you need to have recovery plans in place. 

“Ransomware is unique among Cybercrime because in order for the attack to be successful, it requires the victim to become a willing accomplice after the fact.” 

James Scott, Sr. fellow, Institute for Critical Infrastructure Technology 

Some companies have policies that say they are going to make payment if a ransomware attack occurs, but that is not a panacea. Studies have shown that while most companies do eventually recover their data, those that pay the ransom typically pay about $1 Million more to get their data recovered. Decryption, even if they do get a provided key from the attackers after paying, is often slow and takes systems offline for an exceptionally long time. If you want your company to be able to recover from the incident, you need to set the standard of recovering to a pre-incident level of capability. The only way that you can do that is to have trustworthy backup data sets and underlying infrastructure. 

Data Storage and Immutable Backups

The “gold standard” for trustworthy backup data sets are data backup methodologies where backup copies are saved in an immutable manner. One of the most common things ransomware attackers will do to force companies to pay the ransom is to make a concerted effort to corrupt existing backup copies at companies they attack. If companies do not have good data to fall back on, they are forced to rely on their attackers to help them recover the business. Immutable backups, however, are created and stored so that they cannot be corrupted by an attacker. Therefore, making sure that your critical data is stored in an immutable manner should be an essential part of your backup strategy. 

Unfortunately, storing large volumes of data in isolated, immutable storage can get extremely expensive. Recovering large volumes of data from that isolated immutable storage can also be an incredibly time-consuming process, depending on the specifics of the data restoration efforts.  While it would be nice to be able to store everything at high-speed immutable volumes that are instantaneously accessible, the costs of building that sort of infrastructure are out of the reach of most companies. 

Therefore, most companies (particularly small and mid-sized companies) tend to leverage multiple storage mediums and storage locations as a part of their overall data backup environment. It is common to have data stored on premises and sent to cloud, even utilizing multiple cloud vendors. It is also entirely possible that companies may have multiple copies of their data in multiple environments, such as immutable local snapshots, isolated vault copies, and immutable local file backups. 

With this tremendous diversity in backup formats, locations, and performance levels, companies are effectively using a multilayered approach for handling their backups. Unfortunately, in most cases, this multilayered approach has come about out of happenstance or budgetary necessity rather than it being part of a grander plan to meet the recovery needs of the enterprise. 

A Multilayered Ransomware Response

We do recommend a multilayered approach in planning out your recovery environment, particularly in planning for the recovery of a ransomware event. However, the key factor in designing that multilayered recovery scheme is to make sure that the performance capabilities of each different back-up environment is suited to the business requirements for the data. You need to make sure that your recovery strategies, when executed, can meet the appropriate recovery time objectives (RTO’s) and recovery point objectives (RPO’s) for the business. The resumption of critical business services is completely dependent on correctly prioritizing the importance of data within backups and matching your recovery strategy to the data needs of those critical business services. 

“Everyone has different layers to who they are.” 

Carmen Electra 

If this sounds confusing, or if you just need help assessing what the best practices would be for the particulars of your backup environment, Sayers is here to help. We have a team of experts available to assess the needs of your individual environment and help make sure that your company can depend upon your data backups when they are needed.