Why backups alone are not enough


Why backup is good but not enough when it comes to ransomware protection. Even the youngest children seem to know the word ransomware today – it appears with worrying regularity in newspapers, magazines, information security reports, and everywhere else. We could call 2016 the year of ransomware, but compared to 2017 it was not so bad. After a rather quiet 2018 and 2019, ransomware made headlines again in 2020.

  1. use good protection,
  2. never download suspicious files from suspicious websites, never open suspicious attachments in e-mail messages from suspicious senders, and make employees aware of these risks,
  3. back up your data regularly.

Every now and then I hear: with us, the protection and awareness of employees are at a good level. Why bother with strengthening security and training employees when we regularly create backups anyway? So if we are attacked by ransomware, we can restore everything.

It may not be quite that simple.

Backups must work

Backups are of course essential; however, has anyone ever tried to restore a corporate infrastructure from a backup? It may not be that simple – the more computers there are in the company, and the more heterogeneous the infrastructure, the more difficult the task. Seasoned IT professionals have certainly encountered situations where backups were not able to fully restore everything or did not restore everything as expected. Moreover, the process did not go as quickly as the victims would have liked. And sometimes backups don’t work at all.

Anyone who has ever used backups knows that you need to regularly check their integrity, test run the server in a staging environment, and make sure that restoring doesn’t take too long when needed. People who have never tried to restore from a backup should realize that it may not be useful at zero hour.

There is another problem: if the server on which the backups are stored is on the network, the ransomware will encrypt it as well, along with other computers on that network – which means that recovery will be impossible.

Conclusion: Increase your chances of rolling back unwanted changes quickly by segmenting your network, creating sensible backups, and performing test restores.
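A test restore can be automated. The sketch below is an added example, not part of the original article: it restores an archive into a scratch directory, compares every file against a SHA-256 manifest recorded at backup time, and checks the run against a time budget. The tar.gz format, the function names and the sample files are assumptions that stand in for a real backup product and real data.

```python
import hashlib, os, pathlib, tarfile, tempfile, time

def tree_hashes(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            path = pathlib.Path(d, name)
            rel = path.relative_to(root).as_posix()
            out[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return out

def pack(src, dest):  # stand-in for the real backup job (assumption)
    with tarfile.open(dest, "w:gz") as tar:
        for rel in tree_hashes(src):
            tar.add(os.path.join(src, rel), arcname=rel)

def verify_restore(archive, manifest, max_seconds):
    """Restore into a scratch dir, diff against the manifest, time the run."""
    start = time.monotonic()
    # Where extraction filters exist, refuse members that escape the target.
    kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(scratch, **kw)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return {"ok": False, "error": str(exc)}
        restored = tree_hashes(scratch)
    seconds = time.monotonic() - start
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(p for p in restored if p in manifest and manifest[p] != restored[p])
    ok = not missing and not corrupt and seconds <= max_seconds
    return {"ok": ok, "missing": missing, "corrupt": corrupt, "seconds": seconds}

def demo():
    """Constructed data: one good backup, one taken after files were damaged."""
    with tempfile.TemporaryDirectory() as work:
        src = pathlib.Path(work, "data")
        (src / "db").mkdir(parents=True)
        files = {"db/orders.sql": b"INSERT 1;", "hr.csv": b"a,b\n", "notes.txt": b"hi"}
        for rel, body in files.items():
            (src / rel).write_bytes(body)
        manifest = tree_hashes(src)  # recorded at backup time, kept elsewhere
        good, bad = (os.path.join(work, n) for n in ("good.tar.gz", "bad.tar.gz"))
        pack(src, good)
        (src / "hr.csv").write_bytes(b"constructed garbage")  # silent damage
        (src / "notes.txt").unlink()
        pack(src, bad)
        return verify_restore(good, manifest, 60), verify_restore(bad, manifest, 60)
```

The second archive opens and extracts without error, yet the check fails it: a backup job that completes says nothing about whether the data inside is still the data you need.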

Recovery means business downtime – and it costs money

For large companies where there are many different devices and the infrastructure is diversified, a quick recovery is rather unlikely. Even if the backup works properly and you manage to restore everything, it will take a long time to do so.

During these weeks (yes, it will probably take weeks, not days), the business will be suspended. According to some, eliminating the effects of such an incident, and therefore the cost of business downtime, may cost less than fulfilling the demands and paying the ransom (we strongly advise against this). Either way, downtime after a ransomware attack is inevitable; you can’t decrypt and recover all your systems and services just like that, even if the cybercriminals are nice enough to release the decryption tool. In the real world, cybercriminals aren’t nice, and even if they are, the decryption tool might not necessarily work as expected.

Conclusion: To avoid the downtime associated with a ransomware attack, don’t get infected. Invest in adequate protection and raise employee awareness of cybersecurity issues.

Modern ransomware is worse than regular encryption programs

Ransomware gangs that typically target end users demand around $300 in cryptocurrency for decryption. However, they are more likely to conclude that it is far more profitable to target companies, which can pay a much greater amount and are more likely to do so. Some cybercriminals are unscrupulous and even attack medical organizations: many hospitals have been attacked this year, and a company in the coronavirus vaccine supply chain recently suffered an attack.

Today, ransomware not only encrypts, but also stealthily lurks on the network and collects as much data as it can. This data is then analyzed and used to blackmail companies with its encryption, its disclosure, or both. Refusal to pay may also result in the publication of customers' personal data or the company’s trade secrets. And when a company loses its reputation, it may not get it back. In addition, such a leak may cause problems related to, e.g., GDPR.

If an intruder decides to disclose company secrets or users' personal data, backups will be of no use. Moreover, if you keep these copies in places that an outsider can access relatively easily (e.g. in the cloud), they may also provide information that can be used to blackmail you.

Conclusion: Backups are essential, but not enough on their own to protect a business from ransomware.

The three pillars of protection against ransomware

Since there is no gold standard against ransomware, our advice remains the same: backup is essential, but it must be done correctly with due care, and you should try to restore your data every now and then. It’s also worth knowing how often the company backs up its data and where it is stored. All affected employees also need to know the exact instructions on how to get up and running quickly.

Protection is also necessary – not only reactive, but also proactive, which will protect against threats trying to enter the corporate network. Equally important is training employees in the basics of cybersecurity, as well as regularly checking their knowledge.

In conclusion, your protection comes down to three aspects: backup, protection, awareness. They must be used together, because only then can you be sure that you are using the optimal ransomware protection strategy.