What do backups have to do with cybersecurity?
BOXX knows the importance of a well-managed backup and recovery solution first-hand. Recent claims have shown that data backups are an important part of cyber risk management. That’s why some Cyberboxx memberships come with fully-managed data backup and recovery services, in addition to cyber and data insurance.
Not sure what backups have to do with cybersecurity? Read two real-life recovery stories below, and see for yourself.
Scenario 1: An employee clicked on a malicious link and a virus was downloaded onto the company server, encrypting all information. A message appeared on the employee’s computer demanding payment in Bitcoin within the next 48 hours in exchange for the decryption key. The company called the Hackbusters to assess the validity of the threat. The problem: the hackers had also compromised the company’s backups, since they were not separately managed or segregated. With the backups compromised, the company was forced to pay the ransom, and it was unable to do business for over 48 hours.
Scenario 2: The second company faced a similar scenario, and also called the Hackbusters in their time of need. Within an hour, the Hackbusters team was in consultation with executives to find out what was locked and encrypted. Since the company had multiple, separated backups, the Hackbusters were able to remove the infected files and systems from the network and restore data from clean backups. This meant that the company did not have to pay the ransom. With a recovery solution in place, they saved considerable time and money.
What kind of backup do I need?
Small businesses should have a backup that is kept disconnected from their systems. This typically takes the form of an external hard drive. As long as the backup is disconnected at the time of an attack, it should be safe from encryption.
It’s easy to poke holes through clouds: today’s ransomware strains are very good at gaining access to and encrypting cloud-based backups. Remember, if the backup is connected to the main system, as the cloud always is, it is vulnerable.
Some cloud-based backup products save multiple versions of files. Thus, even if the encrypted versions of files are automatically synced to the cloud following the attack, you will in theory be able to restore previous unencrypted versions of files.
However, hackers know this and have begun to make ransomware variants that delete the previously saved versions of files. Hence, the only truly effective backup is one that is disconnected from the main system.
For the most effective resiliency, large businesses should have multiple types of backups in place. Generally recommended is the 3–2–1 backup strategy: organizations should keep three backups, on two different storage media, with one being disconnected.
To demonstrate this, let’s use the example of a hypothetical company that relies on a primary data centre in New York to host most of its critical data and systems. Every 15 minutes, an automatic backup is made of the data to a second data centre located in Toronto. The storage medium used in both of these data centres is good old-fashioned hard disks.
If data centre A fails, the business can switch its operations over to data centre B and only lose a maximum of 15 minutes of data.
Active-active systems versus active-passive systems
In the above example the set-up is referred to as an active-active system, as both data centres are constantly connected and up and running. Active-active systems are highly effective at mitigating the risk of system failure or physical events, especially for businesses that are heavily reliant on uptime to generate revenue.
However, they aren’t effective when it comes to ransomware. If a ransomware attack took the New York data centre down, it would simply spread to the Toronto data centre within 15 minutes.
For this reason, it is important to also have offline (or active-passive) systems in place. In a backup context, this means that the backup is not connected to the main network and therefore protected from the ransomware. Ideally this should take the form of multiple tape backups. This may seem archaic, but tape drives continue to be used because they are relatively cheap and easy to maintain.
As a minimum standard, we expect larger insureds to make tape backups of their entire system at least once a week – a version of which should be stored in a separate physical location. In addition, we also look for our insureds to make daily tape backups of any new or modified files. Combined with the weekly full system backups, this helps to minimize the time required to restore full operations.
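To make the weekly full / daily modified-files plan concrete, here is an added Python illustration. It is not BOXX’s code and not the behaviour of any particular backup product: it is a small model in which a full set contains every file, each daily set contains only the files whose content changed since the previous set (plus the names of files that were removed), and a restore replays the full set followed by each daily set in order. The directory names, the manifest format and the sample files in the demo are all assumptions made for the example.

```python
"""Weekly full set plus daily sets of new or modified files.

Added illustration; not BOXX's code and not any particular backup product.
Files are compared by SHA-256 rather than timestamp, so a daily set holds
exactly the files whose content changed since the previous set, plus the
names of files that were removed. A restore replays the full set and then
each daily set in order.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def tree_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _copy_files(src, dest, names):
    """Copy the named files from src into dest/data, keeping their relative paths."""
    for name in names:
        target = Path(dest) / "data" / name
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(src) / name, target)


def full_backup(src, dest):
    """Weekly set: every file, plus a manifest of their hashes (assumed layout)."""
    manifest = tree_manifest(src)
    Path(dest).mkdir(parents=True, exist_ok=True)
    _copy_files(src, dest, manifest)
    (Path(dest) / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def incremental_backup(src, dest, prev_manifest):
    """Daily set: only files whose hash is new or changed since prev_manifest,
    plus the list of files that disappeared. Returns the updated manifest."""
    current = tree_manifest(src)
    changed = [n for n, h in current.items() if prev_manifest.get(n) != h]
    deleted = [n for n in prev_manifest if n not in current]
    Path(dest).mkdir(parents=True, exist_ok=True)
    _copy_files(src, dest, changed)
    (Path(dest) / "manifest.json").write_text(json.dumps(current, sort_keys=True))
    (Path(dest) / "deleted.json").write_text(json.dumps(sorted(deleted)))
    return current


def restore(full_dir, incremental_dirs, target):
    """Replay the weekly full set, then each daily set in date order.
    Returns the manifest of the restored tree so it can be compared."""
    target = Path(target)
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(Path(full_dir) / "data", target)
    for inc in incremental_dirs:
        inc = Path(inc)
        data = inc / "data"
        if data.exists():  # a day with no changed files has no data directory
            shutil.copytree(data, target, dirs_exist_ok=True)
        for name in json.loads((inc / "deleted.json").read_text()):
            (target / name).unlink(missing_ok=True)
    return tree_manifest(target)


def demo():
    """Constructed scenario: Sunday full set, Monday and Tuesday daily sets, then a restore."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src = base / "fileserver"
    (src / "finance").mkdir(parents=True)
    (src / "finance" / "ledger.csv").write_text("2024-01-01,100\n")
    (src / "readme.txt").write_text("hello\n")
    (src / "old.txt").write_text("stale\n")

    m0 = full_backup(src, base / "sun_full")
    # Monday: one file edited, one removed
    (src / "finance" / "ledger.csv").write_text("2024-01-01,100\n2024-01-02,250\n")
    (src / "old.txt").unlink()
    m1 = incremental_backup(src, base / "mon_inc", m0)
    # Tuesday: a new file appears
    (src / "notes.md").write_text("# plan\n")
    incremental_backup(src, base / "tue_inc", m1)

    restored = restore(base / "sun_full", [base / "mon_inc", base / "tue_inc"], base / "restore")
    return {
        "monday_files_copied": sorted(tree_manifest(base / "mon_inc" / "data")),
        "tuesday_files_copied": sorted(tree_manifest(base / "tue_inc" / "data")),
        "restore_matches_live": restored == tree_manifest(src),
        "restored_files": sorted(restored),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The demo shows why the daily sets stay small (Monday copies one changed file, Tuesday one new file) and why restore order matters: the daily sets only make sense on top of the full set they were taken against, so each weekly full set and its following daily sets need to be kept together, including the copy stored at the separate physical location.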
The importance of offsite backups
In 2018, a website hosting company with about 20 million in revenue suffered a cyber incident when an ex-IT administrator, who had managed to maintain access to the systems, decided to delete everything. His knowledge of the company’s systems allowed him to access and delete all the company’s backups that were connected to the company’s computer systems.
Overall, the losses from this incident were well over two million dollars. Had the insured had some type of offline backup (ideally stored remotely), the loss would have been much smaller.
Practice makes perfect
Backups are difficult to do properly. Generally, the only way to know if they work is to test them. An untested backup solution should be seen as fallible. In addition, testing backups will give the internal IT team the know-how to restore operations from backup faster if an incident occurs.
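An added example of what testing a backup can look like in practice (example code written for this article, not BOXX’s own tooling): a restore drill that extracts a backup archive into a scratch location and checks every restored file against a hash manifest recorded at backup time. The same drill also covers the situation described under “What kind of backup do I need?”, where encrypted copies of files get synced over a connected backup: if the manifest is kept on a different medium from the archive, the drill reports those files as corrupted instead of the team discovering it during a real recovery. The archive layout, manifest format and sample files are assumptions made for the example.

```python
"""Restore drill for an offline backup archive.

Added illustration, not BOXX's code. The archive is a plain .tar.gz such as
one written to an external drive; the manifest of SHA-256 hashes is recorded
at backup time and assumed to be kept on a different medium. The drill
restores into a scratch directory and checks that every file came back
intact, which is the only way to know the backup actually works.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, archive, manifest_path):
    """Write src as a .tar.gz and a separate manifest of relative path -> hash."""
    src = Path(src)
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(manifest_path).write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def restore_drill(archive, manifest_path, scratch=None):
    """Extract the archive into a scratch dir and compare every file to the manifest.
    Returns a report: which files restored intact, which differ, which are missing."""
    expected = json.loads(Path(manifest_path).read_text())
    scratch = Path(scratch or tempfile.mkdtemp(prefix="restore-drill-"))
    started = time.perf_counter()
    with tarfile.open(str(archive), "r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        for m in members:  # never let an archive write outside the scratch dir
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError(f"refusing unsafe member path {m.name!r}")
        tar.extractall(scratch, members=members)
    restored = {
        p.relative_to(scratch).as_posix(): sha256_file(p)
        for p in scratch.rglob("*")
        if p.is_file()
    }
    report = {
        "ok": sorted(n for n, h in expected.items() if restored.get(n) == h),
        "corrupted": sorted(n for n, h in expected.items() if n in restored and restored[n] != h),
        "missing": sorted(n for n in expected if n not in restored),
        "unexpected": sorted(n for n in restored if n not in expected),
        "seconds": round(time.perf_counter() - started, 3),  # rough restore-time figure
    }
    report["usable"] = not (report["corrupted"] or report["missing"])
    return report


def demo():
    """Constructed scenario: a clean drill, then a drill on a backup whose files
    were overwritten with opaque bytes (as an encrypting strain syncing into a
    connected backup would leave them) while the separately kept manifest still
    describes the originals."""
    base = Path(tempfile.mkdtemp(prefix="drill-demo-"))
    src = base / "share"
    (src / "hr").mkdir(parents=True)
    (src / "hr" / "payroll.csv").write_bytes(b"name,amount\nalice,100\n")
    (src / "contract.docx").write_bytes(b"PK\x03\x04 pretend docx")
    make_backup(src, base / "weekly.tar.gz", base / "weekly.manifest.json")
    clean = restore_drill(base / "weekly.tar.gz", base / "weekly.manifest.json")

    # The live share is overwritten and re-synced to a connected backup copy;
    # the manifest that was stored offline does not change.
    (src / "hr" / "payroll.csv").write_bytes(os.urandom(64))
    make_backup(src, base / "synced.tar.gz", base / "synced.manifest.json")
    damaged = restore_drill(base / "synced.tar.gz", base / "weekly.manifest.json")
    return clean, damaged


if __name__ == "__main__":
    for name, report in zip(("clean", "damaged"), demo()):
        print(name, json.dumps(report, indent=2))
```

Two design points worth noting. The drill restores into a throwaway directory, never over the live system, so it can be run on a schedule without risk; and it records how long the restore took, which gives the IT team a real number for how quickly operations could be brought back rather than a guess.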
How do you know if you have good backups?
Understanding backups can be hard. Regardless of the size of your business, as an owner, executive, or risk manager it is important for you to have a good grasp of your backup strategy. The following questions are meant to help you get the information you need from your internal IT team – or from an external IT provider if you rely on one.
For small businesses:
• Do we take backups of all of our critical data and systems on at least a weekly basis?
• Is the backup disconnected from our systems and regularly tested?
For large businesses:
• Can we describe our backup strategy?
• Does our backup strategy protect us against a ransomware attack?
• When was the last time our backups were tested?
*The overview provided here is for educational purposes only. This overview is not intended to be and should not be taken as providing any professional advice and should not be relied upon or used by you as the basis for making decisions. The cyber threat is continually evolving, and therefore we would strongly recommend that additional advice is taken before making decisions in relation to the right backups for your business.