Why backups aren’t enough

Even newborn babies seem to know the word ransomware these days — it appears in newspapers, magazines, infosec reports, and pretty much everywhere else with alarming regularity. And we may have dubbed 2016 the Year of Ransomware, but it turned out to be nothing in comparison with 2017. After a relatively quiet 2018 and 2019, 2020 saw ransomware again making headlines.

Our corporate blog contains dozens of articles about ransomware, almost all of which offer three general tips:

  1. Use good protection.
  2. Never download suspicious files from suspicious sites or open suspicious attachments in e-mails from suspicious people, and teach your employees to do the same.
  3. Back up data regularly.

From time to time, I hear objections of the following nature: Protection and employee awareness are all well and good, but why bother strengthening protection and training employees when we can just back everything up regularly? We back up all the time anyway, and if we get hit by ransomware, we’ll just restore everything, so what’s the big deal?

Here’s the big deal.

Backups have to be recoverable

Backups are, of course, necessary. But did you ever try restoring your company’s infrastructure from a backup? It might not be as easy as it sounds — and the more computers and infrastructure heterogeneity you have, the more difficult the task becomes. Experienced IT pros have all probably faced a backup not quite restoring everything, or not restoring everything quite as expected. The process is certainly never as quick as they hope. And sometimes backups don’t work at all.

Anyone who’s ever stepped on the proverbial backup rake knows they have to check the integrity of backups regularly, to do some practice runs resurrecting the server in a staging environment, and generally to make sure that if it becomes necessary, recovery won’t take too long. And those who’ve never tried to execute recovery from a backup should really not rest easy; their backups are unlikely to help when the heat is on.

Here’s another problem with relying on a backup: If the backup server lives inside the network perimeter, then ransomware will encrypt it along with all other computers in the network, which means a farewell to recovery plans.

Your bottom line: Maximize your likelihood of a quick rollback by segmenting the network, making backups wisely, and performing test recoveries.

Recovery means downtime — and downtime is expensive

For large companies with diverse devices and infrastructure, a quick recovery is unlikely. Even if the backup functions perfectly, and you sweat blood to restore everything, it will still take quite a while.

During those weeks (yes, we’re probably talking about weeks, not days), the company will be idle. Some will guesstimate the cost of such downtime as less than that of paying the ransomers (we strongly advise against that). In any case, downtime after a ransomware attack is unavoidable; it’s impossible to decrypt and get all systems and services running again straight away, even if the cybercriminals are kind enough to provide you with a decryptor. n the real world, cybercriminals aren’t kind, and even if they are, the decryptor doesn’t necessarily work as intended.” Is that OK

Your bottom line: To avoid ransomware-related downtime, don’t get infected by ransomware. (But how? The answer is protection and employee awareness!)

Modern ransomware is worse than just encryptors

Ransomware gangs used to target mainly end users, demanding about $300 in cryptocurrency for decryption. However, they have now discovered the joy of attacking companies, which can pay — and are more likely to pay — much larger ransoms. And some of those cybercriminals have no scruples about going after organizations on the medical front line: This year has seen many hospitals attacked, and recently a company in the coronavirus vaccine supply chain was hit.

Modern ransomware does more than encrypt — it lurks in networks and siphons off every bit of data it can sniff out. The data is then analyzed and used to blackmail companies with encryption, leaks, or both. Failure to pay, the ransom message might say, will result in the publication of clients’ personal data or the company’s trade secrets. Even if not fatal, that would stain the company’s reputation, perhaps permanently. As well, such a leak will result in some very unpleasant conversations with GDPR compliance regulators and the like.

If an intruder decides to leak corporate secrets or users’ personal data, having backups won’t help you. Furthermore, if you store backups in a place, such as a cloud, that’s relatively easily reached by an insider, they too could provide attackers with the information they need to blackmail you.

Your bottom line: Backups are necessary, but they alone are not enough to protect your business from ransomware.

Three pillars of security against ransomware

Once again, because there is no silver bullet against ransomware, our advice remains the same: Backing up is absolutely necessary but must be done correctly, with diligence and recovery rehearsals. Part of that diligence is knowing the details of your backups: how often your company backs up its data and where the backups are stored. All relevant employees must also know exactly how to restart operations quickly.

Protection is also a must — not just reactive but proactive protection that keeps threats from gaining a foothold in the network. Training employees in the basics of cybersecurity, and regularly checking their knowledge, is no less vital.

In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you’re employing optimal antiransomware security strategy.