What a Robust Data Backup Strategy Looks Like in Practice
Data backups are one of the top security measures that organizations need to recover from a ransomware attack. Nearly a quarter (24%) of respondents in a 2021 survey cited backups of critical data as a “must-have” ransomware defense. This was followed by user awareness training and endpoint/device protection, wrote Threatpost. In another 2021 report covered by Cloudwards, 57% of organizations struck by ransomware revealed that they had recovered their affected information using a backup.
The Essential Elements of a Robust Data Backup Strategy
For this recovery method to work, organizations need to be strategic about how they maintain their data backups. The Cybersecurity and Infrastructure Security Agency (CISA) noted that organizations can start by following the 3-2-1 rule when it comes to backing up their data. The rule states the following:
Keep three copies of any file – Organizations can count their primary data as one copy. But it’s important that they don’t put all their faith in just one backup. They need to have a second backup in case the other copy fails. It’s important to note here as well that you can’t rely on SaaS vendors like Microsoft or Google to automatically back up the data you store with them. In fact, Microsoft’s SLA (Section 6b) specifically recommends third-party backups: “We recommend that you regularly backup your content and data that you store on the services or store using third-party apps and services.”
Keep those files on two media types – Different hazards require different types of backups. For instance, organizations can use an external hard drive to restore their desktops if they need to replace a computer that’s lost or destroyed. Ransomware doesn’t always necessitate this approach; organizations can use the Volume Shadow Copy Service to restore their files after removing the malware from their infected machines.
Store one copy offsite – Data backups don’t just help organizations in the event of a ransomware attack. They also help in other instances of data destruction such as when there’s a fire or other natural disaster. Acknowledging those possibilities, organizations can’t keep their backups in the same place without risking the loss of their data copies. That’s why they might consider backing up their data in the cloud. This will allow them to take daily snapshots of their information and choose a point in time for retrieving the exact data that they want.
Once they have those measures in place, organizations need to follow the advice of Computer Weekly and test the viability of their backups. They can do so by creating backup policies that fit within their wider business continuity and disaster recovery plans as well as their data protection strategy. As part of those policies, organizations need to specify a recovery point objective (RPO) for designating how old the most recent backup can be and a recovery time objective (RTO) for specifying how quickly teams must be able to recover their systems.
Some Important Data Backup Considerations to Keep in Mind
While backups can help them to recover their data, organizations need to keep some considerations in mind. The first is the fact that some ransomware actors have changed their tactics to render a victim’s backups unusable. The UK’s National Cyber Security Centre (NCSC) described in 2020 what it had been seeing:
“We've seen a number of ransomware incidents lately where the victims had backed up their essential data (which is great), but all the backups were online at the time of the incident (not so great). It meant the backups were also encrypted and ransomed together with the rest of the victim's data.”
Second, ransomware attackers are using double extortion to steal a victim’s data before launching their payload’s encryption routine. This use of double extortion doesn’t prevent victims from using their backups to recover their encrypted data. But because backups don’t do anything to remediate instances of data theft, organizations can’t recover completely from a modern ransomware attack using a backup alone.
These concerns highlight the need for organizations to defend themselves against ransomware in the first place. They can do this by using a security solution to protect themselves against email-based attacks, one of the most common delivery vectors for ransomware. Specifically, they should invest in a solution that’s capable of analyzing incoming messages for threat indicators while allowing legitimate correspondence to reach its intended destination.
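The following is an added example, not part of the original article: a Python audit of a backup inventory against the 3-2-1 rule, the RPO, and the NCSC's observation about backups that were all online. The `Copy` fields, the sample inventory, and the rule that the newest offline copy must also meet the RPO are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Copy:
    name: str
    media: str            # e.g. "disk", "tape", "cloud"
    offsite: bool
    online: bool          # reachable from the production network
    primary: bool         # the live data counts as one of the three copies
    last_good: datetime   # last successful, restore-tested run

def audit(copies, rpo, now):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    backups = [c for c in copies if not c.primary]
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies")
    if len({c.media for c in copies}) < 2:
        findings.append("2: all copies on one media type")
    if not any(c.offsite for c in backups):
        findings.append("1: no offsite backup")
    if not backups:
        return findings + ["RPO: no backups at all"]
    newest = max(c.last_good for c in backups)
    if now - newest > rpo:
        findings.append(f"RPO: newest backup is {now - newest} old")
    # Assumption: if online backups are encrypted along with production,
    # the real recovery point is the newest offline copy.
    offline = [c.last_good for c in backups if not c.online]
    if not offline:
        findings.append("offline: every backup is online")
    elif now - max(offline) > rpo:
        findings.append(f"offline: newest offline backup is {now - max(offline)} old")
    return findings

# Constructed sample inventory (names, media and times are illustrative).
NOW = datetime(2024, 1, 10, 12, 0)
RPO = timedelta(hours=24)
SAMPLE = [
    Copy("fileserver", "disk", False, True, True, NOW),
    Copy("nas-nightly", "disk", False, True, False, NOW - timedelta(hours=10)),
    Copy("cloud-snapshot", "cloud", True, True, False, NOW - timedelta(hours=20)),
]
HARDENED = SAMPLE + [
    Copy("tape-weekly", "tape", True, False, False, NOW - timedelta(days=6))]

if __name__ == "__main__":
    for label, inventory in (("sample", SAMPLE), ("with tape", HARDENED)):
        print(label, audit(inventory, RPO, NOW) or "OK")
```

The sample inventory passes 3-2-1 and the RPO yet is still flagged, because every backup is online; adding a weekly tape fixes that but leaves the offline recovery point six days old.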