Ransomware: Even Backups May Not Save You
When the Colonial Pipeline ransomware attack became public in the first half of 2021, many were surprised that the company paid a ransom of $4.4 million to recover its business systems. After all, it’s unthinkable that a company this large doesn’t have backups in place. According to an article in the Wall Street Journal, however, Colonial’s CEO authorized the $4.4 million payment because the company did not know how deeply the attackers had penetrated its systems, and therefore how long it would take to get the pipeline running again, even with backups available.
Colonial didn’t say much more about why it decided to pay the ransom, but, assuming the company had backup systems in place, there are two possible scenarios. The first is that the backups themselves were affected by the ransomware. This seems unlikely, as a large organization like Colonial probably follows the 3-2-1 rule for backup: three copies of the data, on two different types of storage media, with one copy offsite. It is certainly possible that the backup and production networks still had logical connections that would have allowed the attacker to reach the backups; ransomware operators routinely look for backup servers and delete or encrypt them before triggering encryption on production systems, so this is worth checking rather than assuming. But in general, offsite backups are better protected against this type of attack, and they are often stored in a read-only (immutable) form that malware cannot encrypt or overwrite, provided the backup system uses credentials and network paths that are separate from the production domain.
The importance of recovery time
Recovery time is much more likely to be the issue. Unfortunately, while almost all organizations have some sort of backup system in place, far too many never consider how long a restore will actually take. This is especially true in the case of a large-scale ransomware attack or a disaster that destroys a significant portion of the company’s data.
For a company like Colonial Pipeline, getting the business back up and running as fast as possible was the number one priority. Not only was the company losing millions of dollars in revenue every day, but the closure of the pipeline caused gas shortages throughout the southeastern United States. Colonial’s recovery time objective (RTO) was, in effect, whatever it took to run its business. There is no way to know exactly what happened to the data it needed, but in my experience, restoring enough data for business operations from systems like these in a very large organization can take weeks.
So when faced with the choice between paying a ransom and recovering data more slowly from its own backups, the cost of the additional downtime is by far the larger loss. In that situation, paying the ransom is an obvious financial decision. However, paying a ransom raises a number of legal and ethical questions that companies should discuss with their boards and ethics committees, and a decryptor supplied by the attacker may be slow or unreliable, so paying does not remove the need for a working restore plan.
Different technologies for different workloads
To avoid having to pay a ransom, organizations should think about backup and disaster recovery (DR) from a recovery perspective. Everyone wants to get back online as soon as possible, but demanding an RTO of a few minutes or hours for every piece of data in the organization is very expensive. It is important to rank data and applications by their importance to the business, understand the business’s tolerance for downtime for each workload, and then match those tolerances to the right solution.
Immediate Full Recovery:
This requires a synchronous hot site, which is by far the most expensive approach, but if ransomware hits, the company experiences at most a slight setback in its operations. A good example is a museum whose HVAC control systems, if taken offline, could lead to the destruction of priceless works of art. One caveat: synchronous replication copies whatever the primary writes, encrypted files included, so a hot site protects against site loss but must be paired with point-in-time snapshots or immutable copies in order to roll back a ransomware event.
Continuous data protection:
Backup vendors and Backup as a Service (BaaS) providers offer continuous data protection solutions that deliver RTOs of seconds to minutes. They are less expensive than asynchronous hot sites but more expensive than a traditional backup system. For this category, think of a comprehensive just-in-time supply chain system: if it goes offline, a truck or ship can wait a few minutes before leaving with its load without causing significant damage.
Traditional backup:
There is a wide range of RTOs and prices here, depending on the architecture of the solution and whether you are working with a managed service provider. RTOs can range from less than an hour to a few days, or even weeks if the system is not well designed. It is necessary to test the system to ensure it actually provides the required RTO for each tier of workload. A business application that processes weekly batches of information can stay offline for hours or even days without significant effect.
Tape backup:
This is the cheapest approach, but it can take hours to recover even a relatively small amount of data, and days if the tapes are stored offsite, so it is not suitable for large-scale recovery. However, tape is ideal for storing data for compliance and legal purposes. Most companies have data they are required by law to retain for seven, 10, 20 years or more, where the only goal is to be able to recover it at all, not to recover it quickly. Offline tape also has a security benefit: a cartridge sitting on a shelf cannot be reached by network-borne malware.
Finally, as businesses review their backup and disaster recovery strategies to ensure they can meet their RTOs and keep functioning in the face of ransomware or other disasters, they should not neglect regular testing. IT infrastructure is constantly evolving. Businesses need to make sure they have accounted for IT dependencies so that workloads are recovered in the right order (for example, directory services and DNS before the applications that authenticate through them) and everything runs smoothly, and they need to make sure new applications and data are protected with the RTOs they require.
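The two points above, matching each workload tier to a tested RTO and restoring workloads in dependency order, can be checked mechanically. The following is an added example, not code from the original article: a small Python planner over a constructed workload inventory (all workload names, RTOs, restore durations and dependencies are hypothetical) that orders restores so dependencies come up first, computes when each workload is actually usable, and flags those that miss their RTO.

```python
"""Recovery-order and RTO check for a DR plan (added example, not from the article).

Each workload carries its business downtime tolerance (RTO), the restore
duration measured in the last restore test, and the workloads it depends on.
The planner orders restores so dependencies come up first, computes when each
workload is really back (its own restore time after its slowest dependency),
and flags anything that misses its RTO. The inventory below is constructed.
"""
from dataclasses import dataclass
from graphlib import TopologicalSorter  # standard library, Python 3.9+


@dataclass
class Workload:
    name: str
    rto_min: int            # business tolerance for downtime, in minutes
    restore_min: int        # measured duration of the last restore test, in minutes
    depends_on: tuple = ()  # workloads that must be up before this one is usable


# Constructed inventory loosely following the article's tiers (hypothetical names).
INVENTORY = [
    Workload("identity",     rto_min=15,    restore_min=10),                                 # hot site tier
    Workload("dns",          rto_min=15,    restore_min=5),
    Workload("scheduling",   rto_min=30,    restore_min=8,   depends_on=("identity", "dns")),  # CDP tier
    Workload("erp",          rto_min=240,   restore_min=180, depends_on=("identity", "dns")),  # traditional backup
    Workload("billing",      rto_min=240,   restore_min=90,  depends_on=("erp",)),
    Workload("weekly_batch", rto_min=2880,  restore_min=600, depends_on=("erp",)),
    Workload("archive",      rto_min=43200, restore_min=4320),                               # tape, days is fine
]


def recovery_plan(inventory):
    """Return (order, ready_at, misses).

    order    - workload names in a dependency-safe restore sequence
    ready_at - name -> minute at which the workload is usable, assuming each
               restore starts as soon as all of its dependencies are up and
               restores run in parallel (a dedicated restore team per workload)
    misses   - [(name, ready_at, rto)] for workloads that exceed their RTO
    """
    by_name = {w.name: w for w in inventory}
    graph = {w.name: set(w.depends_on) for w in inventory}

    # Refuse to plan around dependencies nobody declared a restore for.
    unknown = {d for deps in graph.values() for d in deps} - set(by_name)
    if unknown:
        raise ValueError(f"undeclared dependencies: {sorted(unknown)}")

    # Predecessors first; raises graphlib.CycleError on circular dependencies.
    order = list(TopologicalSorter(graph).static_order())

    ready_at, misses = {}, []
    for name in order:
        w = by_name[name]
        # Critical path: cannot start until the slowest dependency is back.
        start = max((ready_at[d] for d in w.depends_on), default=0)
        ready_at[name] = start + w.restore_min
        if ready_at[name] > w.rto_min:
            misses.append((name, ready_at[name], w.rto_min))
    return order, ready_at, misses


if __name__ == "__main__":
    order, ready_at, misses = recovery_plan(INVENTORY)
    for name in order:
        print(f"{name:13s} usable at {ready_at[name]:5d} min")
    for name, actual, rto in misses:
        print(f"RTO MISS: {name} usable at {actual} min, tolerance {rto} min")
```

Note that `billing` restores in 90 minutes on its own, well inside its 4-hour RTO, yet it is flagged: it cannot be used until `erp` is back, and `erp` itself takes 3 hours after identity is restored. That is exactly the kind of dependency a standalone restore test never reveals, which is why the order and the cumulative time, not the individual restore durations, are what to measure in a DR exercise.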
Doing this in-house requires disaster recovery experts who can recommend the right balance of protection and expense for each workload. That is a lot to expect from IT staff who deal with disaster issues only occasionally. Additionally, when you factor in the time spent on ongoing management, organizations may find that the do-it-yourself approach is more expensive than using a Managed Service Provider (MSP).
No matter how an organization approaches backup and disaster recovery, it can’t take the attitude that if the backup exists, we’ve got you covered. Backups that cannot be restored in time are only slightly better than having no backup at all.