NZ Incident Response Bulletin – February 2023

Our Views:

The importance of backups

If you lost all of your data today, what would be the cost to start over again?

With ransomware-as-a-service (RaaS) on the rise, so too are the costs of recovering from an attack should your live data and your backups become encrypted. While backing up your data has always been an important control to mitigate against everyday data loss, the increase in cyber risk now makes this ‘critical’ if you wish to recover from an attack should one occur.

In addition to your internal risk register, backups are also a requirement under your cyber insurance policy. The implementation of these backups needs to be better understood to combat the rise of ransomware attacks that attempt to encrypt and make unusable all of your data including your backups.

The best practices for backups have changed over time as technology and attacks have evolved. The modern implementation of backups is the 3-2-1 rule. This concept originated in the photography industry with photographer Peter Krogh, to ensure copies of his photographs were safe and could be readily restored when lost. Follow the 3-2-1 rule of creating additional copies of your data to improve the likelihood of a successful restoration. The rule states:

3) There should be 3 copies of the data
2) On 2 different storage media devices
1) With 1 copy stored off-site

Put simply, backing up your data involves creating copies of your data for the purpose of future restoration. The copied data needs to be usable, relevant, and recent enough to reap the benefits of its recovery. Having adequate backups that are also separated from your network (off-site) can ensure your data is readily available for restoration in the event a ransom attack renders your on-site backups unusable.

The ability to restore data also has benefits outside of protecting against ransom attacks. For example, if a file is mistakenly deleted or is corrupted for any other reason, your backups can keep your business moving without too much delay. Insurance companies are also increasingly interested in the implementation of your backups and therefore applying best practices for backups can significantly affect your premiums.

One of the key challenges with this is understanding the exact meaning of ‘off-site’. For data to be considered off-site in the context of protecting your data from ransom attacks, backups need to be completely separated from the business premises and network, preferably stored offline. Having backup data stored in a different physical location also protects your business from physical disasters such as fires and other unforeseen events. Increasingly, organisations are also adopting ‘immutable’ backup solutions, where your data backups remain on-site, but cannot be changed. We recommend that regardless of the procedure or technology you are using, you should regularly conduct testing to ensure it is fit for purpose.
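As an added illustration (not part of the original Bulletin), the following Python sketch audits a backup inventory against the 3-2-1 rule using the strict meaning of ‘off-site’ given above, and also checks recency and restore testing. The field names, the sample inventory and the 7-day and 90-day thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Copy:
    name: str
    medium: str                  # e.g. "disk", "tape", "cloud-object"
    on_premises: bool
    network_reachable: bool      # reachable from the production network
    immutable: bool = False
    last_backup: Optional[date] = None        # None marks the live copy
    last_restore_test: Optional[date] = None

def audit(copies: List[Copy], today: date,
          max_age_days: int = 7, max_test_age_days: int = 90) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies of the data")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"2: only {len(media)} storage medium type(s)")
    # Off-site in the strict sense: away from the premises AND the network.
    separated = [c for c in copies if not c.on_premises and not c.network_reachable]
    if not separated:
        findings.append("1: no copy separated from both premises and network")
        if any(c.immutable for c in copies):
            findings.append("note: immutable on-site copy resists encryption, "
                            "not physical disasters such as fire")
    for c in copies:
        if c.last_backup is None:    # live data: nothing to age or test
            continue
        if (today - c.last_backup).days > max_age_days:
            findings.append(f"{c.name}: backup older than {max_age_days} days")
        if (c.last_restore_test is None
                or (today - c.last_restore_test).days > max_test_age_days):
            findings.append(f"{c.name}: no restore test in {max_test_age_days} days")
    return findings

# Constructed inventory: live data plus two backups, all reachable from the network.
TODAY = date(2023, 2, 1)
SAMPLE = [
    Copy("live-fileserver", "disk", True, True),
    Copy("nas-snapshot", "disk", True, True, immutable=True,
         last_backup=date(2023, 1, 31), last_restore_test=date(2022, 6, 1)),
    Copy("cloud-sync", "cloud-object", False, True,
         last_backup=date(2023, 1, 20), last_restore_test=None),
]
```

The sample inventory has three copies on two media types, yet still fails: the cloud copy is off the premises but reachable from the network, so no copy meets the strict definition of off-site.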

In our work as incident responders, we have increasingly seen organisations ‘retire’ their backup regime when moving data to the cloud or outsourcing to a managed service provider. There may be many reasons for this, such as a perceived cost saving, a lack of understanding of the risk, or perhaps just oversight. Unfortunately, some organisations have been unable to operate effectively following a ransomware attack and have incurred large financial costs. Looking forward to the coming year, we recommend you review your backup procedure to ensure you can continue operating tomorrow if all your data is lost today.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.