Are good backups really the best ransomware recovery strategy?

445 views, 7 Comments
Founder and CIO, 4 years ago

Attackers will go after backups as well. It's important to have them, but when we went through an attack, some backups weren't very good. When they went to restore, they had to rebuild a lot. It wasn't because they were attacked, it was because the backups hadn’t been going off as they were meant to, and in some cases, the attackers actually penetrated the backup.

2 Replies
no title, 4 years ago

How much time does it take to restore your backup? What if you have to restore five terabytes of data—how long is that going to take? How long is your company going to be down? Unencrypting backups takes forever. It's great that you can say, "I have encrypted backup." But if that backup is on tape or in Amazon cold storage, forget it. It will take you weeks to get it back.

no title, 4 years ago

Yeah, some were loaded on drives and FedExed to data centers because it was just going to take too long otherwise.

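The post and replies above describe three distinct ways backups fail during ransomware recovery: jobs that quietly stopped running, backups the attacker reached and altered, and a multi-terabyte restore from tape or cold storage that takes too long to matter. The following is an added example, not code from the thread or from any backup product, showing how those three conditions can be checked on a schedule rather than discovered during the incident. The record layout, field names, sample sizes and throughput figures are constructed for illustration.

```python
"""Checks for the backup failures the thread above describes:
jobs that silently stopped running, backup contents that no longer match
what was recorded, no copy out of the attacker's reach, and restores that
would take longer than the business can wait. Sample records are
constructed; field names and checks are this example's own, not a backup
product's API."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupRecord:
    name: str
    last_success: datetime      # when the job last completed
    expected_sha256: str        # digest the job recorded at write time
    data: bytes                 # stands in for the backup file on disk
    size_bytes: int             # logical size that would have to be restored
    restore_bytes_per_s: float  # sustained read rate of the storage tier
    offline_copy: bool          # an immutable or offline copy exists


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def restore_hours(size_bytes: int, bytes_per_s: float) -> float:
    """Restore time from sustained throughput alone; decryption and
    rehydration from a cold tier only add to this."""
    return size_bytes / bytes_per_s / 3600.0


def check_backup(rec: BackupRecord, now: datetime, rpo: timedelta, rto_hours: float) -> list:
    """Return a list of findings; an empty list means the backup passed."""
    findings = []
    age = now - rec.last_success
    if age > rpo:
        findings.append(f"STALE: last success {age.days}d ago exceeds RPO of {rpo.days}d")
    if sha256_hex(rec.data) != rec.expected_sha256:
        findings.append("CORRUPT_OR_TAMPERED: stored digest does not match backup contents")
    if not rec.offline_copy:
        findings.append("NO_OFFLINE_COPY: an attacker with backup credentials can delete or encrypt it")
    est = restore_hours(rec.size_bytes, rec.restore_bytes_per_s)
    if est > rto_hours:
        findings.append(f"SLOW_RESTORE: ~{est:.0f}h to restore exceeds RTO of {rto_hours:.0f}h")
    return findings


# Constructed sample data (not from any real environment)
NOW = datetime(2024, 3, 8, 6, 0, tzinfo=timezone.utc)
PAYLOAD = b"constructed backup image contents"
GOOD = BackupRecord(
    name="erp-db-nightly",
    last_success=NOW - timedelta(hours=6),
    expected_sha256=sha256_hex(PAYLOAD),
    data=PAYLOAD,
    size_bytes=500 * 10**9,           # 500 GB
    restore_bytes_per_s=100 * 10**6,  # 100 MB/s from local disk
    offline_copy=True,
)
BAD = BackupRecord(
    name="fileserver-weekly",
    last_success=NOW - timedelta(days=23),  # job has been failing silently
    expected_sha256=sha256_hex(PAYLOAD),
    data=PAYLOAD + b"\x00",                  # contents changed since the digest was taken
    size_bytes=5 * 10**12,                   # 5 TB, the volume quoted in the thread
    restore_bytes_per_s=20 * 10**6,          # 20 MB/s from a cold tier
    offline_copy=False,
)


def run_checks(records=(GOOD, BAD), now=NOW, rpo=timedelta(days=1), rto_hours=24.0):
    """Map each backup name to its findings."""
    return {rec.name: check_backup(rec, now, rpo, rto_hours) for rec in records}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The digest check only catches tampering if the recorded digest itself is stored somewhere the attacker could not also rewrite, which is why the offline-copy check sits beside it; and the restore estimate is deliberately optimistic, since it ignores the decryption and cold-tier retrieval time the replies above mention.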
Head of Enterprise & Solution Architecture, 4 years ago

The simplest approach to recovery, especially from ransom attacks, is making regular backups. But there are two issues with relying on backups. First, people don't make backups. I will be honest: I have never backed up data on my laptop, and I’ve already lost data on a previous laptop of mine that crashed. The second thing is, we still don't have the right technology to make quick backups and restore the systems. Backing up data and then restoring it could take hours, days, or weeks, if not longer, because we are talking about a significant volume of data.

Try not to put all your critical data into one file. As an analogy: I'm from Poland, and around 10 years ago, our government put all the top political and military leaders on the same plane. The plane crashed, and all of them died. It’s the same principle with data. You don't put all your data into one bucket. You also have to consider that it takes time to encrypt such huge volumes of data. It takes weeks.

It’s better to focus on having proper mechanisms that will try to prevent a major attack by monitoring what's happening in the system. Switch to zero trust security, where you constantly verify everyone. You don't verify someone once and allow that person access to all your data, you verify every time there is a request for new data. It's a fairly new concept that not many companies have implemented, but all those mechanisms can definitely lower your risk.

3 Replies
no title, 4 years ago

Attackers are typically in your environment for 10-30 days before they let the bomb go off. They have lots of time and that's when you need to detect that something abnormal is going on. You need the tools that use AI to identify when a data flow is abnormal and should be flagged for someone to review.

no title, 4 years ago

And then it's too late.

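The reply above argues that the dwell time before encryption is when an abnormal data flow should be flagged for review. The following is an added example, not code from the thread or from any vendor's AI product: a plain statistical baseline (per-host outbound bytes per day, plus destinations never seen before) stands in for the tooling the reply mentions. The flow-log format, hostnames, addresses and byte counts are constructed for illustration.

```python
"""Baseline-and-deviation check for outbound data volume per host, the
kind of 'abnormal data flow' flag the reply above describes. This is an
added example using a simple statistical baseline rather than an AI
model; the log format and all log lines are constructed."""
import re
import statistics
from collections import defaultdict

# Hypothetical flow-log format (constructed for this example):
# <ISO timestamp> host=<source host> dst=<destination IP> bytes=<bytes sent>
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ host=(?P<host>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

SAMPLE_LOG = """\
2024-03-01T02:10:00Z host=fileserver01 dst=10.0.5.20 bytes=120000000
2024-03-01T03:15:00Z host=fileserver01 dst=10.0.5.20 bytes=110000000
2024-03-01T02:00:00Z host=db01 dst=10.0.5.21 bytes=50000000
2024-03-02T02:10:00Z host=fileserver01 dst=10.0.5.20 bytes=125000000
2024-03-02T03:15:00Z host=fileserver01 dst=10.0.5.20 bytes=108000000
2024-03-02T02:00:00Z host=db01 dst=10.0.5.21 bytes=50000000
2024-03-03T02:10:00Z host=fileserver01 dst=10.0.5.20 bytes=118000000
2024-03-03T03:15:00Z host=fileserver01 dst=10.0.5.20 bytes=112000000
2024-03-03T02:00:00Z host=db01 dst=10.0.5.21 bytes=50000000
this line is not a flow record and is skipped
2024-03-04T02:10:00Z host=fileserver01 dst=10.0.5.20 bytes=121000000
2024-03-04T03:15:00Z host=fileserver01 dst=10.0.5.20 bytes=109000000
2024-03-04T02:00:00Z host=db01 dst=10.0.5.21 bytes=50000000
2024-03-05T02:10:00Z host=fileserver01 dst=10.0.5.20 bytes=120000000
2024-03-05T03:15:00Z host=fileserver01 dst=10.0.5.20 bytes=110000000
2024-03-05T23:40:00Z host=fileserver01 dst=203.0.113.44 bytes=4800000000
2024-03-05T02:00:00Z host=db01 dst=10.0.5.21 bytes=50000000
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed flow record, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def aggregate(lines):
    """Per host: bytes sent per day, and the destinations seen per day."""
    volume = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(lambda: defaultdict(set))    # host -> day -> {dst}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        volume[rec["host"]][rec["day"]] += rec["bytes"]
        dests[rec["host"]][rec["day"]].add(rec["dst"])
    return volume, dests


def detect(lines, z_threshold=3.0, ratio_floor=2.0, min_baseline_days=3):
    """Compare each host's latest day against its earlier days and return alerts."""
    alerts = []
    volume, dests = aggregate(lines)
    for host, per_day in volume.items():
        days = sorted(per_day)
        if len(days) < min_baseline_days + 1:
            continue  # not enough history to call anything abnormal
        today, baseline_days = days[-1], days[:-1]
        baseline = [per_day[d] for d in baseline_days]
        mean = statistics.mean(baseline)
        stdev = statistics.stdev(baseline)
        # Two-part threshold: a z-score for noisy hosts, plus a ratio floor so a
        # host with a flat (near-zero stdev) baseline is not flagged by tiny jitter.
        limit = max(mean + z_threshold * stdev, ratio_floor * mean)
        if per_day[today] > limit:
            alerts.append({"host": host, "day": today, "kind": "volume",
                           "bytes": per_day[today], "baseline_mean": mean})
        seen_before = set().union(*(dests[host][d] for d in baseline_days))
        for dst in sorted(dests[host][today] - seen_before):
            alerts.append({"host": host, "day": today, "kind": "new_destination", "dst": dst})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, fileserver01 sends roughly 230 MB a day to one internal address for four days, then 4.8 GB to an address never seen before; db01 is flat every day and stays quiet. A real deployment would baseline over far more than four days and on more features than bytes-per-day, but the shape of the check (build a baseline during normal operation, alert on the deviation, hand it to a person) is the same.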