When it comes to ransomware recovery, what details often get overlooked?

335 views · 2 Comments
CIO Strategic Advisor in Services (non-Government), 4 years ago

There was a large publicly traded company that had a massive breach. And the attackers brought this company to its knees to the point where they started erasing all of the backups and then working forward from there. I was with a colleague of mine when we were joined by his friend who was working as a consultant brought in by this company to help them rebuild everything from the ground up. He said, "This is the dumbest thing they're doing. The management team has stepped aside to eliminate any delays in decision making so they can get back up and running as quickly as possible." The problem was that they were essentially rebuilding exactly what they had when they were breached in the first place.

That's a component to incident recovery that often gets missed and it's an important piece. Rather than take a moment to ask, "How did they get in? What can we do differently without losing a significant amount of time?" they just built it exactly the way it was. And the consultant said, "I wouldn't be surprised if we see something in the news shortly after it's up and running again."

CIO in Telecommunication, 4 years ago

A critical consideration is your ability to recover: How soon can we recover in case there's a breach or an attack? In an incident that happened to one of my colleagues, another CIO, they got ransomware and the attackers were so sophisticated that they were able to encrypt every single backup that the company had, even off-site. They had been sitting within the environment for six to eight months, looking at everything that was happening. So now we are trying to determine if there is any technology out there that will protect all the backups that we are making.

Because when there is ransomware, the first thing that your CIO will ask is, "Do we have the ability to recover?" If you say "no," then your hands are tied and you will have to pay the ransom. But if you can say, "Yes, there is a VCP and this is how long it will take to recover everything," then the question is how much risk the company will take if that information is out there. That's a totally different conversation. We will be able to recover and restore, but the data is already out there. So now we are exploring what avenues or tools are out there that could help protect these backups so that we can bring them back if anything happens.
