An offline Vault

The cloud is big and welcoming, but it’s not enough as cyberattackers go after backups.

The rules for backing up critical data and systems are changing, as cybercriminals look for new paths to exploit.

The original idea around backups was to deposit all data in a second location. In case of attack, that backup would be used to restore operations. With the advent of cloud services, backups became easier than ever.

But ransomware attacks are growing increasingly sophisticated. Attackers now go searching for the backups as well as primary systems.

A recent study by British IT security company Sophos found that cybercriminals attempted to go after backups in 94% of attacks in the past year.

And those attacks were costly: Companies where backups were compromised were nearly twice as likely to have paid ransom to recover data as those with no backup damage (67% versus 36%), the study found.

The ransomware demand was twice as much when backups were breached: an average of $2.3 million versus $1 million, according to Sophos.

Companies need another layer of security, says Tim Wilkinson, global head of cybersecurity operations at Rolls-Royce. Specifically, they need an offline vault that attackers can’t get to.

“In cybersecurity — and you hear this from everyone — it’s not a matter of ‘if’ but ‘when,’” said T.J. Mayotte, a Maryland-based IT executive who has worked in government and the defense and finance industries. “Immutable backups go to the top of the list, because if there’s no wall that’s high enough and no moat that’s deep enough, then backup is the most critical thing you can do.”

Mayotte and other industry experts emphasize the importance of a 3-2-1 rule: Have three copies of your data; store two copies locally (one online and one offline); and keep one copy off site.

This approach not only safeguards data from ransomware but also protects against accidental data loss due to hardware failures or natural disasters.

But not every system is the same.

“It’s not binary,” Mayotte said. “You don’t back everything up the same way.”

Think about the most critical systems — what you would need, for example, if a tornado flattened your operations. “You have to be willing to spend a little bit more and spend a little bit more time on offline immutable backups for those true critical systems,” he said. “And then have different layers for everything else.”

Be smart about the cloud

It’s also good to know exactly where your cloud-based data and systems are being stored. If you use, for example, Amazon Web Services, your hosting takes place in a certain location. “You can pay a little bit more to have a backup in a separate geographical space,” Mayotte said. “But it’s worth doing that level of effort to have true separation between your backups.”

Test, or regret

You also can’t build the vault and forget it. If you haven’t tested your backup system, assume it doesn’t work, Mayotte said.

“What I’ve seen is that when you have the event and you go to use that backup, it doesn’t work because you never tested it, because everyone’s afraid to do that,” he said.

So companies need a strategy and a plan, and also some active steps to make sure the backup is there when they need it.