Vice President of Digital Infrastructure at ConvergeOne, the leader in secure IT transformation.
It happened. Everything is shut down. The halls are lined with people trying to figure out what’s going on. The phone system is down, but your cellphone won’t stop ringing. It’s not Armageddon — it’s ransomware. The question of the day: How do we get our data back?
Unfortunately, while this picture is bleak, it’s being faced by a growing number of organizations daily. In 2020, we’ve observed both the highest recorded ransomware demand followed by potentially the largest recorded ransomware attack. This comes in addition to ransomware demands surging past $100,000 on average paired with a 25% increase in reported ransomware attacks.
There is no straightforward remedy for ransomware. Organizations can (and should) invest heavily in cyberinfrastructure that can detect and defend against modern-day cyberthreats, but it is not uncommon for organizations to focus solely on these areas. IT and information security professionals are apt to view the landscape as a win-or-lose scenario. This makes sense in terms of a traditional attack where cyberattackers are focused on stealing corporate data. However, in the realm of ransomware, it’s not so simple.
Organizations need to recover their data. Unfortunately, a study conducted by Dell found that 69% of IT leaders lack confidence that they could recover their business-critical data in the event of a cyberattack. It’s no surprise that 70% of businesses hit with ransomware paid the ransom to retrieve their data, according to an IBM study, which in turn, further funds the malicious development of advanced ransomware variants.
Can’t we just pay the ransom?
Yes. However, there’s no guarantee that hackers will provide the decryption key after payment. Additionally, decryption keys have failed in prior ransomware incidents, leaving only a portion of the systems and data accessible. When this happens, organizations are forced to rebuild — a devastating process severely impacting productivity and overall ability to operate.
Can’t we restore from backups?
Yes, but only if your backups have not been encrypted or deleted. A common ransomware “feature” enhancement is deleting or encrypting backup data prior to launching the main attack. This is why we say “encryption happens last.” Cyberattackers are intelligent and dedicated; deleting and encrypting backups is a critical way to improve their odds of receiving the ransom.
Enter cyber recovery, the data of last resort.
Shockingly few organizations operate a full-fledged cyber recovery environment — that is, an environment established to protect against threats such as ransomware by copying data into a digital vault. In order to be considered a cyber recovery vault, the infrastructure must be air-gapped and fully isolated. The backed-up data must be immutable by design, making it resilient to encryption and resistant to deletion. The system should also have digital forensics capabilities as well as the ability to recover in a reasonable amount of time.
It’s important to note that cyber recovery is fundamentally different from disaster recovery. Cyber recovery protects against malicious disruption, whereas disaster recovery protects against physical disruption. However, in today’s age, it is far more likely that an organization will suffer a ransomware attack than a data center fire.
When looking to establish a cyber recovery environment, here are some things organizations should consider:
1. Immutability: Immutability is the underlying critical element of cyber recovery. If a system does not have immutability traits, then it cannot be considered a true cyber recovery system.
2. Recovery Time: Don’t forget that when an event happens, full recovery defines success. It’s important to consider the time and effort required to fully recover your data.
3. Runbook: A mature runbook can separate a quick recovery from a painful one. A cyber recovery system must include a professional runbook unique to your organization.
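The three properties above (write-once storage, a retention lock that resists deletion, and an integrity check that supports forensics before a restore) can be modelled in a few dozen lines. The following is an added illustration written for this article, not ConvergeOne's product or code the author describes; it assumes a single in-memory vault with a simple tick-based clock, whereas a real vault would also be network-isolated and backed by write-once media. The `simulate_media_corruption` hook stands in for an out-of-band change to the stored copy so that the verification step has something to detect.

```python
"""Minimal model of a cyber recovery vault with immutable (WORM) semantics.

Added example, not the article's or vendor's code. Assumes an in-memory
vault and a tick-based clock for retention; a production vault would be
air-gapped and backed by write-once storage.
"""
import hashlib
from dataclasses import dataclass, field


class VaultError(Exception):
    """Raised when a write, overwrite or delete violates vault policy."""


@dataclass(frozen=True)
class VaultObject:
    name: str
    digest: str         # SHA-256 of the content recorded at ingest time
    data: bytes
    locked_until: int   # retention lock expressed as a vault clock tick


@dataclass
class CyberRecoveryVault:
    retention_ticks: int
    clock: int = 0
    _objects: dict = field(default_factory=dict)

    @staticmethod
    def _sha256(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def ingest(self, name: str, data: bytes) -> str:
        # Write-once: an existing name is never overwritten, even with identical
        # content, so a compromised backup host cannot replace a good copy.
        if name in self._objects:
            raise VaultError(f"{name!r} already exists; vault is write-once")
        digest = self._sha256(data)
        self._objects[name] = VaultObject(name, digest, data, self.clock + self.retention_ticks)
        return digest

    def delete(self, name: str) -> None:
        # Deletion is only honoured once the retention lock has expired.
        obj = self._objects[name]
        if self.clock < obj.locked_until:
            raise VaultError(f"{name!r} is under retention lock until tick {obj.locked_until}")
        del self._objects[name]

    def simulate_media_corruption(self, name: str, data: bytes) -> None:
        # Hypothetical test hook: models a copy altered on the underlying media,
        # bypassing the API. The recorded digest is deliberately left untouched.
        obj = self._objects[name]
        self._objects[name] = VaultObject(obj.name, obj.digest, data, obj.locked_until)

    def verify(self) -> dict:
        # Forensic check: recompute every digest and report which copies still
        # match what was recorded at ingest. A mismatch means "do not restore".
        return {n: self._sha256(o.data) == o.digest for n, o in self._objects.items()}

    def restore(self, name: str) -> bytes:
        obj = self._objects[name]
        if self._sha256(obj.data) != obj.digest:
            raise VaultError(f"{name!r} failed integrity check; refusing to restore")
        return obj.data

    def contents(self) -> list:
        return sorted(self._objects)

    def tick(self, n: int = 1) -> None:
        self.clock += n


def demo() -> dict:
    """Walk through the vault guarantees on constructed sample data."""
    vault = CyberRecoveryVault(retention_ticks=30)
    vault.ingest("db-2020-10-01.dump", b"customer table snapshot")  # constructed sample
    result = {}
    try:                                    # 1. overwrite attempt is refused
        vault.ingest("db-2020-10-01.dump", b"encrypted garbage")
        result["overwrite_blocked"] = False
    except VaultError:
        result["overwrite_blocked"] = True
    try:                                    # 2. delete during retention is refused
        vault.delete("db-2020-10-01.dump")
        result["delete_blocked"] = False
    except VaultError:
        result["delete_blocked"] = True
    # 3. an untouched copy restores cleanly
    result["restore_ok"] = vault.restore("db-2020-10-01.dump") == b"customer table snapshot"
    # 4. an out-of-band alteration is caught by verification before any restore
    vault.ingest("files-2020-10-01.tar", b"file share snapshot")   # constructed sample
    vault.simulate_media_corruption("files-2020-10-01.tar", b"\x8f\x1a altered")
    result["tamper_detected"] = vault.verify()["files-2020-10-01.tar"] is False
    # 5. once retention expires, lifecycle deletion is permitted
    vault.tick(30)
    vault.delete("db-2020-10-01.dump")
    result["expired_delete_ok"] = "db-2020-10-01.dump" not in vault.contents()
    return result


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'PASS' if passed else 'FAIL'}")
```

Running `demo()` returns five booleans, all `True`: the overwrite and the early delete are refused, the clean copy restores, the altered copy is flagged by `verify()`, and deletion succeeds only after the retention period has elapsed. Measuring how long the restore step takes on a realistic data volume is where the article's second consideration, recovery time, comes in.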
It’s certainly more comfortable to focus on preventing a cyberattack. However, the reality is that attackers are far more successful and advanced today than at any time before in the history of IT. Many, if not most, organizations will be faced with the difficult task of responding to and recovering from a successful ransomware attack on their enterprise infrastructure. Establishing a resilient cyber recovery environment is quickly emerging as the primary method to successfully recover data without paying a hefty ransom.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.