#WorldBackupDay: 5 Backup Tips to Retain Critical Data Following a Ransomware Attack

The phrase “data is the new oil” offers a dramatic yet apt description of the importance of information flows to modern businesses in an increasingly digitized world. Sadly, cyber-criminals are highly aware of this fact, leading to surging cases of data breaches in the past few years.

Additionally, the evolution in ransomware attacks, which exploded in volume in 2021, has exacerbated the risk to organizations’ data. While traditional ransomware attacks focused on locking down systems and data until a ransom was paid, modern ‘multi-extortion’ approaches also encompass the threat of releasing accessed data. This point is echoed by Jeff Costlow, CISO at ExtraHop: “Today’s ransomware has become an advanced threat with the hat-trick of exfiltration, encryption and software exploitation. It used to be that the sole endgame of ransomware was encryption. Deploy the ransomware, encrypt the files and demand payment in exchange for the keys. Today, ransomware criminals have introduced payment incentives at multiple steps in the kill chain, from exfiltration of data to software exploitation.”

Given this threat landscape, it is vital that organizations establish contingency plans to prevent the loss of critical data in the event of a successful cyber-attack. Backups may feel like an aging concept to some, but their role in an organization’s security architecture is arguably more important than ever. Javvad Malik, lead security awareness advocate at KnowBe4, noted: “With backups, organizations can avoid having to pay hefty ransom payments and bring their organizations back online. While it may not help with stolen data, it will ensure business operations resume.”

This is why the annual World Backup Day campaign on March 31 is taking on increasing relevance, sending a timely reminder of the need for backups and best practices surrounding their implementation. ExtraHop’s Costlow added: “This World Backup Day should be a call for all organizations to examine how their backup and recovery plan weaves into their overall security strategy to ensure they are protected in the event of a ransomware attack.”

Here are five best practice tips around the use of backups to help ensure critical data can be restored and business operations will resume promptly following a cyber-attack:

1) Identify Your Organization’s Critical Data

The sheer volume of data processed by modern organizations means it is impractical to attempt to back up all the information they hold. “Data is growing at a rapid, exponential pace, so much so that some businesses can’t afford to protect everything. To reduce a negative impact on revenue and reputation, organizations must make informed decisions about which data systems are essential for running backups,” pointed out Adrian Moir, technology evangelist and principal engineer at Quest.

Such informed decision-making requires careful planning and consideration, falling in line with the organization’s specific needs. KnowBe4’s Malik pointed out the importance of involving records management professionals: “Organizations should involve a records management professional in the process to ensure that only essential data is backed up for the appropriate amount of time in line with a set strategy. Otherwise, blindly backing up all data indefinitely can not only be an extra cost but could also fall foul of some regulatory requirements.”

2) Schedule Regular Backups

With new data constantly being added to systems, and existing data changing frequently, organizations must ensure critical information is backed up regularly. “If you do anything for your cybersecurity in the next few days, make sure all company data is backed up regularly. It won’t take more than a few minutes and could well save you in a crisis,” stressed Jamie Akhtar, CEO and co-founder of CyberSmart.

The frequency of backups will vary for different types of businesses and, again, requires strategic planning to ascertain. Jennifer Froelich, content author at Micron, highlighted the need to consider scheduling: “Choose a regular backup schedule that makes sense for you and your workload to make sure you have continuous data protection. Typically, your personal data needs to be backed up often. If you work on important data every day, then backing it up every day just makes sense. If your data changes less often, a weekly backup may suffice.”

Recognizing how vital restore points are, Bud Broomhead, CEO and founder of Viakoo, commented: “Organizations should revisit their restore point objectives and adjust to more frequent backups based on how often data in the system is changing, in case of ransomware.”

3) Establish Off-site/Isolated Backups

To ensure the integrity of backup data and keep it out of reach of a cyber-attack on production systems, at least some backup systems should be isolated, disconnected from the organization’s main network. This point is shared by Chris Hauk, consumer privacy champion at Pixel Privacy: “All backups should be stored offsite and should be isolated from the user’s production environment to ensure the integrity of all backups. While it may seem old-fashioned, users could still follow the 3-2-1 backup rule, which encourages them to create one primary backup and two copies of all data. Backups should be saved to two different types of media, and at least one backup should be kept offsite.”

Paul Bischoff, privacy advocate at Comparitech, added: “Backups need to be stored on a separate system and network from production data, or else you risk malware spreading and your backups being encrypted as well.”

This principle also applies to individual users, an increasingly relevant consideration amid the shift to remote working. As Micron’s Froelich observed: “A lot of us make the mistake of keeping our external backup drive(s) sitting right next to our computer (or even dangling from the computer by a USB cable). Ideally, an offsite fire and waterproof safe or safety deposit box are best for at least one copy of your data. But at least don’t store your backup device in plain sight, where thieves are likely to grab it along with your system. Admittedly, it is not practical to use your offsite backup every day, but in the event of a catastrophic loss, you’ll be glad to have this copy of your data, even if it is a month old.”

4) Implement Security Measures for Backups

As the value of data grows, security experts have observed cyber-criminals increasingly targeting backup systems. Mike Parkin, senior technical engineer, Vulcan Cyber, explained this trend: “They’ve also started deploying attacks that specifically target backups, which makes backup security just as important as the backups themselves.”

Targeting backups is an approach that ransomware actors, in particular, are starting to adopt more frequently, according to David Friend, co-founder and CEO of Wasabi Technologies. “Ransomware hackers know that if you can restore your systems from backups, they are unlikely to be able to extort ransom from you. So they try to destroy backups at the same time they are encrypting your primary data.”

In addition to keeping at least one backup isolated from the main network, there are other steps organizations can take to keep data contained on these systems secure. This includes ensuring backups are incorporated into access management strategies, thereby ensuring “that accounts that can be used to access and damage the original information should not implicitly have access to affecting backups,” stated Martin Jartelius, CSO at Outpost24.

Another important approach is to encrypt data stored in backups. Florindo Gallicchio, managing director, head of strategic solutions at NetSPI, elucidated this approach: “These backups should be encrypted so that sensitive data is not disclosed and stored in such a way that an organization can recover its data in a timely manner, as this is necessary to minimize disruption to business operations. Additionally, organizations should regularly revisit and test disaster recovery and business continuity plans to validate that ransomware and other threats won’t impact the integrity of any backups.”

Given the current landscape, Wasabi Technologies’ Friend said that organizations should consider using immutable buckets to add an extra layer of security to data stored in backup systems: “One underutilized way to protect and backup your data against cyber-threats and ransomware is through object-level immutability in your cloud storage, which means certain files and stored objects cannot be modified or deleted by anyone, even a systems administrator. If you store your backups in immutable buckets, ransomware hackers can’t delete or encrypt your backups,” he explained.
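The immutability Friend describes only holds if the bucket's object-lock settings actually deny deletion to every principal. The audit below is an added example, not code from the article or from Wasabi: it evaluates constructed responses shaped like the S3 `GetObjectLockConfiguration` result (Wasabi and other S3-compatible stores use the same structure; treated here as an assumption) and flags the settings that still leave backups deletable, in particular GOVERNANCE mode, which a sufficiently privileged account can bypass, whereas COMPLIANCE mode cannot be shortened by anyone before the retention period ends.

```python
# Constructed GetObjectLockConfiguration responses for four hypothetical buckets.
BUCKETS = {
    "backups-prod": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    "backups-staging": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    # Lock enabled but no default rule: objects are only locked if the writer asks.
    "backups-legacy": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    # Plain bucket, no object lock at all.
    "scratch": {},
}

# Constructed policy: retention must outlast the longest expected attacker dwell time.
MIN_RETENTION_DAYS = 35


def retention_days(rule):
    """Normalise a DefaultRetention block (expressed in Days or Years) to days."""
    return rule.get("Days", 0) + 365 * rule.get("Years", 0)


def audit_immutability(config, min_days=MIN_RETENTION_DAYS):
    """Return the reasons a bucket does not give tamper-proof retention (empty = OK)."""
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["object lock not enabled: backups can be overwritten or deleted"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention: new objects stay unlocked unless the "
                "writer sets retention on every upload"]
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        findings.append("GOVERNANCE mode: a principal holding "
                        "s3:BypassGovernanceRetention can still delete objects")
    if retention_days(rule) < min_days:
        findings.append(f"retention {retention_days(rule)}d is below the "
                        f"policy minimum of {min_days}d")
    return findings


def audit_all(buckets):
    """Map every bucket name to its findings; buckets with [] are immutable as intended."""
    return {name: audit_immutability(cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all(BUCKETS).items():
        print(name, "OK" if not findings else findings)
```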

5) Test Backup Systems

The ability to restore data should form a crucial part of an organization’s incident response strategy. As such, as with other aspects of incident response, it should be practiced regularly to ensure it will work effectively in the event of a successful attack. Sam Curry, the chief security officer at Cybereason, highlighted this need: “This is really about disaster recovery and business continuity. You must have an incident response plan, a so-called immutable backup, and must test, test, test. From tabletops to live restore tests.”

Outpost24’s Jartelius noted the need for restore tests: “We must also remember to make restore-tests. If we have backups that are running, but we have not verified that we can restore them in time, we are again at risk of in practice not having them at all.”

Finally, Rick McElroy, principal cybersecurity strategist, VMware, advised: “Prepare for the unexpected, test backups, and warm-up incident response muscles.”
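The checks the article calls for in tips 2, 3 and 5 (restore point objectives, the 3-2-1 rule with an isolated copy, and hashing what a test restore actually returns) can be run together over a backup inventory. The script below is an added example, not code from the article or from any vendor quoted in it; the inventory, clock, RPO and dataset are constructed, and the final `isolated_usable` field is the one that matters under ransomware, since a copy that restores correctly but sits on the production network may be encrypted along with everything else.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed clock and RPO so the checks run reproducibly offline.
NOW = datetime(2022, 3, 31, 9, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)  # restore point objective: tolerable data loss window

# Constructed dataset and the manifest hash recorded when it was backed up.
DATASET = b"customer-ledger-2022-03-31"
EXPECTED_SHA256 = hashlib.sha256(DATASET).hexdigest()

# Constructed inventory: one record per stored copy, plus the bytes a test restore returned.
COPIES = [
    {"name": "primary-nas", "media": "disk", "offsite": False, "isolated": False,
     "taken": NOW - timedelta(hours=6), "restored": DATASET},
    {"name": "offsite-tape", "media": "tape", "offsite": True, "isolated": True,
     "taken": NOW - timedelta(days=2), "restored": DATASET},
    {"name": "cloud-bucket", "media": "object-store", "offsite": True, "isolated": True,
     "taken": NOW - timedelta(hours=12), "restored": DATASET[:-1]},  # truncated restore
]


def check_3_2_1(copies):
    """3-2-1 rule as the article states it: 3 copies, 2 media types, 1 offsite."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c["media"] for c in copies}) >= 2,
        "one_offsite": any(c["offsite"] for c in copies),
    }


def stale_copies(copies, rpo=RPO, now=NOW):
    """Copies older than the RPO: restoring them loses more data than agreed."""
    return [c["name"] for c in copies if now - c["taken"] > rpo]


def verify_restores(copies, expected=EXPECTED_SHA256):
    """Restore test: hash the bytes that actually came back, not the catalogue entry."""
    return {c["name"]: hashlib.sha256(c["restored"]).hexdigest() == expected
            for c in copies}


def backup_report(copies):
    """Combine the checks; a copy is usable only if it is fresh and restores intact."""
    stale = set(stale_copies(copies))
    restores = verify_restores(copies)
    usable = [c["name"] for c in copies if restores[c["name"]] and c["name"] not in stale]
    isolated = [c["name"] for c in copies if c["name"] in usable and c["isolated"]]
    return {"rule_321": check_3_2_1(copies), "stale": sorted(stale),
            "restore_ok": restores, "usable": usable, "isolated_usable": isolated}
```

On this inventory the 3-2-1 rule passes, yet every copy fails a different check, and no isolated copy is both fresh and intact, which is the gap a paper review of the backup schedule would not reveal.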