We live in turbulent times. It’s 2 AM on a Saturday morning during your peak holiday season, and you get a phone call that says your business has been hit by Ransomware.
The hair stands up on the back of your neck, you break into a cold sweat, your heart rate increases. What are you going to do? Have you prepared for this event? If you do not have a Cyber Security Incident Response Team, if you have not practised for this event, if you’re not certain that everyone knows their roles and responsibilities, then your business is at risk. It’s not so much ‘if’ you suffer a ransomware attack; it’s ‘when’. 85% of organizations experienced at least 1 ransomware attack last year, according to the 2023 Veeam Data Protection Trends Report.
Cybersecurity does not belong to one person or one group within an organization. It belongs to everyone in the organization, and that also includes your supply chain and your customers. It is a shared responsibility, so don’t assume someone else, either inside or outside of your organization, has this covered.
Ransomware Should be Expected
Ransomware is a 24x7x365 threat. Cyber criminals do not work business hours. There’s a high financial reward for those who are successful, which is why they are sometimes very slick, well-organised businesses or state actors. Therefore your security posture needs to be 24x7x365, but don’t forget leap years too!
Also consider that it is not the backup alone that is going to help your business recover from an attack; it is the ability to restore your systems and data. You need to ensure that your restores happen in a timely manner to get the business back up and operational, because while you are offline you are not conducting business; you are losing money and damaging your reputation.
How Well Would You Recover from Attack?
The Veeam 2023 Ransomware Trends Report highlights a number of disturbing trends that organizations will need to deal with. It does not matter if you are a small business or a multinational conglomerate; you are in the sights of these criminals.
According to the Veeam report, the average recovery time for organizations is 3 weeks. Multiply the cost of staff not being able to function, the loss of business input and output, and the loss of credibility across that period, and you have the true cost of an offline outage due to Ransomware. Clearly, this is not acceptable.
No wonder, then, that the report found that 60% of organizations needed a significant or complete overhaul of their backup, DR and recovery systems. Your first question should be: do you fall into this category?
- Do you test that your backups are working properly? How do you do it?
- Do you perform regular restores? Do you scan these restores for Ransomware, Malware etc.?
- Do you wait for a critical event before scanning your backups?
- Do you not scan at all, and run the risk of restoring infected systems only to begin the process all over again?
- Can you even restore in the first place, or has your backup stream been deleted too?
Examining this infographic, we can understand the need to plan for restores not backups:
Implement a Best Practice Recovery Strategy
Having established a need to be better prepared for recovery in the event of an attack, let’s look at some best practices to implement a recovery strategy to protect your business.
First we need to ensure that the backups have integrity. Backup applications and backup accounts are among the first places that Ransomware attacks target. As you can see from the below graphic, this is almost a certainty now.
You need to protect against this. The 3-2-1 backup rule on its own is not a deep enough protection now. You need more resilience, but not more complexity, which is why a good practice is to extend this into the 3-2-1-1-0 rule.
- 3 – Copies of your data
- 2 – Different media (different products, media types etc.)
- 1 – Offsite, so you can protect against localized events.
- 1 – Offline copy or Immutable Copy – you need to stop people modifying it
- 0 – Errors, this is the ‘can you restore and have you tested your restores’ portion
We have established that there are ways to provide more resilience for our business, but this is getting complex. You are now starting to think about how you manage your budgets and manage those risks.
Veeam has a Cloud Service Provider Program (VCSP); these are specialist organizations with skills you can rely on. Many of these VCSPs provide a capability called Cloud Connect that provides an immutable offsite copy of your data, but with the added separation of duties to offer insider threat protection, which is a growing trend in Ransomware threat vectors. Combining your on-premises or cloud protection with the expertise of a VCSP enables you to not only simplify, but also enhance your capabilities.
Zadara partners with many VCSPs and we provide the capabilities to support their offering as well as enable them to provide end to end services for their customers. Zadara supports Veeam Direct to Object Storage capabilities introduced with Veeam Data Platform V12. This provides a local immutable storage option providing extra protection against localised backup tampering. Now on-premises backups have additional capabilities without complexity.
Zadara Storage as a Service (STaaS) on-premises delivered in this way also enables the deployment of recovery media for SureBackup recoveries. This speeds up options for localized recovery, as you have the Block / File Services, as well as the Object Storage delivered in a multi-tier recovery model.
If the VCSP offers recovery services they may be able to work with you to restore your Cloud Connect backups onto a new infrastructure layer in their facilities. You would need to provide the recovery keys. This is an important factor in recovery as the Veeam data format is portable and can be rescanned and imported in the event of a disaster.
Illustrated below is a sample recovery strategy model and its components:
- 3 – Copies of the data (4 if the Cloud Connect SOBR is a copy job to Object Storage)
- 2 – At least two different media: primary storage, first backup copy, and a second copy to Cloud Connect
- 1 – Offsite via the Cloud Connect copy
- 1 – Immutable or offline using on-premises immutable Object Storage or via Cloud Connect
- 0 – Errors: use SureBackup to test recovery and use VPSAs on demand for recovery media
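As an added illustration (not part of the original article, and not Veeam or Zadara tooling), the following Python audits a backup inventory against each part of the 3-2-1-1-0 rule and the sample model above, and shows that a classic 3-2-1 layout still fails the last two checks. The inventory entries, media labels and the 30-day restore-test threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_TEST_AGE_DAYS = 30  # assumption: a restore test older than this is stale


@dataclass
class Copy:
    name: str
    media: str                          # label for the storage type/product
    production: bool = False            # True for the live data itself
    offsite: bool = False
    immutable_or_offline: bool = False
    restore_test_age_days: Optional[int] = None  # None = never test-restored
    restore_errors: int = 0


def audit_32110(copies: List[Copy]) -> dict:
    """Evaluate each part of 3-2-1-1-0; production data counts as one copy."""
    backups = [c for c in copies if not c.production]
    verified = [c for c in backups
                if c.restore_test_age_days is not None
                and c.restore_test_age_days <= MAX_TEST_AGE_DAYS
                and c.restore_errors == 0]
    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        "1 immutable/offline": any(c.immutable_or_offline for c in backups),
        "0 errors": bool(backups) and len(verified) == len(backups),
    }


def failures(copies: List[Copy]) -> List[str]:
    """Names of the rule parts the inventory does not satisfy."""
    return [rule for rule, ok in audit_32110(copies).items() if not ok]


# Constructed inventory mirroring the sample recovery strategy model.
SAMPLE_MODEL = [
    Copy("production", "primary-block", production=True),
    Copy("on-prem object storage", "object", immutable_or_offline=True,
         restore_test_age_days=7),
    Copy("Cloud Connect", "cloud-connect", offsite=True,
         immutable_or_offline=True, restore_test_age_days=14),
]

# Constructed inventory: satisfies classic 3-2-1 but nothing more.
CLASSIC_321 = [
    Copy("production", "primary-block", production=True),
    Copy("local NAS repository", "file", restore_test_age_days=200),
    Copy("replicated repository", "file-remote", offsite=True),
]
```

Calling `failures()` on an inventory returns the rule parts that still need work, which makes it easy to run on a schedule and alert when a restore test goes stale.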
Understand Your Next Steps
If you are a Service Provider, Zadara is the ideal enablement partner; if you are a reseller we can provide you with a new revenue stream; if you are an end user we can put you in contact with our trusted partners to gain the very best in terms of recovery options. Our Technical Alliance with Veeam means we are able to work together to provide a 100% OPEX solution that allows complete flexibility.
It is easy to say it only happens to others. In reality, the numbers speak for themselves: you need defence in depth, and you need partners you can trust.
If you ever do get that call in the middle of the night, I hope this has helped you plan for that event and mitigate it; but don’t rely on hope, hope is not a Ransomware mitigation strategy.