Backup and recovery tools at many organizations are insufficient to address the ransomware threat, according to respondents to a survey by backup-as-a-service provider HYCU. (Air Force)

Backup-as-a-service company HYCU on Wednesday released a report that said some 65% of companies surveyed lack full confidence in their backup solutions, leaving them vulnerable to ransomware attacks that occur on average every 11 seconds.

The report also found that just 47% of companies routinely test their backups and just 41% air gap their backups.

“Survey respondents were clear that many of their backup and recovery tools were insufficient to address the ever-present threat from ransomware attacks,” said Simon Taylor, founder and CEO at HYCU. “This data shows it’s time for a new generation of backup solutions, especially when you look at both on-premises and cloud-native needs.”

Aaron Turner, CTO, SaaS Protect at Vectra, explained that when it comes to anything-as-a-service built in the cloud, companies have to ask how privileged users are authenticated to administer that service.

Turner said there are two schools of thought. First, isolation: build a separate identity chain that’s not subject to the same attack vectors or vulnerabilities that affect the rest of the organization’s cloud services. Turner said this approach can result in separation, but it also requires additional investments in detection and response, which typically don't get made.

“So what began as an isolated, highly resilient design ends up being an identity backwater with actually more potential for abuse and compromise than if the privileged identities were federated from the start,” Turner said.

This leads to the second approach: federation with enhanced multi-factor authentication (MFA). By federating identities to cloud services through technologies such as Azure AD, Okta or Ping, Turner said organizations enjoy better visibility into how identities are used or abused. He added that it’s critical that organizations do not allow privileged cloud identities for services such as backup-as-a-service to be used for daily tasks like reading email. The best approach for federation is a dedicated privileged identity that relies on strong MFA, such as a security key like a YubiKey.

“The HYCU report suggests that ‘air-gapped or immutable backups’ are the only way to truly protect against ransomware,” Turner said. “My concern with that suggestion is that organizations must have very strong cloud privileged identity controls in place to harden their identity provider which provides access to that backup service, and then utilize the best detection and response technology to assure that privileged identities are not abused to destroy those air-gapped or immutable backups as part of a sophisticated ransomware campaign.”

Claude Mandy, chief evangelist, data security at Symmetry Systems, said the monetization of ransomware has been focused on encrypting and restricting access to data, with potential long-term impact to operations. Mandy said cybercriminals are further monetizing access to data through the threat of releasing sensitive and sometimes embarrassing data to the public. Mandy said that although immutable backups do allow organizations to recover from a successful ransomware attack focused on encrypting data, like most controls in security they neither guarantee security nor prevent impact.

“Most of the challenges from an organization stem from a cybercriminal gaining access to an enterprise's data,” Mandy said. “These challenges are exacerbated for most organizations by a lack of understanding about what data they have, how sensitive or critical it is to business operations, where it gets stored, and who or what has access to the data. The adoption of the cloud, and the erosion of the traditional perimeter has made it even harder for organizations to answer these questions, which is critical to a successful ransomware defense.”

Christopher Prewitt, chief technology officer at Inversion6, added that most ransomware operators target backups as part of their operation, hampering a company’s ability to recover data and leaving it solely limited to paying for a decryption key. Prewitt said more backup providers are trying to create immutable repositories and solutions to protect against such threats, and that usually the impact is not ransomware alone. Prewitt said recovery processes are often untested and, sometimes because of bandwidth limitations, may take many days or even weeks to complete, impacting the organization's ability to transact and service customers.

“Attackers have also been known to target cloud workloads, where quite often backups are within the existing cloud hyperscaler,” Prewitt said. “The 'Customer Entity Controls' section of SOC reports of cloud providers enforces the notion that data backups are the responsibility of the customer. With ransomware being the largest risk to organizations of any size, it’s critical to have a trusted backup process and technology that will protect recoverability.”