Flirtin’ with disaster
The rise in ransomware attacks has highlighted the need for reliable data backups. And while “ransomware” and “cyber” pair together quite nicely, the recent spate of devastating natural disasters across the globe—earthquakes, hurricanes, floods, wildfires—should also be a call to arms. Even without “cyber attack” in the headlines, companies should be thinking about how any ruinous event could affect business operations. Yet, according to a report published in early 2017, only 57% of IT managers said they have a backup solution in place. Of that slightly-more-than-half, 75% of companies said they were not able to restore all lost data, presumably because backups were not tested and not actually available (much to the IT team’s chagrin), or because the team thought it maintained adequate backups but those backups were physically or logically connected and thus affected alongside original data. These situations place companies in a bad predicament. In the case of ransomware, the options are to pay the criminals, spend tons of money hiring outside experts to help decrypt/recover your data, or recreate data from scratch, all while trying to keep the business up and running. In the case of disasters that aren’t cyber related, just remove the first option. In every case, lacking data backups is a bad idea. As the saying goes, companies that fail to plan, plan to fail.
Have you ever been working on a Word or Excel document and—poof!—it disappears? That momentary panic is a horrible feeling. Now imagine that Office didn’t automatically save copies of your files and you had to start over from scratch. Incredibly frustrating and time consuming. Now imagine that Word or Excel file was, instead, your entire customer database. Or your accounts payable/accounts receivable files. Or your sales team’s prospect pipeline. This type of data loss can be catastrophic. If your organization has reliable copies, great! You’re all set. As the numbers above demonstrate, though, many companies don’t. Why? All businesses run on data, after all.
“I think there are many reasons people and companies don’t back up their systems correctly,” says Kevin Johnson, CEO of security consultancy Secure Ideas. First, he says, “many, if not most, organizations don't know where all of their data is. They have systems everywhere, and even with policies about data storage, users will save documents and files to mobile devices and workstations without paying attention to or understanding how this impacts backup and recovery efforts.” Certainly, with cloud, internet of things (IoT), and other shadow IT, more of this happens than most companies would like to admit. If the IT/security team doesn’t know it has data to secure and back up, how can it secure and back it up?
The second reason Johnson believes companies don’t have a successful backup plan is because they don’t fully understand how to go about doing so. “With the move to cloud and vendor-based systems, many organizations believe (incorrectly) that they don't have the ability to back up remote sites or that they are being handled by the cloud provider,” he explains. Indeed, when companies hand off data to third-party providers, they often feel a false sense of security, thinking part of the provider’s responsibility is to fully protect—which includes the ability to recover—data when or if it’s lost. This is only true if the contractor is contractually obligated to do so. Even with this requirement legally defined, the organization handing over data to a third party has a burden to its customers/employees/partners/etc. “But the other company lost it!” won’t help much when the business can’t resume business after data has been lost, leveled, or locked up.
The third reason for lack of or inadequate backups, says Johnson, is management’s assumption that the organization is backing up important data regularly and through proper channels. “As I assess organizations,” Johnson shares, “I hear it all the time: Management assumes one thing yet IT is doing (or not doing, in this case) something else.” Communication failures can lead to business failures. Remember the infamous Hollywood Presbyterian Medical Center ransomware attack, where the hospital’s systems were down for over a week even though the ransom was paid? Patients had to be diverted and revenue was lost. In the case of a hospital, geographic location and emergencies will keep the business alive. For organizations where health and human safety aren’t a factor and where competition is plentiful, customers/partners could choose to do business elsewhere while you’re stumbling over recovery efforts.
Poor communication has negative consequences throughout security operations, but it is just one reason why companies neglect to maintain data backups. Following are a few other causes of shoddy backup management programs, with suggestions for how to remedy them.
Optimism bias: Companies that have not yet been affected by a major disaster may believe it can’t happen to them. Data loss can happen at any company—big or small—and has probably already happened at your company, whether you know it or not. Data loss might be small (e.g., a sales manager lost her pipeline spreadsheet and has to recreate it from scratch) and therefore IT and security teams might not know about it. Or the data loss incident might be a minor inconvenience (e.g., an employee leaves the company and wipes his machine and email inbox, requiring the IT team to find data on the server). Neither of these examples, though, is catastrophic, which may give the organization a false sense of security. When a disaster strikes, be it ransomware or an environmental factor, and local backups are unavailable or wiped out, you don’t want to be like Hollywood Presbyterian…or worse.
To illustrate the point: You likely have homeowners’ or renters’ insurance. If you own/lease a car you are required to have automobile insurance. Data backups are another form of insurance: You might not need them all the time, but when you do, you’ll be glad they’re there.
The perception that backing up data is too time consuming: Employees’ schedules are packed, IT and security included. “I’m too busy,” or “I have other priorities” isn’t a good excuse for not maintaining adequate backups. If the company experiences a disaster, and you haven’t backed up critical data, you’ll find yourself required to work a lot more until the company can return to normal.
“It’s expensive”: Yes, a data backup and recovery program is an operational expense (and possibly CapEx, too, if you need to buy storage devices/services). That said, the costs to back up data, locally and off-premises, physically and logically, should be built into your operating expenses budget. It might not be feasible for every organization to maintain a 24x7 backup solution; therefore, each organization must conduct a risk assessment and determine acceptable levels of risk. For instance, non-critical data can be backed up once per week while critical data must be backed up every day.
Knowing the risks and consequences ahead of time will also allow the organization to operate more smoothly and set appropriate expectations in the event of a disaster.
Not knowing where or what the data is: As Johnson stated earlier, this is one of the biggest organizational downfalls. If IT and security don’t know what data the organization has/maintains/uses, and don’t understand the level of criticality to business operations, there is no possible way to manage an accurate backup program. Security/IT teams must conduct regular and ongoing asset inventories—which include business-critical data. This requires the security/IT team to communicate with every line of business, preferably in person. Meet with business leaders and explain why you need information about the data their team uses every day. Ask questions like, “What would happen if your team couldn’t access this data for 2 hours? A full day? A week?” Developing relationships with data owners allows you to discover business needs and will help you prioritize the backup and recovery plan.
Not backing up regularly: Creating a schedule to back up data regularly (every night, once per week, each month) is essential. Per the above, this schedule should be determined in coordination with the business and based on business criticality. Failure to back up data regularly could significantly hamper recovery efforts, or stall them indefinitely (if backups are not available). Sticking with the plan does require governance (in many cases backups can be automated), but it’s not a step that should be overlooked because it’s “another thing on the list.”
Not backing up to a physically/logically separated location: As stated earlier, 57% of companies say they maintain data backups. In the case of a natural disaster, if your data center, tapes/disks/etc. are in the same geographic location as your servers, laptops/desktops/etc., the backups are wiped out too. If a cyber incident hits and your data backups are located on the same network as the original data or your backup locations are logically connected to your network, criminals can find those too. The only way to have reliable backups is to ensure physical and logical air gaps.
Not testing backups: Time and resources are often a factor in what the security team can accomplish, but just like with an incident response plan, data backup plans must be tested. If you recall, 75% of companies that back up data said they were not able to restore all data lost during a disaster. Had backup solutions been tested regularly, the organization would have been able to discover problems in a non-emergency situation and remedy the process before recovery efforts were needed.
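The restore test described above, as an added example that is not part of the original post: it records a SHA-256 manifest at backup time, restores the archive into a scratch directory, and reports files that are missing or differ. The file names, contents and function names are constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path) -> dict:
    """Archive source and return the manifest to store alongside the backup."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)

def restore_test(archive: Path, recorded: dict) -> dict:
    """Restore into a scratch directory and compare with the recorded manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            # Use the safe extraction filter where this Python provides it.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = manifest(Path(scratch))
    return {"missing": sorted(recorded.keys() - restored.keys()),
            "corrupt": sorted(k for k in recorded.keys() & restored.keys()
                              if recorded[k] != restored[k])}

def demo() -> tuple:
    """Constructed data: one healthy backup, one that skipped and truncated files."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bad = Path(tmp, "src"), Path(tmp, "bad")
        (src / "pipeline").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Acme\n2,Globex\n")
        (src / "pipeline" / "q3.csv").write_text("lead,stage\nInitech,proposal\n")
        recorded = make_backup(src, Path(tmp, "good.tar.gz"))
        # Simulate a faulty job: one file skipped, one truncated mid-write.
        bad.mkdir()
        (bad / "customers.csv").write_text("id,name\n1,Acme\n")
        make_backup(bad, Path(tmp, "bad.tar.gz"))
        return (restore_test(Path(tmp, "good.tar.gz"), recorded),
                restore_test(Path(tmp, "bad.tar.gz"), recorded))

if __name__ == "__main__":
    good, faulty = demo()
    print("healthy backup:", good)
    print("faulty backup: ", faulty)
```

Comparing against a manifest captured when the backup was taken, rather than against the live source, keeps the test meaningful after the source data has changed or been lost.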
A backup continuity and disaster recovery plan is more complex than one blog post, to be certain. However, evaluating your organization’s data needs and current processes to ensure business resiliency will set in motion a reliable, up-to-date, and actionable process.
Kevin Johnson will be co-leading a session on privacy with Tom Eston at InfoSec World 2018 in Orlando, Florida, March 19-21, 2018.