The role of backups within organisations has fundamentally changed with the rise of ransomware. How fundamental is this change, and what should you do about it as an organisation? Learn from a discussion with four experts in the field during a roundtable hosted by Techzine Netherlands.
For a long time, conversations around backups were certainly not among the most exciting ones held within organisations. Backups were often seen as a necessary evil, in case an organisation’s data centre catches fire, or a plane crashes into it. In other words, organisations created backups to solve a problem that was mostly theoretical. After all, how often does a data centre catch fire, and is the fire so bad that an organisation loses all its data? And how often does a plane crash into a data centre?
However, with the rise of ransomware, the status of backups changed considerably. According to studies, a ransomware attack currently takes place every 11 seconds. As a result, the chances that your organisation will have to deal with this threat are high, or at least a lot higher than the scenarios outlined earlier. With that in mind, the chances of an organisation losing its data due to such an attack are also many times higher, meaning that the role of backup and restore becomes much greater. After all, backup can ensure that you can be up and running again very quickly if your data is encrypted.
Conceptually, the above does not strike us as a hugely complicated observation. However, the question is to what extent it is actually done within organisations. And can you tackle it overnight? Techzine Netherlands addressed this question and more during a roundtable discussion with Dyon de Bruijne from Commvault, Hans ten Hove from Datto, Dick Vonk from Dell Technologies and Jan Ursi from Rubrik.
It’s not about backups anymore
Our four experts agreed that it is no longer about backups at all. Ten Hove clearly stated: “When you talk about backups, you are talking about a bigger picture, cyber resilience.” Backups are part of cyber resilience, and it is that bigger picture that matters.
Ursi sees that the two worlds of ITOps and SecOps are increasingly starting to meet. In other words, cyber security is an increasingly important part of backups. He, too, talks about the bigger picture and identifies three sub-areas that play a role in the world of cyber resilience today: “resilience at the moment you are hit, understanding what is or can be affected and recovery from an attack.”
Vonk, who mainly deals with government clients, observes that many of these organisations are looking for resilience against cybercrime, and notes a big difference from just a few years ago. Our expert mainly sees backups as a hook these days; ultimately it is mainly about ransomware.
Dyon de Bruijne, Technical Account Manager at Commvault, nuances this statement from his perspective by saying that it matters a lot which organisations you talk to. He notes that it is very important to make the distinction between cyber recovery and data recovery. Many companies he encounters still work with the outdated grandfather-father-son principle. In the case of a recovery from a cyber-attack, that’s not much use. “What is the value of a database built according to this principle?” he states rhetorically. “That is too old to be really useful in cyber recovery.”
It is also no longer a technical discussion
The shift from backups to cyber resilience does not only have conceptual implications. It also causes the topic to be approached differently internally. This mainly concerns the forum in which it should be discussed and remain relevant.
Previously, backups were mainly an IT topic, which therefore fell under the IT department. Now that backups have become part of cyber resilience, it is increasingly becoming a management discussion, Ten Hove and Ursi note. Of course, it depends on the size of the organisation, Ten Hove adds. There are plenty of organisations without a board or management layer that deals or can deal with such issues. SMEs, for instance, rely primarily on MSPs for cyber resilience. And there is still much to be gained there, Ten Hove points out. “Cyber resilience in SMEs is extremely low,” according to him. So MSPs really need to take steps to address this.
Understanding data and processes
So if it is no longer primarily a technical discussion, what should organisations discuss at board or management level? According to Ursi, these days it’s mostly about understanding the safety of your data. In other words, you continuously analyse data to see if it is still healthy. This is where De Bruijne concurs, but he still sees a big challenge there too, pointing out that “Many companies lose track of where their data is”. This is partly because organisations give the keys to their data to different parties, so keeping an overview can be quite a chore.
Such an overview is absolutely crucial to get your cyber resilience right from the perspective of your data. According to Ten Hove, however, this also implies that organisations have their processes well mapped out. And this is something that is quite often lacking. This is certainly no easy task in somewhat larger organisations, but it is a prerequisite before an organisation starts looking at the technical infrastructure to become more cyber resilient.
Besides knowledge of the processes, there is also a lack of awareness around those processes. Ursi highlights that 70% of Microsoft 365 users do not know that they themselves are responsible for recovering their M365 data in case of a ransomware attack. If awareness in such a primary application is already so limited, we fear for understanding in other processes.

How do you get started?
The theory is clear by now. Start by mapping the processes and discuss cyber resilience at board or management level. Then you can set up the infrastructure so that you can actually take steps on cyber resilience.
Dick Vonk, Account Manager Cyber Recovery & Data Protection Solutions at Dell, shares an interesting anecdote, illustrating how easily things can be overlooked. In a previous role, Dick helped organisations with business continuity consultancy and audits. One day, during a break in the canteen inside the data centre of a large bank, someone asked what the server that had long been running under a desk was doing. That turned out to be a server that had been temporarily set up long ago, but was still processing huge amounts of internal bookings daily. Everyone had overlooked it for years. Especially if such a server is not properly maintained in terms of patching and updates, it is a very big risk to your cyber defences. Anyway, it’s not good that something can be ‘under the radar’ in your organisation for years, of course, but that aside.
Besides understanding what you have in terms of processes and therefore infrastructure, you should also be able to make a good assessment of what you need to invest in. “At the end of the day, it’s about disaster recovery, and then especially the costs and the damage you can suffer,” De Bruijne argues. “If something gets locked, what is the impact of that on people and processes?” he continues. Incidentally, he does have a good tip for organisations wanting to set up such a session: “Make sure you only delegate one person per department to such a consultation.” Otherwise, it quickly becomes a chicken coop and you won’t really get anywhere as an organisation.
To arrive at an estimate of the impact of an attack on processes, people and costs, you can simulate an attack, Ursi points out. That way, you can see how many systems are affected, which systems are crucial to protect properly and you can see how fast and how much data is exfiltrated. In such a simulation, it is also very important to take into account things like the GDPR/AVG, Ten Hove points out. It’s quite a difference for organisations whether hackers threaten to leak corporate data or personal data.
Don’t reinvent the wheel yourself
As an organisation, you almost always have a choice between buying or building when you want a new solution for something. Here we see a nice parallel between the world of IT service providers towards SMEs and the government, among others. Indeed, both Ten Hove and Vonk note that people in those two sectors often choose to build things themselves even though there are already ready-made solutions for sale that have proven their efficiency by protecting millions of customers worldwide.
From the MSPs’ point of view, this is actually not useful at all for SMEs, especially smaller MSPs, for reasons we mentioned above. Within the government, the choice to build a lot themselves is largely driven by the laws and regulations they have to comply with. “The government is scared to death of depositing data with third parties,” Vonk indicates.
As a result of this fear, people within the government keep reinventing the wheel and thus mainly get caught up in technical discussions that really shouldn’t be primary. The people on the shop floor often don’t want to do that, so then management will just sort it out themselves. Neither management nor the shop floor really has the knowledge at the moment to do things differently, which doesn’t help either. So it can happen that people go back to tape in panic, for no good reason.
So more awareness is needed at least among government and MSPs. This is an important step in getting cyber resilience to the desired level. This awareness starts with asking the right, critical questions to suppliers about the products and services they provide. Currently, De Bruijne sees very little of this in RFPs from the government. Ten Hove does see encouraging signs in his world of MSPs. “More and more MSPs are coming to us with questions from clients about the services we provide,” he states. This is a good development. It is also a sign that more and more customers are getting into the driver’s seat and asking the right questions.
Finally: the recovery plan (and testing it)
A final component towards better cyber resilience may not be the most exciting, but it is very important. An organisation needs a recovery plan, and preferably one that works well, of course. In drawing it up, you naturally put what needs to happen in the order required to get things going again. “You simply have a chain of dependencies on each other,” Ursi sums it up. You can’t do anything without DNS and DHCP, he gives as an example. So those should be high on the list of priorities if you want to get an environment up and running again.
In addition, before you start drawing up your recovery plan, you should have already done a business impact analysis, Ten Hove adds. In it, you need to formulate answers to questions such as what downtime costs and how much data loss an organisation is allowed to suffer. At this point, De Bruijne points out that an SLA is also an excellent starting point for a recovery plan. Vonk emphasises the importance of runbooks, which specify in great detail what needs to be done and in what order. This is in addition to the general framework of the SLA and/or business impact analysis. That part remains more or less the same. You don’t have to (re)write a book continuously when you update the plan. In general, the most important thing when drawing up such a plan is that you start from the worst-case scenario, Vonk argues.
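The chain of dependencies Ursi describes, and the ordering a runbook has to capture, can be derived mechanically from a service inventory. The sketch below is an added example, not something presented at the roundtable; the service names and the `DEPENDS_ON` map are constructed for illustration. It groups services into recovery waves and refuses to produce a plan when a dependency is missing from the inventory or when dependencies are circular.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed sample inventory: each service maps to the services
# that must be running before it can be restored.
DEPENDS_ON = {
    "dns": [],
    "dhcp": [],
    "active-directory": ["dns"],
    "database": ["dns", "active-directory"],
    "file-server": ["dns", "active-directory"],
    "erp-application": ["database", "file-server"],
    "workstations": ["dhcp", "dns", "active-directory"],
}


def recovery_waves(depends_on):
    """Return a list of waves; services within one wave can be restored in parallel."""
    # A dependency nobody listed as a service is a gap in the inventory
    # (the forgotten server under the desk), so fail instead of guessing.
    known = set(depends_on)
    missing = {dep for deps in depends_on.values() for dep in deps} - known
    if missing:
        raise ValueError(f"dependencies not in the inventory: {sorted(missing)}")

    sorter = TopologicalSorter(depends_on)
    try:
        sorter.prepare()
    except CycleError as exc:
        # exc.args[1] holds the nodes forming the cycle.
        cycle = " -> ".join(exc.args[1])
        raise ValueError(f"circular dependency: {cycle}") from exc

    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())  # everything whose dependencies are restored
        waves.append(ready)
        sorter.done(*ready)
    return waves


if __name__ == "__main__":
    for number, wave in enumerate(recovery_waves(DEPENDS_ON), start=1):
        print(f"wave {number}: {', '.join(wave)}")
```

Running the same check whenever the inventory changes ties updating the plan to testing it, without touching production systems.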
Finally, you should also not put together a recovery plan once and then throw it in a drawer. That is, you should treat it as a living document. To keep it alive, you can link updating the plan to testing it. This does not have to be done by pulling the plug completely. “When you do a fire drill, you don’t set your building on fire either,” Ten Hove argues. You can also simulate just fine, as we also noted earlier in this article.
Conclusion
We had quite an in-depth discussion during this roundtable on how you should handle backups as an organisation. One of the conclusions is that we should no longer see backups as a technical exercise. They should be part of cyber resilience. That topic should be discussed in the higher echelons of organisations. This also means not getting bogged down in technical discussions. Everything starts with an analysis of the impact an attack has on the organisation. “You have to think very carefully about what you want before you can take a technical step,” Ten Hove summarises at the end of the talk. This requires the end customer to be empowered and ask the vendors, but will also require organisations and MSPs to take steps themselves.

