Even investing in cyber insurance doesn't guarantee protection - and might even make you a more appealing target.
Ransomware is a daily threat for organisations of all sizes and across all industries. Often, the ROI of securely backing up data is only demonstrated after an attack has taken place and the damage has been done.
Resigned to paying astronomical ransoms to decrypt their data and get operations back up and running, organisations are positioning themselves as attractive targets - but paying ransoms is not a valid cyber security strategy.
In an upcoming webinar on 12th October, Chris Butler, head of Databarracks' Resilience and Continuity Consulting Practice, will join Computing's John Leonard and Anne Cockshott to discuss the steps being taken to remedy the damage of ransomware attacks. Panellists will explore attitudes to paying ransoms, the lessons learned from incidents, and IT leaders' confidence in their backup and recovery solutions.
We spoke to Butler about the topic before the big day.
Computing: Why does it typically take so long to recover from a ransomware attack?
Chris Butler: Ransomware events are incredibly complex and can take weeks or months to resolve. That is the case even if the organisation is starting from a position of having good, tested plans in the first place.
Recovering from cyber causes is very different to 'normal' DR. Recovering from a major incident like a storage failure or the loss of a site used to take perhaps 24-48 hours. In many ransomware attacks, the recovery of data won't even begin in the first two days.
Before you can begin the recovery, you have to identify the source of the breach and remove access for the attackers. You need to know how long the ransomware has been present on your systems so you can recover clean data prior to the installation. Typically this is done by external cyber forensic experts who take time to appoint and carry out the investigation.
Once you have identified what you think is the most recent clean backup, it is prudent to carry out sandbox recoveries and re-scan to confirm ransomware isn't present before bringing all systems back.
There are some key factors that determine how long the recovery will take. Firstly, how quickly you can detect and take action to isolate and contain has a significant impact.
The next stage is finding the most recent clean backup of data to recover from. You can play it safe and revert to a very old copy, but that leaves you with weeks or months of lost data. Being able to quickly identify the source of the breach and find when the ransomware was installed is the other major factor. There are a number of ways to improve response times. Features addressing these specific issues are now being built directly into backup software. Commvault, for instance, has honey-pots and file anomaly detection as native features that help to minimise time on both fronts.
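The recovery steps Butler describes above, working out when the ransomware arrived and picking the most recent clean backup, can be partly automated from backup contents. The following is an added example written for this article, not code from Databarracks, Commvault or the interview. It assumes each backup snapshot exposes a path-to-content mapping (built in memory here from constructed sample files) and scores each snapshot against its predecessor on three signals the interview mentions: file anomaly detection (change ratio and byte entropy), appended file extensions, and a tripped honeypot file. The snapshot labels, paths and thresholds are all constructed.

```python
"""Find the most recent clean backup snapshot from per-snapshot file contents.

Added example for this article; not Databarracks' or Commvault's code. It assumes
each backup snapshot exposes a path -> content mapping (constructed in memory
here) and uses three signals: file anomaly detection (change ratio and entropy),
appended extensions, and tripped honeypot files.
"""
import math
import os
from collections import Counter
from dataclasses import dataclass


@dataclass
class Snapshot:
    label: str               # e.g. the backup date
    files: dict[str, bytes]  # path -> file content


# Decoy files that no legitimate process ever modifies (assumed layout).
CANARY_PATHS = {"shared/.canary_do_not_touch.txt"}

# Illustrative thresholds; tune against a baseline of normal daily churn.
THRESHOLDS = {"changed": 0.5, "high_entropy": 0.5, "renamed": 0.25}
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for encrypted or compressed data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot_metrics(prev: Snapshot, cur: Snapshot) -> dict:
    """Compare a snapshot with its predecessor and flag ransomware-like churn."""
    total = max(len(cur.files), 1)
    changed = sum(1 for p, d in cur.files.items() if prev.files.get(p) != d)
    high_entropy = sum(1 for d in cur.files.values()
                       if shannon_entropy(d) > HIGH_ENTROPY_BITS)
    # A new path whose name minus its final extension was an existing file looks
    # like "report.docx" -> "report.docx.locked".
    renamed = sum(1 for p in cur.files
                  if p not in prev.files and os.path.splitext(p)[0] in prev.files)
    canary_tripped = any(c in prev.files and cur.files.get(c) != prev.files[c]
                         for c in CANARY_PATHS)
    metrics = {
        "label": cur.label,
        "changed": changed / total,
        "high_entropy": high_entropy / total,
        "renamed": renamed / total,
        "canary_tripped": canary_tripped,
    }
    metrics["anomalous"] = canary_tripped or any(
        metrics[k] > limit for k, limit in THRESHOLDS.items())
    return metrics


def last_clean_snapshot(snapshots: list[Snapshot]) -> tuple[str, list[dict]]:
    """Walk snapshots oldest to newest. Return the label of the last snapshot
    before the first anomalous one, plus per-snapshot metrics for the report."""
    first = snapshots[0]
    baseline_hi = sum(1 for d in first.files.values()
                      if shannon_entropy(d) > HIGH_ENTROPY_BITS) / max(len(first.files), 1)
    if baseline_hi > THRESHOLDS["high_entropy"]:
        # Without a clean baseline, consecutive encrypted snapshots look "stable".
        raise ValueError(f"oldest snapshot {first.label} already looks encrypted")
    report = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        m = snapshot_metrics(prev, cur)
        report.append(m)
        if m["anomalous"]:
            return prev.label, report
    return snapshots[-1].label, report


# --- constructed sample data -------------------------------------------------
CLEAN_DOC = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\n" * 8
CLEAN_CFG = b"[database]\nhost=db01\nport=5432\nmax_connections=200\n" * 4
CANARY = b"Honeypot file. Any change to this file is an incident.\n"
CIPHERTEXT = bytes(range(256)) * 2  # stand-in for encrypted output: exactly 8.0 bits/byte
NOTE = b"Constructed placeholder for the text file dropped beside the encrypted data.\n"

DAY1 = {"finance/q3.txt": CLEAN_DOC, "etc/app.ini": CLEAN_CFG,
        "hr/roster.txt": CLEAN_DOC, "shared/.canary_do_not_touch.txt": CANARY}
DAY2 = {**DAY1, "finance/q3.txt": CLEAN_DOC + b"Footnote added.\n"}  # a normal edit
DAY3 = {p + ".locked": CIPHERTEXT for p in DAY1} | {"README_RESTORE.txt": NOTE}

SNAPSHOTS = [Snapshot("2022-10-01", DAY1), Snapshot("2022-10-02", DAY2),
             Snapshot("2022-10-03", DAY3), Snapshot("2022-10-04", dict(DAY3))]

if __name__ == "__main__":
    label, report = last_clean_snapshot(SNAPSHOTS)
    for m in report:
        print(f"{m['label']}: changed={m['changed']:.2f} high_entropy={m['high_entropy']:.2f} "
              f"renamed={m['renamed']:.2f} canary={m['canary_tripped']} anomalous={m['anomalous']}")
    print("most recent clean snapshot:", label)  # 2022-10-02
```

Run stand-alone, it names 2022-10-02 as the last clean snapshot: 2022-10-03 is the first where every file changed, most content sits at 8 bits per byte and the canary was renamed. The answer is only an upper bound. The day the data was encrypted is usually later than the day the attacker got in, so the forensic investigation Butler describes is still needed to confirm that the chosen snapshot predates the intrusion, and a sandbox restore and re-scan should follow before anything returns to production. The routine also assumes the oldest retained snapshot is clean; if the whole retention window is already encrypted, consecutive snapshots look unchanged and nothing would be flagged, which is why it refuses to run in that case.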
CTG: Is cyber insurance a practical solution, or part of the solution?
CB: It is part of the solution, but there has been an overreliance on cyber insurance.
Insurance companies initially favoured paying out ransoms over recovering internally from backups because it seemed like the less costly option. They have quickly realised that the situation isn't sustainable.
As a result, cyber insurance has become much more expensive (an increase of 102% in Q1 2022) and there are now more stringent requirements in order to obtain cover.
Having home insurance doesn't mean you don't lock your doors. It's a requirement of all insurance that you are adequately protected to prevent needing to claim. That is what is happening now in cyber insurance.
The aim should be to never pay a ransom and to always recover from backups. This is the only way to break the vicious cycle fuelling ransomware attacks.
But, in cases where businesses do suffer losses, it is important that they can claim on insurance.
CTG: What is a DR runbook?
CB: Runbooks are the doing part of your DR plans. They're the step-by-step guide of what you need to do to recover from an incident.
You will likely need multiple runbooks for different types of recovery. A generic runbook won't cut the mustard for ransomware recovery for instance.
The benefit of documenting your recovery process in a runbook is that you react and respond more quickly. In a DR situation, that's vital because the speed of your response has a big impact on how quickly you recover.
CTG: What are the essential ingredients of a DR runbook?
CB: Anyone in the IT team should be able to follow it.
What would happen if the key people at your organisation weren't available? That happens more often than you might think.
Someone else in the team should be able to pick up the runbook and follow the steps for a successful recovery. If you have your A-Team, they will know what to do already. Your runbook means that your B-Team can deliver the recovery to the same standard.
A good runbook is more than just the priority order for which systems need to be recovered first. It should include all the manual fixes and work-arounds to bring systems back up, such as IP changes, reboots, restarting databases, and functional and user testing.
Runbooks and DR plans can still be complex, even for an expert, so the key is to provide the guidance and instructions to make them simple, understandable and usable.
The organisations that have reliable runbooks are the ones who test and exercise their plans frequently. Every time you test your DR plan, you should document and update any changes so you are always prepared and ready.
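One way to hold a runbook to the standard Butler sets out (a priority order, the manual fixes for each system, a functional test after each step, and something a stand-in operator can follow) is to keep it machine-readable and check it automatically. The following is an added example for this article, not a Databarracks artefact: the systems, addresses and state are constructed, and the `verify` callables stand in for the functional and user tests an operator would run. In the constructed state the database test fails, which shows the runbook stopping rather than recovering the application on top of a broken dependency.

```python
"""Machine-readable DR runbook: dependency-ordered steps, each with documented
manual actions and a functional test, plus a validator for the gaps that would
leave a stand-in operator stuck.

Added example for this article, not a Databarracks artefact. Systems, addresses
and checks are constructed; the `verify` callables stand in for the functional
and user tests an operator runs after each step.
"""
from dataclasses import dataclass
from graphlib import CycleError, TopologicalSorter
from typing import Callable, Optional


@dataclass
class Step:
    system: str
    depends_on: list[str]
    actions: list[str]                    # manual fixes and work-arounds, in order
    verify: Optional[Callable[[], bool]]  # functional/user test; None = undocumented


def recovery_order(runbook: list[Step]) -> list[str]:
    """Order systems so every dependency is recovered before what relies on it."""
    graph = {s.system: set(s.depends_on) for s in runbook}
    return list(TopologicalSorter(graph).static_order())


def validate(runbook: list[Step]) -> list[str]:
    """Problems that stop someone else following the runbook: unknown
    dependencies, dependency cycles, steps with no actions, steps with no test."""
    problems = []
    known = {s.system for s in runbook}
    for s in runbook:
        for dep in s.depends_on:
            if dep not in known:
                problems.append(f"{s.system}: depends on undocumented system {dep!r}")
        if not s.actions:
            problems.append(f"{s.system}: no recovery actions written down")
        if s.verify is None:
            problems.append(f"{s.system}: no functional or user test defined")
    try:
        recovery_order(runbook)
    except CycleError as exc:
        problems.append(f"dependency cycle: {' -> '.join(exc.args[1])}")
    return problems


def execute(runbook: list[Step], log=print) -> tuple[list[str], Optional[str]]:
    """Walk the runbook in recovery order, logging each action, and stop at the
    first system whose test fails. Returns (recovered systems, failed system)."""
    problems = validate(runbook)
    if problems:
        raise ValueError("runbook is not usable: " + "; ".join(problems))
    by_name = {s.system: s for s in runbook}
    recovered = []
    for name in recovery_order(runbook):
        step = by_name[name]
        log(f"== {name} (after: {', '.join(step.depends_on) or 'nothing'})")
        for i, action in enumerate(step.actions, 1):
            log(f"   {i}. {action}")
        if not step.verify():
            log(f"   TEST FAILED for {name}; fix before continuing")
            return recovered, name
        log("   test passed")
        recovered.append(name)
    return recovered, None


# --- constructed sample state and runbook -----------------------------------
# Simulated post-recovery health; in practice each lambda would query the system.
STATE = {"dns": True, "ad": True, "db": False, "app": True}

RUNBOOK = [
    Step("dns", [], ["Power on dns01 at the DR site",
                     "Change the A record for app.example.test to 10.20.0.15 (DR address)"],
         lambda: STATE["dns"]),
    Step("ad", ["dns"], ["Boot domain controller dc01",
                         "Reboot once after the IP change so SRV records re-register"],
         lambda: STATE["ad"]),
    Step("db", ["ad"], ["Start the PostgreSQL service on db01",
                        "Run the integrity check before opening connections"],
         lambda: STATE["db"]),
    Step("app", ["db"], ["Restart the application pool",
                         "User test: log in and open a customer record"],
         lambda: STATE["app"]),
]

# A runbook with the gaps the validator is meant to catch.
BROKEN = [Step("a", ["b"], ["Restore from snapshot"], None),
          Step("b", ["a", "c"], [], lambda: True)]

if __name__ == "__main__":
    print("order:", recovery_order(RUNBOOK))
    recovered, failed = execute(RUNBOOK)
    print("recovered:", recovered, "stopped at:", failed)  # ['dns', 'ad'] db
    for p in validate(BROKEN):
        print("BROKEN:", p)
```

Because `validate` runs on every exercise and `execute` refuses an unvalidated runbook, the test-and-update cycle Butler recommends has a concrete artefact: each DR test either passes cleanly or produces a list of gaps to fix before the next one.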
This post was sponsored by Databarracks. Register for the webinar: 'Ransom aware: The true cost of paying out and the value of business continuity'