The cloud is big and welcoming, but it’s not enough as cyberattackers go after backups.
The rules for backing up critical data and systems are changing, as cybercriminals look for new paths to exploit.
The original idea around backups was to deposit all data in a second location. In case of attack, that backup would be used to restore operations. With the advent of cloud services, backups became easier than ever.
But ransomware attacks are growing increasingly sophisticated. Attackers now go searching for the backups as well as primary systems.
A recent study by British IT security company Sophos found that cybercriminals attempted to go after backups in 94% of attacks in the past year.
And those attacks were costly: Companies where backups were compromised were nearly twice as likely to have paid ransom to recover data as those with no backup damage (67% versus 36%), the study found.
The ransomware demand was twice as much when backups were breached: an average of $2.3 million versus $1 million, according to Sophos.
Companies need another layer of security, says Tim Wilkinson, global head of cybersecurity operations at Rolls-Royce. Specifically, they need an offline vault that attackers can’t get to.
“In cybersecurity – and you hear this from everyone – it’s not a matter of ‘if’ but ‘when,’” said T.J. Mayotte, a Maryland-based IT executive who has worked in government and the defense and finance industries. “Immutable backups go to the top of the list, because if there’s no wall that’s high enough and no moat that’s deep enough, then backup is the most critical thing you can do.”
Mayotte and other industry experts emphasize the importance of a 3-2-1 rule: Have three copies of your data; store two copies locally (one online and one offline); and keep one copy off site.
This approach not only safeguards data from ransomware but also protects against accidental data loss due to hardware failures or natural disasters.
But not every system is the same.
“It’s not binary,” Mayotte said. “You don’t back everything up the same way.”
Think about the most critical systems – what you would need, for example, if a tornado flattened your operations. “You have to be willing to spend a little bit more and spend a little bit more time on offline immutable backups for those true critical systems,” he said. “And then have different layers for everything else.”
Be smart about the cloud
It’s also good to know exactly where your cloud-based data and systems are being stored. If you use, for example, Amazon Web Services, your hosting takes place in a certain location. “You can pay a little bit more to have a backup in a separate geographical space,” Mayotte said. “But it’s worth doing that level of effort to have true separation between your backups.”
Test, or regret
You also can’t build the vault and forget it. If you haven’t tested your backup system, assume it doesn’t work, Mayotte said.
“What I’ve seen is that when you have the event and you go to use that backup, it doesn’t work because you never tested it, because everyone’s afraid to do that,” he said.
So companies need a strategy and a plan, and also some active steps to make sure the backup is there when they need it.