Voting for data loss

Here’s a question for you, if you were sat in a room and someone asked;

“hands up who votes to lose their critical data?”

How many of you, be you a storage admin, IT Manager or CIO, would pop your hands up and vote yes?

None of you I guess, so imagine my surprise when I found this article a few weeks back over on and as you can imagine what caught my attention was the headline

“Most business owners wouldn’t pay if hit with ransomware attack”

Or, if they were sat in the room when that question was asked they were putting their hands up saying, “yes, I’ll lose data please!”.

The article also contained some interesting statistics;

  • 84% of U.S. business owners would not pay if they become the victim of a ransomware attack, even if that means permanently losing data.
  • 65% of businesses have not budgeted extra funds to regain access to systems and data if they were to become ransomware victims.
  • Ransomware is now the most prolific cyber threat of 2016

So clearly few would pay any kind of ransom for their data even though only 33% of them felt their businesses could survive without access to critical data for any length of time, but surely our survey respondents must have had a plan.

Well some did, they felt they were protecting themselves with appropriate backup regimes, however 22% of the respondents did say they were not sure how to backup and protect their systems and even more worrying they were not aware they needed to!

Just in case you wondered if ransomware was a problem, I loved the closing statement from Adam Levin from IDT911 who said;

“We’re talking about complete and utter paralysis of systems that could spell lost revenue, viciously impacted customers and a potential near-extinction level event for a business,”

Serious stuff then and ransomware is indeed a significant issue and although much of the article focuses on US businesses the threat is no less prevalent in the UK.

With that in mind I thought it would be apt to share a little bit of experience of dealing with this problem and how I’ve worked with a number of businesses to help to mitigate against the risk of this kind of attack and if this helps a couple of you avoid the potentially devastating effects of a ransomware attack, hopefully I’ve done my good deed for the day!

Where to start then? A good starting point can be found at the end of the article with Adam Levin’s closing statement;

“Businesses need a comprehensive cyber security strategy that includes prevention, monitoring and damage control.”

What does a comprehensive strategy as discussed by Levin practically look like?

As mentioned earlier I’ve had a bit of experience with ransomware attacks over the last 18 months with a handful of our customers finding themselves victims , fortunately however they greatly reduced the severity of the impact by having an appropriate strategy in place.

So after been a little surprised at the statistics and attitudes on show in the Ciodrive article, I thought sharing the steps these businesses took to protect themselves may be useful.

As with any strategy it’s important to have the right starting point and today when discussing data threat that place is “assume breach”, that is, the threat is already inside your network. If we start with that assumption, then we can look at how we protect our critical data assets.

In my experience robust protection is built on 4 simple steps;

Spot it

It’s fair to assume signature based AV tools are not going to spot such an attack, we need to be smarter, how are we smarter? By using tools that understand our users behaviour and importantly spot the unusual and ransomware attacks are very unusual.

For example, when Billy who normally accesses 10-15 files, suddenly accesses a 1000 in two minutes, we need to be able to identify this behaviour and address it, because the likelihood is, Bill has not just become super productive, but his account is likely to be carrying out activity it shouldn’t.

Deal with it

We not only need to be made aware of a problem, but have systems that allow us to address this unusual behaviour as soon as we see it, so when Bill’s account is happily opening 1000’s of files in minutes, we don’t want an email in the morning telling us Bill was happily encrypting all of our data, we need a policy and workflow that can spot it and stop it.

Identify the damage

To effectively resolve a ransomware attack it’s important our smart tools not only spot the behaviour and stop it, but also record it, so we can quickly see the extent of the damage that our friend Bill’s account has done, why? because once we have identified it we need to be able to look at our options for recovery of the now encrypted data with a ransom on its head.

Recover it

Our recovery options are dependent on our recovery point objective for our key data, it’s important we understand how much we can afford to lose in any incident, be that loss of a storage device or a ransomware attack, so if your business can only afford a one-hour data loss you best make sure your data protection regime can meet that recovery point, there is no benefit in nightly backups if you can’t afford to lose more than one hours’ worth of data is there?

If we look back at Adam Levins’ quote

Businesses need a comprehensive cyber security strategy that includes prevention, monitoring and damage control

Hopefully you can see how the steps I’ve described help meet that comprehensive strategy of prevention, monitoring and damage control.

We’ve seen real life examples where those simple steps have saved businesses from any significant impact of a ransomware attack, so if you can put them in place, then next time you are in a room and asked “who votes to lose data?” you can keep your hands safely by your side.

If you have any comments on this or any of your own experiences you’d like to share, then please leave a comment on here or find me @techstringy on twitter or on LinkedIn and share your story.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.