Often, companies will discover that things are stored where they shouldn't be stored, like payment data being stored on employee laptops. As a result, the back-up project will often run concurrent with a data loss prevention project, Watkins says.
6. Back up entire business processes
Ransomware doesn't just affect data files. Attackers know that the more business functions they can shut down, the more likely a company is to pay a ransom. Natural disasters, hardware failures, and network outages don't discriminate either.
After they were hit by ransomware, Kodiak Island's VanDyke had to rebuild all the servers and PCs, which sometimes included downloading and re-installing software and redoing all the configurations. As a result, it took a week to restore the servers and another week to restore the PCs. In addition, he only had three spare servers to do the recovery with, so there was a lot of swapping back and forth, he says. With more servers, the process could have gone faster.
A business process works like an orchestra, says Dave Burg, cybersecurity leader at EY Americas. "You have different parts of the orchestra making different sounds, and if they're not in sequence with each other, what you hear is noise."
Backing up just the data without backing up all the software, components, dependencies, configurations, networking settings, monitoring and security tools, and everything else that is required for a business process to work can make recovery extremely challenging. Companies too often underestimate this challenge.
"There's a lack of understanding of the technology infrastructure and the interconnections," says Burg. "An insufficient understanding of how the technology really works to enable the business."
The biggest infrastructure recovery challenges after a ransomware attack typically involve rebuilding Active Directory and rebuilding configuration management database capability, Burg says. It used to be that if a company wanted a full back-up of its systems, not just data, that it would build a working duplicate of its entire infrastructure, a disaster recovery site. Of course, doing so doubled the infrastructure costs, making it cost prohibitive for many businesses.
Today, cloud infrastructure can be used to create virtual back-up data centres, one that only costs money while it is being used. And if a company is already in the cloud, setting up a back-up in a different availability zone -- or a different cloud -- is an even simpler process. "These cloud-based hot-swap architectures are available, are cost effective, and are secure, and have a great deal of promise," says Burg.
7. Use hot disaster recovery sites and automation to speed recovery
According to Veritas, only 33 per cent of IT directors think they can recover from a ransomware attack within five days. "I know companies who are spending a lot of money on tapes and sending them off to Iron Mountain," says Watkins. "They don’t have the time to wait an hour to get the tapes back and 17 days to restore them."
A hot site, one that's available at the switch of a key, would solve the recovery time problem. With today’s cloud-based infrastructure, there's no reason not to have one.
"It's a no-brainer," says Watkins. "You can have a script that copies your infrastructure and stands it up in another availability zone or another provider altogether. Then have the automation ready to go so that you hit play. There's no restore time, just 10 or 15 minutes to turn it on. Maybe a full day if you go through testing."
Why aren't more companies doing this? First, there's a substantial cost to the initial setup, Watkins says. "Then you need that expertise in house, that automation expertise and cloud expertise in general," he says. "Then there are things like security controls that you need to set up ahead of time."
There are also legacy systems that don't transfer to the cloud. Watkins points to oil and gas controllers as an example of something that can't be replicated in the cloud.
For the most part, the initial cost of setting up the back-up infrastructure should be a moot point, Watkins says. "Your cost to set up the infrastructure is much less than paying the ransomware and dealing with the reputation damage."
For companies struggling with this, one approach could be to focus on the most critical business processes first, suggests Tanner Johnson, principal analyst for data security at Omdia. "You don't want to buy a million-dollar lock to protect a thousand-dollar asset," he says. "Define what your crown jewels are. Establish a hierarchy and priority for your security team."
There's a cultural barrier to investing proactively in cybersecurity, Johnson admits. "We are a reactionary society, but cybersecurity is finally being seen for what it is: an investment. An ounce of prevention is worth a pound of cure."
8. Test, test, and test again
According to Veritas, 39 per cent of companies last tested their disaster recovery plan more than three months ago -- or have never tested it at all. "A lot of people are approaching back-ups from a back-up point of view, not a recovery point of view," says Mike Golden, senior delivery manager for cloud infrastructure services at Capgemini. "You can back up all day long, but if you don’t test your restore, you don’t test your disaster recovery, you’re just opening yourself to problems."
This is where a lot of companies go wrong, Golden says. "They back it up and go away and are not testing it." They don't know how long the back-ups will take to download, for example, because they haven't tested it. "You don't know all the little things that can go wrong until it happens," he says.
It's not just the technology that needs to be tested, but the human element as well. "People don't know what they don't know," Golden says. "Or there's not a regular audit of their processes to make sure that people are adhering to policies."
When it comes to people following required back-up processes and knowing what they need to do in a disaster recovery situation, the mantra, Golden says, should be "trust but verify."