With AI writing ransomware and entrepreneurs selling ransomware kits on the dark web to enterprising threat actors, odds are pretty good we’ll all be affected at some point. Because this kind of malware often sits dormant for a while before it wakes up and takes your entire hard drive hostage, it can be hard to remove. It often gets restored from backups during the recovery process, meaning the situation will repeat over and over after restoring the data like the movie Groundhog Day with Bill Murray.
In addition to using a good antivirus tool to detect and stop ransomware before it destroys your data, having good backups is one of the best ways to minimize the impact and be able to sleep at night, knowing your data and systems are recoverable. But are your backups actually capable of recovering your data in a timely manner?
In the business, we look at two key terms to assess the effectiveness of a backup solution: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Let’s look at what these two key measurements mean and how they should be used to drive backup configurations.
The RPO measures how much data will be lost if forced to restore from backups. It’s the maximum age of data contained in the most recent backups. For example, if backups run every night at 01:00, in the worst-case scenario, if an incident happened at 12:59am, all data from the previous 24 hours would be lost because it had not yet been backed up. Thus, the RPO would be 24 hours. Thought should be given to determine how much data loss can be tolerated without disrupting business processes. If the data will be recreated, how much time can the business afford to devote to data re-entry or recreating key documents before it becomes impractical and disruptive to business operations?
Tools like Microsoft OneDrive, GoogleDrive, Apple’s Time Machine, and others are readily available for both businesses and consumers. These tools can help with the RPO by keeping versions of individual files and by syncing copies in cloud storage in real-time. An admin, or even a user in self-service mode, can quickly restore a file back to a specific date and time. And, once configured, these tools are automatic. They don’t require users to manually backup individual files and folders on a regular basis.
Where simple solutions like OneDrive aren’t available, practical, or technically feasible (i.e. backing up a database), care should be taken to set up proper backup schedules using appropriate tools for each system or service. For example, virtual servers and databases can be backed up via snapshots to minimize downtime while the backup is captured. This strategy needs to include a combination of incremental and full backups, saving one to six months or more on a rotational basis for each type of backup based on the desired RPO. This will ensure the ability to restore to a specific point, though it will mean the space required for all the backups will be many times more than the original data.
Working in conjunction with the RPO, the recovery time objective is a measure of how long it will take to restore data from backups. Restoring files and data from cloud, disk or even (gasp) tape, can take a significant amount of time. While the restore is happening, the business will be down. Having a backup strategy that uses appropriate technology and speed of recovery is critical to operational restoration. Additionally, knowing which data to restore first to re-enable operations as quickly as possible is also key. If an organization has terabytes of historical or archival documents and only a few hundred megabytes of current working documents for active client engagements, restoring the active documents first would only take minutes to enable business resumption. The archives could be restored in the background while employees returned to work, minimizing downtime. If, however, the backups were set to restore the archival data first, or all data at the same time, it may take many hours or days to restore everything, leaving employees waiting around and business operations at a stand-still the entire time.
In a perfect world, it’s ideal to minimize the recovery point objective so little to no data is lost, and to minimize the recovery time objective so normal business operations can be resumed as soon as possible. However, technical limitations and cost considerations may require tradeoffs to be made for each of these measurements. The key is to make those decisions consciously, so the impact is known, and preparations made ahead of time. If you haven’t thought about RPO and RTO, during a high- stakes security incident is not the time to get acquainted.
Once an appropriate backup strategy has been determined and implemented, it must be tested on a regular basis. At least annually, exercises should be performed to restore specific files as well as entire systems, and the data verified to be accurate. Quarterly reviews are even better. This ensures the backup system is in good working order and verifies the ability to recover from an unexpected event. This validation step is crucial. Too many businesses find out during a critical incident that backups were ineffective. They are unable to recover from an unexpected event because the backups weren’t working, were not backing up the right files or didn’t go back far enough to predate the unexpected event.
One final consideration that could result in catastrophic data loss is cloud backup. It’s a common misconception that cloud services and data are automatically backed up by the cloud service provider. Using solutions like OneDrive to back up to vendor cloud is a great strategy. But, what happens if the cloud solution is unavailable, has technical issues or perhaps ceases operations unexpectedly?
All data stored in the cloud should also be backed up to a secondary location. That location could be a different cloud storage provider, or it could be a local storage unit or other medium that is stored on site. The ultimate destination doesn’t really matter, as long as there’s a backup plan in case the cloud solution is unavailable. And just like with the mainstream backup solution, the cloud backup needs to be tested, at least annually, to avoid potential business disruptions.
If all of this feels like too much to think about, don’t worry. You’re not alone. A multitude of vendors exist, specializing in backup and recovery solutions. It might be a good idea to call in the professionals to setup and configure an appropriate backup and recovery solution based on business needs. Most of the work should be done upfront as part of installation and configuration. Users should expect a maintenance fee to cover having a tech on standby for a recovery event, as well as costs for annual testing and potentially for the storage if using the vendor’s medium or cloud environments. With or without a vendor to help, take a few minutes to review your backups today. It will save time and headaches tomorrow, and could possibly save your business too.