Ransomware mitigation with backups. It can work well for small or medium-sized companies that cannot afford large budgets for securing their systems

Provided that certain conditions are met

In a previous post I wrote about the balance that always has to be struck between cost and risk, cyberattacks included. There I expressed the view that there is no point in spending heavily on some fancy security tool to cover a risk that, if it materialised, would cost the company far less than the tool itself.

Of course, this article is for those who are more concerned with restoring the functionality of their servers than with the sensitivity of their data. For example, SMEs acting as intermediaries in the wholesale trade of goods or in transport are probably more concerned with getting their data back than with the public exposure of their staff's data in a breach (although data protection authorities have lately been issuing significant fines for data breaches, so a trade-off between potential penalties and the information security budget, whichever is lower, may need to be assessed).

This is the case for small companies and for some medium-sized ones. In the end, wiping everything and starting from scratch, taking the data from paper records and entering it again into the company's system, be it an ERP or some other system, may cost less than securing that system with a disproportionate budget.

However, if you have good back-ups in place, you do not need to start from scratch, only from the last back-up, provided that several preconditions are met in respect of those back-ups.

Courtesy of Boardish – IT and Cyber That Speaks The Board's Language, the twenty-second video below explains what happens in a ransomware attack (he he he, very funny! But when it hits in real life it is not funny anymore).

Back-ups will mitigate ransomware attacks cleanly provided that:

  • you have back-ups defined according to your risk appetite, and your organisation is prepared to wipe all current live data from the production environment (this is how you also get rid of the malware, since you do not have the decryption key and may not want to pay the ransom)
    • the frequency of the back-ups is defined by how far back in time you are willing to repeat the latest data entries in your systems (while staying within the risk parameters defined in your strategy, so that you are virtually unaffected) in order to be up to date and have the latest customer transactions available again. This procedure assumes that the data is taken from paper (contracts, written customer applications, customer orders in written form). Recovering data from e-mails is a separate activity, and in this article I presume that your e-mail server is hosted in the cloud; with an on-premises e-mail server and no cloud back-up you lose the opportunity to recover customer data from e-mails, so if the ransomware spreads to the e-mail server as well, that data will not be recovered at all
    • the time needed to re-enter the data since the last back-up (so as to be up to date) is acceptable, or at least you have defined in advance a task force that is available on request to do such data entry, and you have procedures in place for how to do it
    • the time needed to reset your systems, or to reinstall all systems from the installation kits, is not excessive and is feasible within the predefined time frame
    • last but not least: testing the back-ups regularly will avoid surprises, namely when everything has been recovered from the back-ups but the systems do not work, or recovering from the back-ups turns out to be a messy process (so rehearsing the data recovery procedures regularly is essential)
  • a second condition is to have the back-ups decoupled from your live systems (unless you use a real-time back-up technology, in which case you need a third back-up made manually and decoupled from the live environment, namely on tapes or other independent systems that stay off-line all the time, a safe store of data if you like). Yes, you got it: keeping the back-up systems connected on-line to your live systems (so that back-ups run automatically at predefined intervals) has the downside that the ransomware can reach the back-up systems over the same network paths and credentials as production and encrypt or delete those back-ups too.
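The first condition and its last sub-point (back-ups on a schedule matching your accepted data-loss window, and restores rehearsed regularly) can be turned into a small drill script. The following is an added example, not code from the original post or from Boardish; the data directory, the back-up location and the 24-hour window are hypothetical, and it assumes GNU coreutils and find (sha256sum, find -mmin). Taking the verified archive off-line (tape, a detached disk) is the operational step for the second condition and is not something this script can do for you.

```shell
#!/bin/sh
# Added example (not from the original post): a back-up and restore drill for a
# small company's data directory. It covers three points from the conditions
# above: back-ups taken on a schedule and checked against a maximum age (the
# accepted data-loss window), an integrity manifest so that a corrupt or
# truncated copy is noticed before you rely on it, and a restore rehearsal
# into a scratch directory. Paths and names are hypothetical.
# Assumes GNU sha256sum and GNU/BSD find with -mmin.

# backup_take SRC_DIR BACKUP_DIR
# Archive SRC_DIR into BACKUP_DIR (which must lie outside SRC_DIR, otherwise
# the archive would include itself) and write a SHA-256 manifest beside it.
# Prints the archive path.
backup_take() {
  src="$1"; dest="$2"
  mkdir -p "$dest" || return 1
  dest=$(cd "$dest" && pwd) || return 1      # absolute, survives the cd below
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/backup-$stamp.tar"
  ( cd "$src" && tar -cf "$archive" . ) || return 1
  # Hash every file as seen from inside SRC_DIR, so the same manifest can be
  # checked from inside the restore directory later.
  ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
    > "$archive.sha256" || return 1
  echo "$archive"
}

# restore_verify ARCHIVE SCRATCH_DIR
# Rehearse a restore: unpack into SCRATCH_DIR (which is wiped first) and check
# every file against the manifest. Fails if the archive is truncated,
# corrupted or incomplete, i.e. exactly the surprise you want before an attack.
restore_verify() {
  archive="$1"; scratch="$2"
  manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
  [ -f "$manifest" ] || return 1
  rm -rf "$scratch" && mkdir -p "$scratch" || return 1
  tar -xf "$archive" -C "$scratch" 2>/dev/null || return 1
  # sha256sum -c re-hashes every listed file; a mismatch or a missing file
  # makes it exit non-zero.
  ( cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1 ) || return 1
}

# backup_age_ok BACKUP_DIR MAX_HOURS
# Succeeds only if at least one archive is newer than MAX_HOURS, the most
# data (re-entered from paper afterwards) you have decided you can lose.
backup_age_ok() {
  dest="$1"; max_hours="$2"
  recent=$(find "$dest" -name 'backup-*.tar' -mmin "-$((max_hours * 60))" \
             2>/dev/null | head -n 1)
  [ -n "$recent" ]
}

# Demonstration on constructed sample data standing in for an ERP export.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/data/orders"
  printf 'order 1001: 40 pallets\n' > "$work/data/orders/1001.txt"
  printf 'contract A, signed\n'     > "$work/data/contract-A.txt"

  archive=$(backup_take "$work/data" "$work/backups") || return 1
  if restore_verify "$archive" "$work/restore"; then
    echo "restore drill OK: $archive"
  else
    echo "restore drill FAILED: $archive"; return 1
  fi
  if backup_age_ok "$work/backups" 24; then
    echo "newest back-up is within the 24h window"
  else
    echo "no back-up within the 24h window"; return 1
  fi
  rm -rf "$work"
}

demo
```

Run the file as it is and it performs the drill on the sample data. In practice you would point backup_take at the directory your ERP exports to, schedule it at the interval you settled on for the first condition, copy the archive and its manifest off-line, and then run restore_verify against a copy brought back from that off-line medium, so that the rehearsal exercises the same media you would depend on after an attack rather than the on-line copy.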

You know what? The preconditions above follow good practice and security standards; the trouble is that they are only more or less applied, varying from one enterprise's IT department to another. Real life is different from the standards, and I just hope you already have these measures implemented in real life. If not, and you are a small or medium-sized company that relies significantly on an ERP or other IT system to support your business operations but cannot afford a big budget for securing the company against cyberattacks such as ransomware, you might need to consider implementing the recommendations above.

In that case I would say you are probably free of the consequences of a ransomware infection that penetrates your organisation despite all the security controls in place.

In this happy-ending situation you do not have to pay the ransom.

However, this does not mean that security controls and protective measures against cyberattacks can be ignored completely: ransomware is one type of attack, but there are plenty of others out there ready to catch you unprepared (if there is data at stake).

Nevertheless, since the time needed to recover the business is the most critical and vital criterion for any organisation, I would say that mitigation by back-ups as explained in this article (provided the conditions listed above are met) can work satisfactorily and get you back in business quickly.

Note: another assumption made in this post is that the decision whether or not to pay the ransom also takes the sensitivity of the data into account. When I spoke about cost and risk, I presumed that all the costs of the risk materialising, for example fines from authorities (data protection authorities, say) for sensitive data leaking outside the company because securing its operations was not enough, or reputational damage such as losing one or several important customers, had been quantified, and that the decision was taken not to pay the ransom.
