Death and taxes used to be the only two certainties in life, with the current business and cyberthreat landscape, cyberattacks are now very much a third.


Data management: backup and recovery can make a difference in cyberattacks

  • There is still a significant journey that organizations must undertake to establish data management and cyber-resilience.
  • It is vital for businesses to recognize that it’s not simply about recovering data, it’s about recovering data to restore business processes.
  • While a business should aim to be back up and running as soon as possible after a cyberattack, IT outage, or other disaster event, this is not nearly as simple as it sounds.

It’s been an eventful time for Australia recently. While winning the Cricket World Cup may have sparked some joy, the reality is that businesses in Australia are increasingly concerned about the number of cybersecurity incidents happening in the country.

Despite the government making changes to cybersecurity laws and businesses investing heavily in their cyber defenses, cybercriminals are still finding ways to infiltrate systems and wreak havoc on Australian businesses.

The recent DP World cyberattack, affecting several ports in Australia, highlights how vulnerable systems can be. The cyberattack forced the company to stop operations for a few days. Although the port has now resumed operations, the incident raised several questions.

One particular question arises about the importance of strong backup and recovery plans. Could the downtime have been reduced if the company had had a well-planned backup and recovery option?

Australia's Minister for Cyber Security is focused on improving the country's cybersecurity and data management strategies.


To understand more about this, we caught up with Michael Alp, managing director for Australia and New Zealand at Cohesity.

TWA: Could an efficient data management system have reduced the damage these companies faced and are organizations paying the ransom because they don’t have sufficient backup?  

Michael Alp, managing director for Australia and New Zealand for Cohesity.


Firstly, it’s important to note that the complete details of the DP World cyberattack have not yet been fully disclosed. However, the occurrence of the attack is not surprising, given that businesses now operate in a world where cyberattacks are a matter of when, not if.

In fact, when we polled 509 Australian & New Zealand IT and security decision-makers (split 50:50) in our 2023 State of Data Security & Management survey, 56% said their organization had been a victim of ransomware in the six months prior to being surveyed, and 95% felt the threat of ransomware to their industry had increased in 2023 compared to 2022.

That means it’s also unsurprising that 71% of respondents lack full confidence in their company’s ability to recover data and critical business processes after a system-wide cyberattack. This finding underscores both the necessity of cyber-resilience and the challenges in establishing or maintaining it.

Cyber-resilience is the ability to continue delivering business outcomes and generating revenue, even in the face of an adverse cyber-event. When a malicious attack occurs, it’s not just a business’s technology, people, or processes that are tested, but their cyber-resilience, due to its crucial role in ensuring business continuity in the digital world.

While efficient backup alone wouldn’t have prevented DP World’s cyberattack, modern data security and management capabilities might have helped either prevent the attack or limit its impact. These capabilities could have enabled quicker recovery, contributing to cyber-resilience. Notably, the reported cause of the attack was a failure to patch a vulnerability, a fundamental cybersecurity measure.

Modern data security and recovery technology provides organizations with critical capabilities like encryption and immutability, ensuring data integrity. It also enables the detection of attacks and compromises in real-time through AI and ML anomaly detection, and integrations with third-party security solutions, as well as facilitating automated rapid recovery and instant mass restore at scale.

However, if our survey data is anything to go by, there is still a significant journey that organizations must undertake to establish cyber-resilience and adopt the modern data security and recovery technology that today’s threat landscape demands.

95% of ANZ respondents to our survey revealed their organization would consider paying a ransom if it meant being able to recover data and restore business processes. This, coupled with more than 4 in 5 saying their organization would need four or more days to recover data and restore business processes if a cyberattack occurred, certainly suggests that cyber-resilience and data recovery gaps are leading to organizations paying, or at least considering paying, ransoms.


Gantry cranes are seen behind signage for ports operator DP World at an entrance to the Port Botany compound in Sydney on November 13, 2023. (Photo by DAVID GRAY / AFP)

TWA: Is paying the ransom cheaper than going through backup and recovery?  

According to Gartner, the average cost of a ransomware attack is 10 to 15 times the ransom demand, a concerning statistic for companies considering ransom payment as a fallback option in the event of a cyberattack.

Given that the average ransom demanded globally has risen from US$812,380 in 2022, to US$1,542,333 in 2023, according to the Sophos State of Ransomware 2023 report, this means that simply paying a ransom as a reactive countermeasure is likely to not be nearly as cost-effective as proactively procuring the right cybersecurity, data security, and data recovery capabilities that allow you to recover without paying the ransom.

It is up to each business to determine if paying a ransom is an acceptable option. However, there will be some companies that are forced to make this decision in response to an adverse cyber-event because they do not have the right cyber-resilience capabilities in place to refuse the ransom, or because there is a gap in their cyber-resilience strategy.

There are multiple reasons why paying a ransom is a bad and ineffective response, including:

  • It does not guarantee that you will recover all your data and restore your business processes to their prior state.
  • Often, the data, when returned, is so corrupted, irrevocably encrypted, or misaligned that it requires a ‘professional services’ fee to be paid to malicious actors to help you reinstall it.
  • Malicious actors may return only parts of your business-critical data and demand a second or even third ransom payment; some malicious actors leave backdoors or malware to make a secondary compromise easier.
  • Ultimately, some of the ransom payment will be used to fund a strike on another business.

As many countries consider banning ransom payments, relying on them instead of cyber-resilience is not a sustainable long-term strategy for recovery from cyberattacks.

According to Gartner, the average cost of ransomware is 10 to 15 times the actual ransom demand, making data management more important.


TWA: What are reasonable recovery times for any business experiencing a cybersecurity incident?  

It’s vital for businesses to understand that recovering from a cyberattack isn’t just about retrieving data; it’s about restoring business processes. This is crucial because a cyberattack compromises not only data but also a business’s operational ability, making attacks like ransomware particularly destructive.

Before determining an acceptable recovery timeframe—a period during which downtime can significantly impact revenue, brand reputation, and customer trust—it’s crucial for businesses to identify the data critical to their operations and assess its sensitivity, considering whether its compromise or theft would halt their business.

By pre-emptively assessing these data risks, a business ensures two things:

  • Firstly, that this data can be backed up and made recoverable, and that it can test its data recovery and business processes restoration plan.
  • Secondly, that it can determine what additional capabilities it may require or where the gaps exist in its data recovery strategy.

However, while a business should aim to be back up and running as soon as possible after a cyberattack, IT outage, or other disaster event, this is not nearly as simple as it sounds. When asked ‘How long would your organization take to recover data and business processes if a cyberattack occurred’ – in our 2023 Data Security and Management survey – over 99% of ANZ respondents revealed they would need over 24 hours, 80% said they would need more than four days, and almost half (47%) of respondents said over a week would be required.

This not only demonstrates the cyber-resilience and data recovery challenges that many organizations are facing, but also raises the question for businesses: how long can I afford to be offline? And for their customers: how long could I accept for a company to be offline before it affected my willingness to become or remain a customer?

These questions should guide businesses in defining a reasonable recovery timeframe and serve as criteria to measure the effectiveness of their cyber-resilience strategies and data security and management capabilities.

For data management, it is vital for businesses to recognize that it’s not simply about recovering data, it’s about recovering data to restore business processes.


TWA: Can AI play an important role in data management, especially for backup and recovery for cybersecurity incidents? 

Death and taxes used to be the only two certainties in life. With the current business and cyberthreat landscape, cyberattacks are now very much a third.

In fact, in our 2023 State of Data Security & Management Report, 79% of Australian respondents (402) revealed they were concerned about their organization’s cyber-resilience strategy being able to ‘address today’s cyber-challenges and threats.’ Given this sentiment, for many organizations, there are clearly improvements that can be made to their cyber-resilience strategies, and data security, management, and recovery capability gaps to address.

It is vital that organizations can protect and secure their data, detect cyberthreats such as ransomware, and respond or recover rapidly when the worst occurs. The good news is that not only are these capabilities provided by modern data security and management platforms, but many of these capabilities are also now being enhanced by AI or made possible by AI. These include:

  • AI- and ML-powered anomaly detection: to help monitor data and detect when anomalous changes are made to data, such as size or format, which typically indicate malicious activity is taking place or has taken place. This technology can recognize these patterns, triggering an alert that allows IT and security teams to act fast and respond to a compromise before it becomes a widespread attack, or limit its blast radius.
  • AI-enabled multifactor authentication (MFA): the strong importance of MFA is well-documented because of its ability to defend against password cracking and brute-force methods. With AI, MFA can be enhanced to account for behavior (such as typing speed), become adaptive (requiring multiple authentications based on data risk), or detect fraud (automatically blocking a user if their access strays beyond normal boundaries).
  • AI system behavior tracking: near real-time monitoring of privileged and administrative users for indicators of anomalous activity.
  • AI-enabled ransomware detection: AI can analyze network traffic or file access to identify activity that could indicate a ransomware attack is imminent or in progress, including by ingesting threat intelligence from external threat feeds that help pre-identify IOC indicators.
  • AI-enabled activity and behavior monitoring: AI can look at access and user behavior and determine if the activity is suspicious and could signal a ransomware attack: failed login attempts, excessive file access, or other activity that is out-of-band of established norms could be indications of ransomware activity. Activity monitoring can establish norms for both user and application behavior based on continuously analyzing activity logs with AI.
  • AI-enabled optimized scheduling: based on the critical need and usage of data, seasonality, and other variables, AI can adjust and optimize backup schedules to ensure recovery point objectives (RPOs) are always met.
  • AI retirement of inactive data: as part of the backup process, AI can help organizations determine what data has become dormant for archive. This helps reduce recovery time by eliminating the unnecessary recovery of unused data as well as creating efficiency and cost reduction in storage.
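An added illustration of the first bullet above (an example written for this page, not Cohesity's code): a robust change-rate baseline over backup snapshots, plus a check for files shifting to an extension never seen in the baseline, the "size or format" signals the answer describes. The snapshot summaries, thresholds and function names are constructed assumptions.

```python
from statistics import median

# Constructed snapshot history: bytes changed since the previous snapshot and
# the count of files per extension present in that snapshot.
SNAPSHOTS = [
    {"changed_bytes": 1.9e9, "ext_counts": {".docx": 4000, ".xlsx": 2500, ".pdf": 1500}},
    {"changed_bytes": 2.1e9, "ext_counts": {".docx": 4010, ".xlsx": 2510, ".pdf": 1500}},
    {"changed_bytes": 1.8e9, "ext_counts": {".docx": 4020, ".xlsx": 2505, ".pdf": 1510}},
    {"changed_bytes": 2.0e9, "ext_counts": {".docx": 4030, ".xlsx": 2520, ".pdf": 1515}},
    {"changed_bytes": 2.2e9, "ext_counts": {".docx": 4035, ".xlsx": 2530, ".pdf": 1520}},
    # Snapshot 6: a normal working day, slightly above the usual churn.
    {"changed_bytes": 2.3e9, "ext_counts": {".docx": 4040, ".xlsx": 2535, ".pdf": 1525}},
    # Snapshot 7: almost every file rewritten and renamed to an unseen suffix.
    {"changed_bytes": 41.0e9, "ext_counts": {".docx": 12, ".xlsx": 8, ".pdf": 5, ".locked": 8070}},
]

def change_rate_anomaly(history, current, k=5.0):
    """Flag a change-rate spike using median + MAD (robust to a few odd days)."""
    vals = [s["changed_bytes"] for s in history]
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0  # avoid division by zero
    score = (current["changed_bytes"] - med) / mad
    return score > k, score

def format_shift_anomaly(history, current, threshold=0.2):
    """Flag when more than `threshold` of files carry an extension never seen
    in the baseline window (a typical sign of mass encryption and renaming)."""
    known = set().union(*(s["ext_counts"] for s in history))
    total = sum(current["ext_counts"].values())
    unseen = sum(n for ext, n in current["ext_counts"].items() if ext not in known)
    frac = unseen / total if total else 0.0
    return frac > threshold, frac

def evaluate(snapshots, baseline_len=5):
    """Score every snapshot after the baseline window against a sliding baseline."""
    findings = []
    for i in range(baseline_len, len(snapshots)):
        history, current = snapshots[i - baseline_len:i], snapshots[i]
        rate_hit, score = change_rate_anomaly(history, current)
        fmt_hit, frac = format_shift_anomaly(history, current)
        findings.append({"snapshot": i + 1,
                         "change_rate_alert": rate_hit, "change_score": round(score, 1),
                         "format_alert": fmt_hit, "unseen_ext_fraction": round(frac, 3)})
    return findings

if __name__ == "__main__":
    for finding in evaluate(SNAPSHOTS):
        print(finding)  # snapshot 6 stays quiet; snapshot 7 raises both alerts
```

Either alert on its own is a reason to pause backup retention roll-off and treat the last clean snapshot as the recovery point.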