CIO

Backups can help beat ransomware, but one small mistake can lose them too

Ensure backups can be logically or physically separated from the network – and be judicious in using cloud backup services

Evolving ransomware attacks are becoming smart enough that simply following time-tested advice about data backup isn’t enough to ensure data protection, a senior IBM security strategist has warned.

As the security community looks past the WannaCry outbreak – which by all accounts spared businesses in Australia and the United States – IBM global executive security advisor Diana Kelley told CSO Australia that while it’s clear the outbreak was far from disastrous, it offers a significant point of reflection for those that avoided it by sheer luck.

“We really hope this is going to open an opportunity for people to understand that ransomware and other cyber threats are very real and have a significant impact,” Kelley said. “But rather than becoming frightened, it becomes a way to address the things that we need to do. And there are many things that organisations can do to increase their cyber hygiene.”

Intensive analyses have reinforced the potential danger from similar exploits and highlighted, in particular, the importance of data backup.

Having current backups of afflicted systems, the theory goes, allows businesses to quickly wipe systems and recover them to the latest restore point before the ransomware infection hit. This is valuable advice, Kelley said – but it’s not a complete solution because backups are increasingly being targeted by ransomware as well.

“It’s not always the most exciting thing to say ‘back up your critical data’ but having a backup would have really helped those companies” that were hit by WannaCry, she explained. “It’s really one of the most important things you can do to protect yourself.”

Yet that advice comes with a qualifier that is often missed: “You also need to make sure that if you’re using backup as your ransomware protection, that that backup is not available online through an insecure channel,” she added. “Make sure that it can be taken offline and not accessible.”

The warning comes as a growing number of companies look to online backups to streamline the process of data backup, which has remained a bugbear for most companies given the rapid expansion of the corporate threat surface due to mobile, cloud, and other data channels.

Cloud services – which Gartner has predicted will grow 17 percent this year alone and influence more than half of IT outsourcing deals by 2020 – have proven particularly valuable to “mom and pop” small businesses.

Some 55 percent of businesses used earlier backups to recover after a security incident, according to figures in the Cisco Systems 2017 Annual Cybersecurity Report, which found backups to be the second most-prevalent process for restoring affected systems – slightly trailing the implementation of new controls based on weaknesses identified after the incident.

Cloud backup services can also fulfil many requirements for larger businesses, Kelley said, but she warned that in every case the data services need to be approached with caution: a compromise of the cloud-backup service’s password, for example, could inadvertently give criminals access to data that is now stored well outside the controls of the organisation.

“What many people don’t understand is if they use the wrong cloud services, and if it doesn’t have access control, then rather than protecting their data by making a backup – they could have exposed the data by putting it at risk.”

Even well-meaning employees may put data into harm’s way by simply being “humans doing human stuff”, she said, emphasising the ongoing importance of user education that not only includes information about malware and ransomware, but highlights data-protection best practice and the need to not go it alone in protecting sensitive corporate data assets.

A recent analysis from SecureWorks highlighted the importance of segregated backups which – along with rights minimisation, response planning, and user education – “would have had the most significant defensive impact” against ransomware attacks. That firm’s cybercrime response team reported a 75 increase in the volume of security incidents involving ransomware during 2016.