Why Data Backups Are Critical to the Life of Your Business

Less than 10% of firms back up their data every day. Not having data backups in place leaves room for disaster. Are you backing up your data? Are you able to restore from those backups?

Prefer to read? (Transcription)

DAVIN: Thank you, Kindsey, for that warm introduction. Like I said, this is a deeper dive series that we’ve been doing coming up I believe on five weeks now. It’s Episode 5. We have one more episode next week, same time, Tuesday at 2:00. Today we’re talking about a very important topic on why data backups are critical to the life of your business. We have Tom Kirkham here. He’s joined on a couple other episodes as well. This is an exciting topic that not many people take too seriously, but you’ll understand why it’s critical to your business today.

But before we start, I’d like to start with a little fun fact. Last week we talked about Netflix. This week we’re talking about March 31st. Tom, do you know what day that is? What’s special about March 31st?

TOM: Thursday.

DAVIN: It is Thursday. Thirsty Thursday. No, that is actually World Backup Day. So it fits perfect for this week, and if you didn’t know that, now you know. Fun fact of the day.

Before we get started, we’re going to start with one simple question. It is: have you or someone you know experienced a cyberattack, a ransomware attack? It could be your friend down the street, could be a former organization. If you or someone you know experienced one, click yes or no.

TOM: That’s 20%.

DAVIN: And they’re still flooding in. It’s getting right at 40%.

TOM: I think that’s everyone.

DAVIN: Yeah. Nice. That’s just interesting to know. Cyberattacks are increasing every single year. We’re going to learn about that today. But hopefully you’ve got the proper security tools in place where you were able to say no to that.

What is a cyberattack? What is a ransomware attack? And what happens during that? To understand why backups are crucial and critical to the life of your business, you have to understand what actually happens during a ransomware attack. There are six stages during a ransomware attack. We’re going to break them down in groups of three.

It first starts simply by distribution. What we mean by distribution is that is how the malware or the bad code is distributed to your workstation, to your computer, to your network, to your system. Most of the time it happens by simply clicking on a link, opening a phishing email, downloading an attachment that you shouldn’t have. Once that happens, it basically opens the door for a ransomware attack, for a cyberattack. That’s when it begins to search for those vulnerabilities, those unpatched areas within your network. But that’s just the first step of a ransomware attack.

Next you go into the infection stage. This is where the attack spreads and begins and the infection process starts. This is where the ransomware is running in the background, it looks legitimate. You, on your end as a user, can’t really tell what’s going on, but in the background it’s actively spreading across your workstation and across your network.

Then, of course, it goes into the staging phase. I like to call this the housekeeping phase, where it’s really setting everything up to have a successful ransomware attack. You may see the ransomware moving into new folders. It begins to evolve, looking for the easiest way to have a successful attack. Seeing if you have admin rights, seeing what user privileges you have, basically what you have access to, and looking for that meaningful information that you’d be willing to pay ransom for – what they can do on your device, on your network, depending on how far it spreads.

This is a key point where admin rights are crucial. If you have admin rights to everything and you have privileges to everything, these cyberattacks have hit the jackpot because they have the keys to the kingdom now. So when you have policies in place like zero trust, where no one has keys to the kingdom, it makes this stage of the attack a little bit more difficult because you have limited access to that valuable information or those meaningful files, folders, those privileges.

Tom, do you have anything to add to that beginning stage of that ransomware attack?

TOM: Yeah. Ransomware will go out and find every device on the network and see what’s shared out. One of the problems that we see – and if there’s anybody in IT on this, I don’t mean to single it out. If you practice good practices, that’s terrific. But often we see IT professionals, either on staff or outsourced, will share out the folder so other network users can use it. But they share it to everyone. They don’t want to take the time and put the extra effort in – and frankly, it causes problems when you can’t get somebody up and running real quick.

Like when we bring a marketing intern on, they don’t have rights to the marketing folder until we specifically specify them to access it. We could share it to everyone, but the problem is that if all the shares are set to where everyone can see them, that means your attack surface is much larger. All it takes – say you’ve got 20 people. Now you’ve got 20 attack vectors for a ransomware attack. For all of the data on the network.

But if you limit say your QuickBooks folder to just one or two people, then only those two people can cause your QuickBooks folder to get encrypted. That’s an easy thing to fix. It doesn’t cost anything. It just takes a little effort to initiate and then to manage it going forward.

DAVIN: It’s easy, simple security policies. That’s that zero trust we’re talking about. Limit access for people to what they only need access to. If someone works in accounting, they don’t need access to all the IT credentials or the server credentials or the marketing credentials. They only need access to what their job entails. So it’s limiting that attack surface for the cyber attackers, and as you can see, in this stage it helps limit what they can access all at once.

On I guess you could say the second half of that cyberattack, it goes into the scanning phase. This is the stage where it’s preparing to take the files hostage. This is looking for content locally, on your workstation or device, as well as on the network level. Ransomware is focusing on those critical business files, what you need to operate so you’ll pay a good amount for it. But it also can attack vulnerable systems and limit your access to different things that you need to run your organization.

One thing that we’re seeing is it’s also looking for access to the backups. We’ll get into why, at the very end, if everything goes right for a cyberattack, you’d better hope and pray that your backups are working because they are critical in the situation of a cyberattack. This scanning stage where they’re preparing to take the files hostage is a good opportunity for your security team, your infosec team, to hopefully detect that infection or detect that activity that’s going on and do something about it.

I say your infosec team, the team of security specialists. That’s different from an IT team or whoever manages your IT. We’ve done webinars about this in the past; IT have different objectives at the end of the day: operations, keeping everything running smoothly. Your infosec team’s objective is to protect, make sure everything is in place to monitor and detect a circumstance like this.

During the scanning phase, hopefully you’ll have an infosec team in place to detect this activity that’s going on in the background. But if not, then we move into that next encryption phase. This is where the encryption begins. Those files, those important client information files, those folders begin to be encrypted, and then you lose access. Operations slow down, and at the end they come to a halt because you can’t do anything. You have access to nothing.

Now you’ll start seeing the next phase of the payday, where it says “The contents of this machine are encrypted. Send us (blank amount of money),” or you’ll see them ask for crypto or bitcoin, “to get your files back.” At that point they will make it very, very easy for you to pay them, give you step by step instructions. Then once you do pay, hopefully you get the decryption key. At that point, hopefully you get all of your information back.

That is just a brief scenario of how a ransomware attack goes. In that, there’s multiple points in that plan where if you have security controls in place, it can be stopped. You’re okay, your backups are great, you can rely on those. But in the end, if you have a successful attack, now what do you do?

You can pay the ransom, but hopefully you haven’t gotten to this point because hopefully you have that infosec team who’s prepared for this and they have policies and procedures in place to avoid you having to pay this ransom, to avoid this attack as a whole. But if not, you have the option to pay the ransom. This isn’t the best idea because 42% of affected organizations who have fallen victim to a ransomware attack did not get all their files get decrypted, or they didn’t get all their files back. They didn’t get all their information back.

As well as usually if you pay the ransom, that’s not the end of this ransomware attack. Usually there’s backdoors created where very, very soon after you pay that ransom, in the next year or however long, you are an easy target in their eyes. So they’re going to attack you again and hopefully go through the same motions on their end, and they end up with getting that ransom pay.

Or wipe your entire system, start from scratch. But this is when the backups come into play. Hopefully you have your good backups in place that have been monitored, tested, and checked regularly. I’ll get into very deep detail of why, if your backups aren’t being monitored, if they’re not being tested, if they’re not being checked, then they’re basically useless.

I ran into a similar example where a client, before they came to us, they were telling me about this experience they had. They work in the medical field, and an audit came around. During that audit, they had to go back and pull some files. I think it was from the past five years. During that audit, they went and looked I think six months back, and there was a gap. There was no information. There were no files, nothing. They didn’t understand why because they assumed that their backup was working, running smoothly. But when that audit came around and they actually had to test and check that backup to get the information, there was nothing. So they had a six month gap, and it ended up turning into a fine and a whole situation that simply could’ve been avoided by just checking that backup, seeing if it’s working.

That’s where you have specialists come in and actually do that job for you, making sure that everything’s running smoothly. If you have backups in place, that’s exactly what they’re there for. When something critical to the life of your business happens and you’re going through something crazy such as a cyberattack, you have your backups to rely on. Like I said, if they’re being tested, if they’re being monitored, they’re being checked regularly, then you’re in luck because you have nothing to worry about. That’s where your infosec team has certain policies and procedures in place to utilize those backups to get you back up and running as soon as possible with limited downtime.

The last thing you can do after a successful ransomware attack and you pay the ransom, I would advise thinking about what you could’ve done differently. Should’ve had an infosec team. Then, after you think about that, actually do something. Get the proper orchestration in place through your security specialists. One, if this happens, what are we going to do? Are our backups working correctly? Are we prepared for a situation like this?

That’s a brief example of a ransomware attack. Now, if a ransomware attack happens, I know I need my backups working. What is an actual data backup? If you’re talking about backups, what is that?

In simple terms, a data backup is copying data from one primary location to a secondary backup location to protect it in case of a fire, a disaster, accident, or something malicious like a cyberattack.

There’s multiple different types of backups. There’s removable media, redundancy, external hard drive, hardware appliances, and cloud-based. Some of these are bad backup practices and some of these are good backup practices. Tom, I know you love talking about different types of backups and which are the best practices and what are the worst practices. I know removable media like flash drives is definitely an old way of backups. Could you talk a little bit about the risk of that, as well as maybe some of the other backup types and what you’re seeing recently?

TOM: Yeah, that’s a really good question. In fact, I just did a webinar where I was asked – they briefly stated their backup method, and I think it was going to removable flash drives. But the simple thing is it depends – almost all backup strategies we implement are unique to that company. It’s really a lot more complex than people think it is.

But I do not like removable media or external hard drives because those aren’t ransomware-proof. They’re not going to be protected. So not only is your data going to be encrypted, but so is the backup, so you’re not going to be able to get it off of the backup. If there’s anybody on here that still is using tape backup, just stop. That is the worst backup method ever made, except there wasn’t anything better when you had big large datasets.

DAVIN: At that time.

TOM: Yeah. But it was still horrible. I hated it. I never put a tape in for backup for any client. At the time we were using external hard drives. Our options were limited. But even external hard drives were expensive. It was easier, cheaper to buy a tape drive.

What I mean by it’s really complex – you’ve got to understand, is this for disaster recovery? Is this backup for business continuity? What’s the size of the dataset? What is the time window based upon that dataset size? If you’ve got a terabyte of data or you change a lot of files all day long, like if you’re an engineering firm with a bunch of CAD files, your dataset that’s got to be backed up goes up a lot every day. If you’re a law firm, even though you may edit 40 Excel files and 40 Word docs a day, that data’s not nearly like a CAD file.

So your time window – the time that it backs up any changes to the files to the time it completes – for some clients, it’s two minutes. Some of them it’s five minutes. Some of them it’s an hour. If it’s a big engineering architecture firm that has a lot of big CAD drawings, it may be three hours. So the time windows enter into it. The speed of your internet connection, which I think offsite – almost all offsite methods, unless maybe you’re using file sharing technology, any of the others are going to be ransomware-proof – the ones that are designed to back it up. And then there’s others that we do both on prem and off prem.

To plan for a catastrophic server loss and it’s a big dataset, we’re going to do both on prem and off prem. That way, we’ve got smaller time windows if you’re backing to a local network device than going through that little bitty pipe in the cloud, your internet speeds. Really and truly, it just depends. We’ve got a method where we can virtualize desktops and you can be back up and running literally within minutes and it’s like nothing ever went wrong. And we can virtualize it both locally and in the cloud.

Then you’ve got to look at just data backups. Do we just want to do data? Almost always, it’s a combination of technologies, administrative procedures, and both on prem and off prem, and it’s using different vendors. Almost always, for all of our clients. And that’s the way you need to approach it because you want to cover – you might as well cover business continuity, not just cybersecurity. Not to mention the fact that modern ransomware attacks now have an extortionware component where they’re going to publish your data unless you pay the ransom.

DAVIN: There’s a lot more at stake.

TOM: Right. The best thing is all about what Davin’s saying, infosec being on your team right now.

DAVIN: Because they’re thinking about these things first off.

TOM: Right. Prevention is the best plan, preventing the cyberattack. But backups are a lot more complicated. But above all else, like Davin said, the biggest thing is no one monitors. If you’re not paying anyone to monitor your backups and periodically test restores, or you’re not doing it yourself, you don’t have a backup. You’ve got a wing and a prayer and you’re just going to hope they’re going to be there and didn’t break two months ago and you lost two months’ worth of work when you need it. They’ve got to be checked every day.

In our case, it’s often part of our duties. The infosec team checks those backups. Some companies, if you’ve got your own IT people, that’s their responsibility to check it. And if you’re outsourcing your IT and you’re not paying them to check it, I’d be willing to wager they’re not being checked. And I have never seen a backup system that works 100%, and I’ve never seen a backup system that tells you that it’s not working 100%.

DAVIN: Speaking on that, Tom, that leads us into our next slide. What could go wrong with your backups? It’s a very complex situation. There’s multiple things that can go wrong. But the top three really narrow down to hardware failure, software issues, and overall human error.

It’s a very complex setup, but starting with hardware failure, it’s inevitable to have issues. All you can do is put specific things in place to minimize those failures from happening and be ready to remediate those problems as soon as possible. This goes hand in hand with the importance of monitoring those backups because if something goes down and you’re not monitoring, there’s a gap where the hardware could’ve not worked for three to six months just because you didn’t check it. Could’ve been avoided easily just by checking to see if it’s working. But you just let it go, assumed it’s running – that can come with serious consequences. Like the audit example, losing a whole year’s worth of important files. It needs to be taken seriously.

Regarding software, lots of people see updates and patches that need to be installed, and a lot of people assume that what comes with updates are issues, so updates get ignored. Usually in those updates and patches, they’re security patches because a vulnerability was found, and then a patch was created and everyone’s been told to update and fix that patch. If you don’t, then of course you’re just adding another vulnerability to your backup, to your network, to your whole organization just by ignoring that update.

An infosec team understands the importance of those patches, and they’re going to expect those hiccups and be ready to remediate as soon as possible after that update or after that patch is finished. But sometimes software, hardware can have problems because it was installed incorrectly, you can have connection problems, the setting could be wrong. It all goes hand in hand with why backups are very important and they’re very complex, and why specialists are required to run, operate, and monitor these backups.

You see at the bottom human error. That’s number one. I like to speak on this because I see this way more than I expected to. We’ll go to the external hard drive, something where someone is using a flash drive as a backup. You go into an office, they have a flash drive hooked up as a backup. At the end of the day, they take it out, plug a new one in, and put that flash drive or backup in their pocket and go home for the day.

This is a huge security risk, and we tell any new client if they’re doing this, that will be stopped immediately. What if you lost the flash drive? What if you lost that backup, or someone stole it from you? Or you dropped it in water, something like that. There’s so much room for human error and so much room for security risk that nowadays, in 2022, that should not be an option.

One goal of the information security team is to minimize the risk of human error. That’s why you have a team of specialists. They are going to help you understand the best security practices for your backup and make sure you don’t have the chance of losing confidential information for your clients, or that the files for your organization that are critical to your business don’t get dropped in water, things like that.

It sounds simple and it sounds silly, but too many organizations have bad backup practices that end up in things that can end your business, are expensive, in fines, things like that. Am I missing anything, Tom? Anything else you could see going wrong with a backup? Not working, being lost.

TOM: A lot of times people think, “Well, I don’t know if I trust the cloud. How do I know that won’t get hacked?” That’s why they’re still relying on external hard drives and flash drives. We know statistically that over 90% of breaches involve human error. We also know statistically that it’s more likely for that flash drive or external hard drive to be lost or misplaced than it is an online cloud backup system to be breached.

We also know there’s more failures, especially if you rotate flash drives. And even if you rotate them, it really messes with stuff unless you’re running just a plain old copy command. But one of the beauties of an online backup system is it keeps revisions. You can have a 5-minute-old one, a 30-minute-old one, a day-old one. You can set these parameters, so you can go back nine revisions, “Oh, I need that file from back two weeks ago. I want it back set two weeks ago from when I had it.” Or “I need it from five minutes ago.” And if you’ve got the bandwidth and you’re just doing incremental data and you’re a small firm, you could do continuous online backup.

So the simple fact of the matter is, it’s a waste of human productivity manually doing it, and if you put the cost against an online backup system against whatever your hourly rate is, your bookkeeper’s hourly rate, it’s nothing. It’s going to be about the same. But it just introduces so many more opportunities for a breach or backup failures. It’s just not a good way to do it, period.

There’s other methods that get a little bit beyond what we’re doing here, but sometimes we’ll put in an online BDR, onsite BDR. It’s a backup and disaster recovery server. It’s really, really cool technology. Backup technology – a lot of people don’t realize this, but almost every one of them is based on Rsync, which is an open-source, command-line-driven tool that is absolutely wonderful. These other vendors just take that and put a nice pretty wrapper around it and change the personality and all of that, but it just works flawlessly.

I really can’t say any more. As far as the online security, it’s no different than a password manager. I guarantee you that Keeper is going to make your business a lot more secure than you reusing credentials or writing it on sticky notes and hiding it under your keyboard or posting it to your monitor.

DAVIN: Yeah, or using the same password as your username.

TOM: Oh my gosh, yeah.

DAVIN: Simple things.

TOM: You need those passwords randomly generated. But that’s a different deeper dive.

DAVIN: Yeah. That was our last webinar, our last deeper dive.

TOM: Yeah, I thought we had one on that.

DAVIN: But the main thing that you need to get out of this and understand why backups are important is because of these key facts. One, downtime. There’s a cost associated with downtime. During a ransomware attack, if you can’t get back up and running because of your backups, you’re losing those transactions every single day. There’s a certain number of transactions that go on within your organization. Put a dollar amount on that. You can put that on top of the ransom. Your operations are on a halt, and it’s just a complete sunk cost because your business is basically useless while you’re being held ransom.

In 2022 – this is one of the security providers, Datto – in 2020, the average downtime costs were around $270,000. In 2018, it was around the $50,000 mark; 2019, $141,000; 2020, $270,000. So it’s increasing year after year after year. That’s what you have to think about when you’re thinking about your backups. What is that downtime going to cost me? How important are those backups regarding the cost associated with the time my business is going to be basically useless?

It also affects, like Tom touched on earlier, they have extortion methods that can come with a cyberattack as well. During this, if you have to rely on backups and you have no security controls in place, not only are you paying the ransom, not only are you going to experience downtime, you also have your company’s reputation on the line. The legal practices after that that come with the possible extortion of your clients’ information, your company’s information. Everything that comes with a ransomware attack can be avoided, and there’s a part of it with the recovery and response processes of your infosec team that all comes down to your backup. They rely on it. Of course, there’s preventative security controls in place that all lead up to the recovery process of your backup.

The data that’s crucial to your organization, if you can’t get that back, think about what you would do. Your clients’ information, having to tell them, “We’ve had a breach. We’re currently figuring it out, but we’ll keep you up to date. We don’t know what’s going to happen.” Avoiding conversations like that means more to an organization than you recognize.

And then, plain and simple, you have to have proper managed, regulated, and have an infosec team operating your data backup simply because of cyberattacks. Cyberattacks are not going to go away. They’re increasing every year. Of course, with everything going on in the world right now, we’re seeing a huge surge in cyberattacks, and companies who don’t have the proper controls in place are experiencing the worse end of that.

The discussion regarding data backups and your security controls on your organization shouldn’t be happening for the first time after the attack or during the attack. This should be something you’re discussing now, putting those preventative measures in place to avoid a whole situation like this. This can easily be avoided with the proper tools in place.

So, what do you do? The last step. “Okay, I know I need a data backup. I know cyberattacks are going to happen. I know that I need security tools in place. What can I do?” It’s simple. We make it easy. You simply speak with an infosec specialist. During that conversation, you’ll be talking with me, and we’ll discuss your whole network.

Like Tom mentioned, it’s different for every organization. Every organization has different needs. It’s not just a cookie cutter security tool, “Here you go, this is exactly what you need for everybody.” No, we need to have a discussion, understand how your organization works, the information you’re protecting, what security you have in place now, and find those vulnerabilities so we can develop a plan to put the proper security controls in place, get the proper backups in place that are specific to your organization, that fit your needs and prepare you to avoid a whole ransomware situation like we discussed today.

You see the meeting.irontechsecurity.com. You can use that link to schedule a short 30-minute chat at your convenience. It’s directly connected to my calendar, so I can leave that to you all. There’s also our email, sales@irontechsecurity.com. But there’s also my personal phone number. Call that; I will always answer unless it’s the weekends or late in the night. I will be asleep, preparing to answer your call in the morning.

I want to talk to you. I want to understand your backup situation, see what’s going on, and make sure you have what fits your exact organization’s needs. Like I said, not every organization is the same. You have different backup needs, and I’m telling you, at the end of the day, if you’re going to pull a flash drive or external hard drive out of your server room and put it in your pocket, please, before you do that, call me and let’s figure out a way that we can throw that whole process out the window and save you some extra steps.

Like I said, this is a weekly deeper dive series. We have our last one coming up next week regarding the 5 things that you need to protect your organization. Simple, simple security controls. And we’re not the ones saying this; this is from the White House. It’s going to be an amazing webinar. I’m excited to talk to everyone, really narrow down simply what you need to protect your organization here in 2022 when changes in cyberattacks are exploding, going crazy.

I’ll save some time – I know we’re a little over. If there’s any questions, please let me know. We’ll answer these before we get off of here.

TOM: No one’s got any questions. Oh, sorry, Kindsey.

KINDSEY: You’re okay. I’m not seeing any questions, but I did want to emphasize that that webinar that Davin is doing next Tuesday, there will be an email that goes out this afternoon with a link to sign up for that if you’re interested. Alrighty. Well, everyone, thank you guys so much for joining us this afternoon. We hope to see you next week. Thanks for joining us.

DAVIN: Thank you.