Why disaster recovery makes the ransomware debate irrelevant

Falling victim to a ransomware attack can have catastrophic consequences for a business or even a government organization. Those who don’t take the time to prepare by making backups or putting a disaster recovery plan into place will feel the effects of such an attack the most. They might even consider paying the ransom to regain access to their files, which just shows cybercriminals how effective their attacks really are.

To learn more about how organizations and governments should prepare to deal with today’s growing ransomware threat, TechRadar Pro spoke to Druva’s CISO, Tom Conklin.

Why do you think that cybercriminals have shifted the focus of their ransomware campaigns from businesses to governments?

Any organisation, including city governments, without a hardened infrastructure and emergency plans, like disaster recovery systems, can be a ripe target for ransomware.

With access to sensitive information and critical infrastructure, locking down a government system is not only lucrative, but can have national security implications and damage the local economy.  Government systems are not typically known for being up to date with the latest technology, whether through lack of funding, understaffing, or minimal resources, so they are vulnerable targets with a lot of potential benefits for a malicious actor. 

Do you believe that cities should pay the ransom demands of attackers to regain access to their locked files?

To start, victims should never pay these ransoms. It’s easy to say, and may be harder in practice, but paying only propagates the model. Additionally, we are beginning to see cases where even paying the ransom has not guaranteed that systems are restored. Take, for example, Lake City and Riviera Beach, Florida, which still had critical systems down weeks later after paying. With insurance only covering some of the ransom costs, and the cities remaining under attack even after the ransom was paid, it begs the question if there’s any value in doing this.

Instead, teams should be focused on preparing for any potential attacks. A solid, well-planned, and well-tested disaster recovery plan can short-circuit a ransomware attack and help an organisation continue without interruption.

Some cities have decided not to pay ransom demands as they have backups of their important files and systems. Why is this approach flawed and what can cities do to recover from a ransomware attack faster?

Backups and disaster recovery solutions are a great way to combat ransomware, but they should be used as a last line of defence. Implementing a backup policy in and of itself is not the silver bullet against malicious attacks. Backup and recovery should be part of a holistic strategy that includes everything from hardened internal systems, strengthening your network edge, and ensuring proper protocols are in place for cloud-based applications, whether that is multifactor authentication or single sign-on.

Your enterprise is likely to be tested at some point, but you should make it as hard as possible to reach the final gate before turning to backup and recovery. Like the saying goes – preparation is key. 

What kind of cybersecurity training would you recommend that cities and organizations that are trying to prevent falling victim to a ransomware attack should undergo?

Cybersecurity training is vital for any organisation, but training should be scalable based on an individual’s role in the organisation. At a minimum, all employees should be required to take entry-level courses that educate on phishing attacks, avoiding malicious emails, etc. Technical teams and IT of course need more regular and in-depth training that dives into the latest tactics, how to spot attacks early on, and the best ways to keep an organisation’s security robust through things like air-gapping, following the 3-2-1 rule, and others.

Have local governments fully embraced the cloud or are many still relying on local storage for their documents and systems?

There are many still relying on local, on-premises systems because they may lack the local resources, funding, or may not even have the internet bandwidth to move their systems to the cloud on a regular basis. Also, with today’s competitive job market, IT practitioners in the public sector are increasingly moving to private companies where the pay and resources can be more substantial.

But the "cloud" is a broad term and could mean many things. An organisation that may not be able to move their on-premises systems to a hosting provider could look at limited use of public cloud storage for backups. For small-scale workloads, this can be something like replicating backups to an AWS S3 bucket with a retention policy. Setting the retention policy ensures backups cannot be deleted or overwritten.
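The retention setup described in this answer can be checked programmatically. The following added example is not part of the interview or any vendor's code; it assumes the retention policy is implemented with S3 Object Lock, and the function names, the 30-day minimum and the sample configurations are illustrative.

```python
"""Audit whether an S3 backup bucket's settings make backups immutable.

Inputs are dicts in the shape boto3 returns from s3.get_bucket_versioning()
and s3.get_object_lock_configuration()["ObjectLockConfiguration"].
Function names and the 30-day minimum are assumptions for this example.
"""


def retention_days(default_retention):
    """Convert a DefaultRetention rule (Days or Years) to days."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365


def audit_backup_bucket(versioning, object_lock, min_days=30):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is off: an overwrite replaces the backup")
    if not object_lock or object_lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is off: backups can be deleted")
        return findings
    rule = object_lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention: new backups are not locked")
        return findings
    if rule.get("Mode") != "COMPLIANCE":
        # GOVERNANCE can be overridden by s3:BypassGovernanceRetention.
        findings.append("mode is not COMPLIANCE: retention can be bypassed")
    if retention_days(rule) < min_days:
        findings.append(f"retention {retention_days(rule)}d < {min_days}d")
    return findings


# Constructed sample configurations (not from any real account).
UNPROTECTED = {"versioning": {}, "object_lock": None}
WEAK = {"versioning": {"Status": "Enabled"},
        "object_lock": {"ObjectLockEnabled": "Enabled", "Rule": {
            "DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
HARDENED = {"versioning": {"Status": "Enabled"},
            "object_lock": {"ObjectLockEnabled": "Enabled", "Rule": {
                "DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}

if __name__ == "__main__":
    for name, cfg in [("unprotected", UNPROTECTED), ("weak", WEAK),
                      ("hardened", HARDENED)]:
        print(name, audit_backup_bucket(**cfg) or "OK")
```
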

How will ransomware evolve over the next few years and do you think it will become an even bigger threat than it is now?

Ransomware is going to follow soft targets that have vulnerable systems. This may be small companies that have unpatched systems. My guess is that as more companies adopt cloud services and connect on-premises networks to the internet you'll see more ransomware when the on-premises systems are not patched or properly secured, and in places where cloud accounts are being misconfigured by the customer. Cloud vendors generally adopt a shared responsibility model and it’s important those adopting cloud solutions understand where their responsibilities lie.

The security industry expects the number of attacks and amount of payments will continue to increase at double-digit annual growth. We expect to see more targeted attacks vs. broad high-volume attacks.

What emerging cyber threats concern you the most and which ones do you think the general public needs to be more aware of?

Whilst obvious, and seemingly old school – phishing continues to be a major threat for the public and corporate entities alike. The financial and reputational impacts of these attacks can be huge, so we need to work on educating the public on how to spot a phishing email – and how to report it. By understanding the threats we may become subject to – we can better prepare and educate ourselves to deal with them.

On a corporate level, I expect to see these sorts of attacks become much more sophisticated. Instead of simple one-off emails, I expect to see attacks that are more socially engineered and slowly work on building trust and compromising a system.