Recovery Over Resistance: Cybersecurity’s Shifting Paradigm

If a cybersecurity provider tells a customer that it can completely protect the business from a breach of its IT networks and applications, whether by malware, ransomware or some other type of cyberattack, it is not telling the whole truth. This is underscored by Verizon’s 2024 Data Breach Investigations Report (DBIR), which found that the number of data breaches from 2023 to 2024 had more than doubled. With advanced techniques such as ransomware, sophisticated phishing attacks, and the use of AI to speed up attacks, it is no longer a question of if but when a breach event will occur, no matter how much investment and emphasis the business has placed on resistance.

The good news is that cybersecurity providers can offer the assurance of a quick and complete recovery from compromised and encrypted data. Assured recovery is achievable through the proper orchestration of system and data backups. A company’s survivability is predicated on multiple copies of backups that are immutable. Immutability ensures that backups cannot be altered, deleted or encrypted. It also means that retentions cannot be reduced for backup data already written to disk. This is a reliable and proven recovery path. Rather than only focusing on preventing threat actors from getting in (resistance), an organization must first ensure its ability to recover all data (recovery).

Backups: the ultimate cybersecurity weapon

The primary weapon of cyber defense lies in a security provider’s backup technology. Keep in mind that many industries, such as legal and healthcare, mandate strict data retention and integrity protocols. Therefore, correctly configured immutable backups enable organizations to demonstrate compliance while establishing that they are on the leading edge of cybersecurity. Yes, you can guarantee that customer data (as well as your own) will be fully recoverable, with a minimum of downtime.

As we methodically work through security — beginning with protecting our data and then moving on to hardening our systems and access — we need to counter attackers’ behaviors by making closed systems the standard. As an example, restricting outbound traffic from our internal networks is just as critical as restricting inbound traffic into them. It is also critical to work with cybersecurity providers that actively handle breaches and have insight into current threat actor behaviors.

According to Fenix24’s research, 93% of cyber events target backup repositories. Data shows that 80% of critical systems do not survive a data breach. Of the 20% that do survive, only 50% will be usable within a realistic time frame. Even when a ransom is paid, only 68% of the data will survive the decryption process intact. For example, databases become corrupt when encrypted and decrypted, so that data often does not survive. The research also found that only 14% of organizations have backups that would survive threat actor behaviors, and just 24% have backed up all their critical data.

Why do backup systems fail?

According to IBM research, recovering from a data breach typically takes several months, with the average time to identify and contain a breach being around 277 days (nearly nine months). You might ask, “Why are so many backup strategies failing? Why is it that so many organizations cannot recover at all? And when recovery is available, why does it take so long?” For starters, many organizations don’t have good inventories of assets. Without knowing what assets you have, it’s nearly impossible to make certain everything is backed up, and it’s very difficult to have confidence that everything has been recovered. Additionally, many popular backup technologies are software-only, leaving IT to separately secure the storage platforms that hold the backup data. This leaves gaps in the immutability requirements that protect the backups, their retention settings, and the underlying storage housing this critical data, all of which IT must solve separately.
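To make the immutability rules from the earlier section concrete (a written copy cannot be altered, deleted or encrypted in place, and retention on data already written can only be extended) together with the asset-inventory coverage check described here, the following is an added toy example, not Fenix24’s or any vendor’s code. It models a write-once backup catalog in memory; the class and method names, the day-counter clock, and the sample asset names are assumptions for the demonstration.

```python
# Added example (not Fenix24's or any vendor's code): a toy write-once (WORM)
# backup catalog enforcing the immutability rules described in the text above.
# Time is modelled as a day counter so retention expiry can be simulated.
from dataclasses import dataclass

class ImmutabilityViolation(Exception):
    """Raised when an operation would alter, delete or shorten a locked copy."""

@dataclass
class BackupCopy:
    asset: str
    payload: bytes
    retain_until_day: int

class ImmutableRepository:
    def __init__(self):
        self.today = 0          # advance() stands in for real time passing
        self._copies = {}

    def advance(self, days):
        self.today += days

    def put(self, copy_id, asset, payload, retention_days):
        """Write-once: an existing copy id is never overwritten (no in-place encryption)."""
        if copy_id in self._copies:
            raise ImmutabilityViolation(f"{copy_id} exists; locked copies are write-once")
        self._copies[copy_id] = BackupCopy(asset, bytes(payload), self.today + retention_days)

    def extend_retention(self, copy_id, days_from_now):
        """Retention of data already written may grow but never shrink."""
        copy = self._copies[copy_id]
        new_until = self.today + days_from_now
        if new_until < copy.retain_until_day:
            raise ImmutabilityViolation("retention can be extended, never reduced")
        copy.retain_until_day = new_until

    def delete(self, copy_id):
        """Deletion is refused until the retention window elapses, whoever asks."""
        copy = self._copies[copy_id]
        if self.today < copy.retain_until_day:
            raise ImmutabilityViolation(f"{copy_id} is locked until day {copy.retain_until_day}")
        del self._copies[copy_id]

    def read(self, copy_id):
        return self._copies[copy_id].payload

    def unprotected_assets(self, inventory):
        """Inventory entries with no copy still inside its retention window."""
        covered = {c.asset for c in self._copies.values() if self.today < c.retain_until_day}
        return sorted(set(inventory) - covered)
```

Running `unprotected_assets` against the asset inventory is the check that answers “is everything backed up?”; an asset missing from the inventory never appears in that list, which is why a poor inventory silently undermines the whole strategy.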

If the backup data survives the threat actor’s behaviors, IT must have sufficient unused storage capacity available to house the restored data while DFIR firms freeze data and perform forensics. Having current context on threat actor behaviors helps shine a light on where security and backup strategies fail, as well as where we can take quick action to push back against threat actors and ensure recovery for “when it happens.”

Implementing immutable backups may look costly on paper, but it reduces the cost of data breaches and disruption to operations, not to mention ransom payments and compliance fines. MSSPs, MSPs and other cybersecurity vendors do have outstanding tools and perform well-orchestrated security services. Unfortunately, there are many instances where backups are not a core offering.

The recovery over resistance imperative

Recovery from a ransomware event can be assured — with the right backup strategy and proper orchestration. Backup technology is your most critical security control. If your backup data can be destroyed, your firewall and EDR configurations don’t really matter. Stop everything else and assess/address your ability to recover first.

So, why aren’t more security providers adopting backup technology with their customers? Perhaps some of them aren’t fully aware of these benefits or lack the expertise to properly deploy immutable backups. Maybe they think a system of backups is too expensive, especially for clients with tight budgets. We know that not all backup systems natively support immutability, and those relying on legacy systems may find it challenging to move to a more modern data protection methodology.

Recovery over resistance. Maybe it sounds counter to what you’ve heard throughout your career. Threat actors are on the offense, putting IT security professionals on the defense. We will always lag behind current tactics, as the tactics threat actors take are constantly changing. They’re after one thing: your business’ data. Let’s start by ensuring we can recover if/when they find a way in, and once recovery is guaranteed (and it can be), we continue hardening our defenses to resist their behaviors and tactics.

Brandon Williams

Brandon Williams is Chief Technology Officer of Chattanooga, Tennessee-based Fenix24, the world’s first civilian cybersecurity force and an industry-leading ransomware recovery company. Brandon has more than 20 years of experience in networking, infrastructure design, implementation and security. He finds the most rewarding experiences are blending technology with security, providing resilience to the business while maintaining excellent user experience.