Before I delve into how many backups are enough, I want to start with a little story from a hospital that hit the news cycle about a year ago.
Hollywood Presbyterian Medical Center paid the equivalent of 17 thousand dollars to cybercriminals because their network’s data was entirely encrypted. Every single file was locked down and no one—not even the IT Department—was able to make heads or tails of the situation.
Their best recommendation? Pay the ransom.
The hospital desperately needed to do a lot of the things every single business has to do each day. In short, they needed to treat patients (operations), retain patients (marketing), bill patients (accounting), and generally keep the lights on and the bills paid. Aren’t those concerns the same ones you have with your business?
Let me add a few details to their decision to pay the ransom note:
All of their data was encrypted—not a single department in that hospital was able to get any work done. Operations was crippled because doctors and nurses were dependent on knowing how to treat patients—they needed medical records to understand previous medical history. Billers couldn’t get money in to keep the lights on because their spreadsheets and QuickBooks files were all locked up. In essence, everyone in Hollywood Presbyterian was dependent on data in one shape or form and no one could get even basic jobs done without it.
They had backups—Hollywood Presbyterian DID have backups. The fact that they had backups was not the actual problem. I’m sure you’re asking, why couldn’t they just recover their data from the backup files?
The big problem at Hollywood Presbyterian is that their backups were stored ON their network. The ransomware virus actually scoured the network in search of files that looked like backups. And guess what?
That virus deleted every single backup file. Not a big surprise if you’re thinking like a cybercriminal. Those folks want to make it near impossible for you to recover. They are going out of their way to look for organizations without properly configured backups. They’re also training their viruses to hunt and destroy backups if they’re on a network.
Hollywood Presbyterian was put in a very precarious position. They had no recoverable backups from the ransom attack. They had all their data locked down. The only option that made sense at the time was to pay the ransom and cross their fingers and hope that some criminal would hold true to their promise to return their data completely intact.
The problem with taking this approach?
Cybercriminals keep track of whether you’ve been attacked AND whether you’ve paid a ransom in the past. What that means for Hollywood Presbyterian is that many other criminals—including the group that initially attacked them—know that they’d be a good target for another payday (they know that organization would pay for their data).
Criminals have resorted to attacking organizations that fall for one cyberattack multiple subsequent times, simply because they are good customers. Those organizations comply with the criminals’ demands and value their data enough to pay up.
Will you be a good customer?
My concern with these stories of organizations with misconfigured backups is that there are many more businesses out there that think they’re safe, but really aren’t.
They are told that their data is backed up, but it really isn’t. OR if it is, it’s being backed up on the network, where a natural disaster or cybercriminal could easily knock it out in the event of a network disaster.
I’ve gotten too many calls to count from prospective clients asking me to recover their networks when their backups were corrupted or their IT guy couldn’t seem to recover them.
My team is completely capable of recovering really difficult backups, but let me warn you—risking your business continuity on a suspect backup does not guarantee anything. You may only have some of your critical files recovered. Or you may have to wait weeks for the recovery to be complete.
I’ve helped our forensic team sift through the ruins of servers before and can tell you firsthand that it’s not fun for us and it certainly is not fun for you. I hate having to work around the clock restoring from disasters, knowing full well that the events we’ve had to deal with were completely preventable.
Coming back to my original question, how many backups are enough?
I’d have to say that it’s not so simple to give you a number. What I’m mostly concerned with is (1) what data you consider crucial to your business keeping its lights on and doors open, (2) how often that data changes, and (3) making sure that your data backups are tested and stored offsite so nothing can get to them.
Are you concerned about your data backups? Or should you be?
Contact us today for a free network security assessment.