I think we all approach a new year with a fairly large degree of optimism and trepidation, with a few resolutions thrown into the mix as we attempt to change how we do things.
Criminals engaged in ransomware are no different – it is increasingly apparent that they dedicate their efforts to causing the most significant amount of damage in the shortest possible time.
IDC has identified this trend with the observation that ransomware attackers have learned that eliminating the possibility of data recovery by attacking the data backups can maximise the attack's impact on primary data.
Just to put it into perspective, as far back as 2014 and based on industry surveys at the time, Gartner estimated the cost of network downtime was typically around $5 600 per minute, which extrapolates to well over $300 000 per hour. At today's exchange rate, that amounts to approximately R85 400 per hour. I'm sure I now have your attention!
Forbes reports that the recent six-hour-long outage of the Facebook family of apps cost the company nearly $100 million in revenue. Worse, it drove millions of social media users to Twitter as people couldn't view their Facebook feeds, exchange WhatsApp messages or post Instagram reels. To add insult to injury, it sparked a derisive meme feast that didn't do much for the brand.
None of us need to be reminded that the damage from ransomware can have a profound and lasting impact on organisations. If it is to be defeated, the solution should appear obvious − IT organisations need to architect a system that assures data recovery without paying a ransom. This may appear to be a tall order, but the good news is that it has been achieved.
Many CIOs are familiar with the old ‘3-2-1’ rule when it comes to data protection, namely: three copies of data (primary and two backups); two copies stored locally on two formats (NAS, tape, or local drive); and one copy stored offsite (cloud or secure storage).
But this is now somewhat outdated due to the importance of protecting the backup, the now recommended 3-2-1-1 strategy to safeguard data, with the extra ‘1’ being immutable storage.
Immutability is a critical element of successful ransomware protection. It is when data is converted to a write-once, read many times format, which cannot be altered. Unlike data encryption, there is no key, so there should be no way to ‘read’ or reverse the immutability.
If ransomware gets into an admin system, it can spread like wildfire and even infect secondary storage.
The latter is also crucial when paired with other data protection elements, such as continuous data protection, which can capture data on each write at rapid intervals measured in seconds. If that data is stored in immutable form, the customer can then have a ‘snapshot’ of data that cannot be altered.
Having the right technology in place, augmented by sound and well-rehearsed recovery practices, is essential but adding immutability means you can access and restore data to its unaltered state and get back into operation within minutes of a breach. What CIO and CTO does not want to keep the lights on and be up and running within minutes of an attack?
Breaking down 3-2-1-1 vs traditional 3-2-1
Let's take a look at what the traditional 3-2-1 rule entails. In essence, as noted, it recommends that you keep at least three copies, store two of them on separate media and store at least one additional copy at an offsite location.
While it sounds like having two copies onsite means the business automatically has quick access to its backup if its primary storage fails, that may not always be the case. What happens when disaster strikes and takes both of the onsite devices down?
If ransomware gets into an admin system, it can spread like wildfire and even infect secondary storage. These scenarios are played out every day in businesses across the world.
For example, what if both data copies are compromised? The first thing the company does is shut its systems down and put its backup and disaster recovery plan into motion. That's when it turns to offsite backups. This is precisely where the problems commence.
With secondary storage primarily built for backup security and scale at a relatively low cost, these systems can impair recovery if they can't quickly transfer the vast amount of data that typically needs to be recovered. That could add a considerable amount of time for applications and data to come back online after a disaster – which is, of course, very costly.
In a nutshell, the 3-2-1-1 rule comes into its own in this last example, with at least three backup copies of data and two stored on different storage media while placing one of them offsite.
Immutability is the key to successful ransomware protection because the company’s data is converted to a write-once, read many times format that can't be altered. Essentially, the data cannot be changed or deleted once it is written.
In my next article, I will elaborate in detail on how immutable storage works and what the benefits are.