Why most enterprise backup and recovery is inadequate.

Ever turned up to a party underdressed? That can be a bit awkward. Ever turned up to a meeting underprepared? That can end up being pretty embarrassing. But if you turn up to a battlefield ill-equipped and underprepared, the consequences are likely to be catastrophic.

Yet, when it comes to backup and recovery, that is exactly what most enterprises are doing every day. Your business is under attack, and cyber security experts agree that sooner or later your defences will be breached. You will need to be ready to mount a fast and effective recovery. But there’s a problem.

Your backup infrastructure and recovery processes weren’t designed to deal with today’s sophisticated cyber-attacks. There’s been a huge increase in cyber-criminals actively targeting backups – encrypting or deleting your backup data to eliminate your last line of defence.

There is a very real possibility that when the worst happens, you will be unable to recover your business-critical data when you need to. Put simply, the vast majority of enterprise backup and recovery will be seriously inadequate in the face of a large-scale cyber-attack, but many won’t know until it’s too late.

Here are just a few reasons why:

Typical Disaster Recovery methods are no longer fit for purpose.
Many businesses don’t do regular DR testing, and those that do only test a small percentage of their backups. Why? Because DR testing is disruptive and time-consuming, and infrastructure teams are under-resourced.

Traditional DR testing is also highly ineffective in the context of modern cyber-attacks. In most cases a DR test simply checks whether a workload will successfully recover. If that workload contains dormant ransomware, it will recover, and no issue will be flagged. But later, when that ransomware is activated as part of a sophisticated, widespread cyber-attack, it will encrypt or delete the backup data and render it useless, exactly when you need it the most.

Most backup anti-virus scanning processes are inadequate
Typically, businesses scan their backups for viruses at the point the data is first backed-up and/or at the point of restore. That’s not enough.

If you are only performing AV scans at the point of backup, there is a very real danger of ingesting infections into your backup estate as a result of zero-day attacks – that’s an attack with a virus that is so new, anti-virus software is not yet able to identify or protect against it.

If you are scanning at the point of recovery, there is a risk of significantly increasing downtime for your business in the event of a cyber-attack while you validate the cleanliness of your data and then hunt down the latest clean copy.
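One way to close the gap between those two scan points is to rescan retained generations whenever signatures are updated, so the latest clean copy is already known before a restore is needed. The sketch below is an added example, not code from Predatar or any backup product; the catalog layout, the function names and the use of SHA-256 matching as a stand-in for a real AV engine are all assumptions, and the sample data is constructed.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: three nightly generations of one workload.
PAYLOAD = b"constructed stand-in for a dormant payload"
CATALOG = [
    {"gen": 1, "files": {"app.cfg": b"v1", "q1.doc": b"report"}},
    {"gen": 2, "files": {"app.cfg": b"v1", "q1.doc": b"report", "upd.bin": PAYLOAD}},
    {"gen": 3, "files": {"app.cfg": b"v2", "q1.doc": b"report", "upd.bin": PAYLOAD}},
]
# Signature sets as (version, known-bad digests). Version 1 predates the payload.
SIGS_V1 = (1, set())
SIGS_V2 = (2, {digest(PAYLOAD)})

def rescan(catalog, sigs, state):
    """Scan every generation not yet checked with this signature version.
    state maps gen -> (signature version, list of flagged file names)."""
    version, bad = sigs
    for entry in catalog:
        seen = state.get(entry["gen"])
        if seen and seen[0] >= version:
            continue  # already scanned with these or newer signatures
        hits = sorted(n for n, d in entry["files"].items() if digest(d) in bad)
        state[entry["gen"]] = (version, hits)
    return state

def latest_clean(state):
    """Newest generation with no flagged files, or None if all are flagged."""
    clean = [g for g, (_, hits) in state.items() if not hits]
    return max(clean) if clean else None

def demo():
    state = rescan(CATALOG, SIGS_V1, {})     # scan at the point of backup
    at_ingest = latest_clean(state)          # every generation looks clean
    state = rescan(CATALOG, SIGS_V2, state)  # scheduled rescan, newer signatures
    return at_ingest, latest_clean(state), state[3][1]

if __name__ == "__main__":
    print(demo())
```

At ingest every generation passes, so generation 3 looks like the best restore point; after the rescan the known-clean copy is generation 1.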

Backup anomaly detection is not enough
Most backup and recovery software vendors offer backup anomaly detection capabilities to help to identify cyber threats. That sounds great, but there are some important limitations.

Firstly, most backup anomaly detection lacks a feedback loop. That means that when an anomaly in backup behaviour is identified, there is no mechanism for the software to understand if that anomaly was actually the result of a genuine cyber-attack, or in fact a false positive. With no feedback loop, your backup software will continue to flag the same false positives time and time again. When alerts are going off all the time, it’s easy to miss the real threats amongst the noise. In fact, we often hear from infrastructure teams that they have disabled backup anomaly detection because they are overwhelmed by false alerts.

And of course, it’s worth recognising that anomaly detection won’t pre-warn you of an imminent attack. The anomaly detection alerts you once an attack has been triggered.
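The effect of a missing feedback loop can be shown by replaying the same backup jobs through a detector with and without analyst verdicts. This is an added example, not code from any backup vendor; the change-ratio metric, the z-score threshold, the `Detector` class and all sample values are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data: fraction of data changed per nightly backup.
HISTORY = {
    "db01":   [0.04, 0.05, 0.05, 0.06, 0.04, 0.05, 0.05],
    "file02": [0.02, 0.03, 0.02, 0.03, 0.02, 0.02, 0.03],
}
EVENTS = [  # (day, client, change ratio), constructed
    (1, "db01", 0.40),    # monthly reindex rewrites a lot of data
    (2, "db01", 0.05),
    (3, "db01", 0.41),    # the same reindex a month later
    (4, "file02", 0.40),  # never seen on this client
    (5, "db01", 0.95),    # near-total rewrite, as mass encryption would cause
]
BENIGN = {(1, "db01")}    # analyst verdict: the day-1 alert was a false positive

class Detector:
    def __init__(self, history, threshold=3.0, tolerance=0.10):
        self.history = {c: list(v) for c, v in history.items()}
        self.threshold, self.tolerance = threshold, tolerance
        self.accepted = {}  # client -> ratios an analyst confirmed as benign

    def check(self, client, ratio):
        """Return True when this backup should raise an alert."""
        base = self.history[client]
        z = abs(ratio - mean(base)) / (pstdev(base) or 1e-6)
        if z < self.threshold:
            base.append(ratio)  # normal job: extend the baseline
            return False
        # Feedback loop: stay quiet for deviations already judged benign.
        return not any(abs(ratio - ok) <= self.tolerance * ok
                       for ok in self.accepted.get(client, []))

    def feedback(self, client, ratio, malicious):
        if not malicious:
            self.accepted.setdefault(client, []).append(ratio)

def replay(use_feedback):
    """Run EVENTS through a fresh detector; return the (day, client) alerts."""
    det, alerts = Detector(HISTORY), []
    for day, client, ratio in EVENTS:
        if det.check(client, ratio):
            alerts.append((day, client))
            if use_feedback:
                det.feedback(client, ratio, (day, client) not in BENIGN)
    return alerts
```

Without verdicts the reindex job alerts every time it runs; with them it is silenced for that client only, while the unfamiliar spike on `file02` and the near-total rewrite on `db01` still alert.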


So, what can you do to be better prepared?

1. Understand your recovery risk factors. There are a lot of factors that can negatively impact a business’s ability to recover following a cyber-attack. The first step to removing the risks is to understand them. Predatar Insights is a free, self-service tool for IBM Spectrum Protect users that will highlight your recovery risks. Sign-up for Predatar Insights here.

Spectrum Protect users can also apply for a deep-dive cyber benchmark report, where our cyber resiliency experts will assess your infrastructure and processes against industry best-practices.
Apply for a cyber benchmark report here.

2. Security and Infrastructure teams need to come together. Cyber resilient backup and recovery often falls into a gap between these two historically disjointed teams. It’s time to recognise this critical shared responsibility and start a dialogue.

3. Make a plan. Building cyber resilient backup and recovery won’t happen overnight. In fact, with the constantly evolving cyber-crime landscape, it’ll always be an ongoing task, and it can be hard to know where to begin. Make a plan starting with your most business-critical workloads and some quick wins.

 

Want to learn more about building cyber resilient backup and recovery?
Brought to you by Predatar and IBM, Control22 is the only event focused on helping IBM customers to build more cyber resilient backup and recovery. It’s free, it’s invaluable and it takes place next week. See the agenda and book your place today at www.predatar.com/control22