The Crucial Role of Recovery Planning in Ransomware Defense

With the increasing frequency of ransomware attacks, it is crucial to ensure your organization has a solid data recovery strategy. Almost every news article about ransomware mentions the need for good backups. Maintaining a good set of backups is one of the key strategies for mitigating the damage caused by the attacks. But backups alone are not enough.
One of the topics I find has not been discussed is the recovery plan. Pre-planning is critical to a successful data recovery strategy. Many organizations plan their systems to meet a specific “Backup Window”. When I talk to clients, often the first thing they want to discuss is “how fast can the data be backed up?” In my experience, what many organizations fail to do is plan for the recovery window. Backups are worthless if you are unable to recover or recover quickly enough.

Below are a few topics that should be considered when reviewing your organization's recovery plan:

  • Do you have defined data types with Service Level Agreements? Not all data is equal. The process of prioritizing your recovery is not an easy task. It is crucial for organizations to understand which restores need to be accomplished first and to set appropriate expectations.
  • How much data of each type do you have? The size or amount of data that needs to be recovered will have an impact on the solution architecture.
  • How fast does your data need to be restored? Often there are systems that are more critical than others to daily operations. A list of systems with priorities should be created.
  • Do your primary storage and applications support snapshot technologies? A recovery from a snapshot will be faster.
  • Does your backup/recovery management software provide snapshot management? Utilizing a product that integrates with your primary storage vendor and software will greatly enhance both backup and recovery times.
  • Does your backup plan provide for “Air Gapped” backup storage? Should your organization experience a security breach, it is possible for the attacker to render some restore technologies useless (snapshots, disk array targets or appliances, cloud, etc.). A solid Disaster Recovery strategy will include some level of offline or air-gapped backup storage (tape or offline disk).
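
The checklist above can be turned into a rough recovery-window estimate. The following Python sketch is an added example, not part of the original article: it restores systems in priority order and reports which ones would miss their SLA, both normally and when only air-gapped tape survives a breach. The inventory, restore rates and all names in it are constructed assumptions to be replaced with your own measured figures.

```python
import heapq
from dataclasses import dataclass, replace

# Assumed sustained restore rates in GB/hour (constructed figures; substitute
# the rates you measure in your own restore tests).
RESTORE_GB_PER_HOUR = {"snapshot": 5000.0, "disk": 1000.0, "tape": 400.0}

@dataclass(frozen=True)
class System:
    name: str
    priority: int      # 1 = restore first
    size_gb: float     # data that must be restored
    rto_hours: float   # SLA: hours allowed from the decision to recover
    source: str        # fastest restore source normally available

def recovery_plan(systems, streams=1, only_source=None):
    """Return [(name, hours_until_restored, sla_met)] in restore order.

    streams: restores that can run in parallel at full rate (an assumption).
    only_source: force every restore onto one source, e.g. "tape" when
    snapshots and disk targets were made useless in the breach.
    """
    if only_source:
        systems = [replace(s, source=only_source) for s in systems]
    free_at = [0.0] * streams          # time each restore stream becomes idle
    plan = []
    for s in sorted(systems, key=lambda s: (s.priority, s.rto_hours)):
        start = heapq.heappop(free_at)
        done = start + s.size_gb / RESTORE_GB_PER_HOUR[s.source]
        heapq.heappush(free_at, done)
        plan.append((s.name, round(done, 2), done <= s.rto_hours))
    return plan

def recovery_window(plan):
    """Hours until the last system is back in service."""
    return max(done for _, done, _ in plan)

# Constructed sample inventory.
INVENTORY = [
    System("File shares", 2, 8000, 24, "disk"),
    System("ERP database", 1, 2000, 4, "snapshot"),
    System("Archive", 3, 12000, 72, "tape"),
    System("Email", 2, 3000, 8, "disk"),
]

if __name__ == "__main__":
    for label, kw in [("normal", {}), ("tape only", {"only_source": "tape"})]:
        plan = recovery_plan(INVENTORY, **kw)
        print(label, "window:", recovery_window(plan), "hours")
        for name, done, ok in plan:
            print(f"  {name:<13}{done:>6} h  {'ok' if ok else 'MISSES SLA'}")
```

With these sample figures every SLA is met in the normal case, while a tape-only recovery over a single stream misses the SLA for three of the four systems, which is the gap a recovery-window review is meant to expose before an incident.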

When your organization has planned and executed a solid recovery strategy, it is quite possible that it will take longer to make the decision to recover than the recovery takes to complete.