Written by Sam Woodcock, Senior Director of Cloud Strategy, 11:11 Systems
Today being impacted by a cybersecurity incident is almost inevitable and it is not a question of if, or even when, but how often an organisation will be attacked. According to Veeam’s 2023 Data Protection Trends Report, which surveyed 4,200 business and IT leaders on their IT and data protection strategies and plans, 85% of organisations said they have had at least one ransomware attack in the last 12 months and 79% of respondents said they have a protection gap. Additionally, according to the UK’s Information Commissioner’s Office, one in three data breaches in 2022 were caused by ransomware. Therefore, as well as considering preventative cybersecurity measures, companies also need to think about whether and how they will recover from a malicious attack. How quickly they can recover their systems and applications and the cost of recovery to the business.
Do you have a plan?
A fundamental question every organisation should ask themselves is: Would we survive a cybersecurity attack? Along with: Do we know our level of preparedness; do we know how to recover our critical applications; do we understand the risks the organisation faces and do we regularly test our recovery plans?
Here at 11:11 Systems, we know that recovering from a data-compromising cyberattack requires planning, investment, capabilities, procedures, and so much more. Additionally, we understand how important it is for organisations to recognise the difference between traditional disaster recovery, in response to incidents such as wildfires, earthquakes, and extreme weather conditions, and compromised data recovery in the event of a cybersecurity incident.
Unfortunately, as the statistics above highlight, the latter is the more likely and more impactful disaster recovery event and unfortunately an interruption to operations caused by a cyberattack can cost businesses an enormous amount, financially and reputationally.
Cyber and back-up teams must be aligned
Another key finding from the Veeam research was that the vast majority of organisations surveyed had a hybrid environment, with an even split across architectures and workloads in the cloud, in virtual set ups, and on-premises. The key takeaway here is that modern data protection solutions must provide equitable capabilities across all architectures (physical, virtual, and cloud). In addition, organisations should plan for workloads moving across clouds and even back on-premises, and data protection strategies should accommodate for that fluidity. This means cyber and back-up teams must be aligned, and back-up must be part of an organisation’s wider cybersecurity strategy and integrate with modern systems management.
Interestingly, the research went on to highlight that 37% of victim organisations of a ransomware attack had a no pay policy, but regardless of their policy 80% of companies paid the ransom anyway. More concerningly, 15 to 20% of those who paid still couldn’t recover their data.
So, what should an organisation do to ensure that it can recover important applications?
In our cloud-centric world, organisations are creating an incredible amount of applications and data to drive their operations. IT teams use complex software programmes and applications that rely on other applications, external services, distributed systems, and various data sources. Application recovery planning helps organisations quickly recover critical data, applications, or systems in case of an unexpected outage or a cyber incident.
Application recovery requires careful planning
Determining how to protect and recover an application can often be easier than determining how quickly your business needs that application recovered. Establishing the correct recovery point objective (RPO) targets at an application level is a critical part of DR planning.
It’s important to understand best practices for building an application recovery plan for both simple and complex applications. Especially with dependent external software programmes and services.
The key to this is understanding how different components of the application interact with each other. This involves identifying all the external services and dependencies that the application relies on and understanding how they work together.
The organisation needs to think about compatibility and verification
In other words what technology should it leverage and where is the best place to bring applications back up and running from a compatibility perspective? Key questions to consider here are:
- Is my hypervisor and versioning compatible with the cloud solution?
- Is my virtual guest hardware also compatible
- How can I ensure that the architecture of my VMs is considered and compatible with the cloud
When considering connectivity, questions to think about include whether you have enough bandwidth to leverage cloud services as well as how to select the best cloud location for a positive and seamless end user experience. Likewise, how can you validate that connectivity will allow the organisation to meet its RPO objectives?
In a complex hybrid environment with many different components, it is also important to consider application dependency and to map out how applications work, how they communicate, and which are dependent on each other. To tackle these challenges, it is essential to understand the application architecture and the dependencies between its different components. This may involve conducting a detailed application analysis and identifying all external software services, systems, and dependencies.
This type of exercise should be undertaken on a continuous basis because the situation is dynamic and can change very quickly. A deep understanding of application and infrastructure is critical to successful application recovery, as is understanding end user access and ensuring a seamless user experience.
So, what are the key steps an organisation should take to recover applications from an attack?
- Identify and isolate the affected systems: As soon as the attack gets detected, the first step is to identify the affected systems and isolate them from the rest of the network to prevent further spread of the infection.
- Assess the damage: The next step is to assess the extent of the damage caused by the attack, including the loss of data and the compromise of critical systems. This assessment will help determine the application recovery strategy.
- Restore from back-ups: If you have backups available, you can use them to restore the system to its previous state. To ensure data integrity and system functionality, you should thoroughly test the recovery process.
- Rebuild affected systems: If backups are unavailable or the data gets corrupted, you must rebuild the affected systems from scratch. This process involves rebuilding the operating system, applications, and data, which can be time-consuming and challenging.
- Improve security measures: Once the system has been restored or rebuilt, it is essential to improve the security posture to prevent attacks in the future.
To mitigate these risks, it is critical to have a robust application recovery DR plan in place that includes regular back-ups, testing, and security measures to prevent such attacks. Having a clear communication plan is vital to inform stakeholders of the situation and the recovery. As the statistics in the Veeam Data Protection Trends report highlight, having a DR plan for application recovery in the cloud isn’t an option —it’s a must.
