When it comes to ransomware attacks, those who lose valuable data and have no viable backup tend to pay the ransom, while those with backups simply restore their data. However, neither group walks away unscathed because they both suffer downtime.
Downtime is the period when systems are unavailable for use, and it can cost small and midsize businesses thousands of dollars or worse—it could put them out of business. An Imperva survey of RSA 2017 attendees found that downtime costs companies more than $5,000 in 56% of cases and more than $20,000 in 27% of cases. Depending on the size of your company, this could be the cost of doing business, or it could be a catastrophe.
Establishing Recovery Time Objectives (RTOs)
Companies should take the time to identify the maximum amount of downtime that is acceptable under various disaster scenarios. It’s a good idea to get started on this right away because this information will help determine what type of backup systems you need to have in place.
For example, business leaders may decide, after analyzing the data, that email should be restored within 10 minutes, domain services within 30 minutes, customer-facing websites within 30 minutes and the Enterprise Resource Planning (ERP) system within 45 minutes. These values constitute applications’ Recovery Time Objectives (RTOs). Business leaders may also decide that email can be down for a maximum of one hour, domain services for two hours, customer-facing websites for four hours and the ERP system eight hours before losses due to the downtime are intolerable. Each of these values constitutes a Maximum Tolerable Period of Disruption (MTPOD).
In most circumstances, systems would need to be restored in accordance with the RTOs and, in extraordinary circumstances, systems would be restored within the MTPOD.
Based on the RTO and MTPOD, IT and other groups put redundancy, business continuity, and backup and recovery strategies in place to meet these objectives. This may involve a hybrid recovery strategy with cloud and on-site backups. Companies might also decide to use cloud replication with virtualization to resume services at another site if the primary site fails. Backup and recovery systems are crucial in bringing systems online after disasters like ransomware strike.
Actual vs. estimates
I have found that initial estimates for recovery objectives are often in need of revision following the first incident. Trend Micro estimates that the average ransomware recovery takes 33 hours. This is far higher than most organizational estimates prior to a ransomware infection. That’s likely because organizations don’t always factor in the initial steps of incident response when determining their RTOs. In the example above, recovery controls alone might be able to meet the domain services MTPOD of two hours, but it takes first responders 30 minutes to validate the incident and identify the extent of the incident scope, which results in the organization exceeding the MTPOD by 30 minutes.
In other cases, organizations have been surprised by the scope of ransomware infections. Trend Micro found that 47% of ransomware spreads to 20 or more people. Furthermore, ransomware is efficient at targeting sources of information in organizations. Without this critical information, large groups of employees are unable to do their jobs.
It’s also important to remember that recovery plans need to be kept up to date. Organizations relying on outdated plans may have unclear expectations as to when steps in the plan will be complete and as a result, they will be unable to meet recovery objectives.
Establish RTO and MTPOD for systems based on their availability need. Next, put controls in place to meet these recovery metrics. If you have not experienced ransomware before, consult with those who have to determine if controls are adequate. Backup and recovery controls are the most crucial elements and must be designed appropriately. That means ensuring that recovery is available to the required locations at appropriate speeds to meet objectives.
Recovery metrics should be reevaluated annually to ensure that changes in business availability needs are reflected in the established metrics. Controls should go through a similar process of evaluation against recovery metrics to ensure that controls can adequately meet recovery metrics for potential threats.