BankThink

Data backup is the front line against ransomware

Organizations need to readjust how they think about potential ransomware attacks. In most cases, it’s not a matter of if, it’s a matter of when. This makes a modern approach to data backup and recovery vital for when a worst-case scenario takes place. When it comes to regulatory compliance, this is just as important for financial institutions as live systems are.

A modern approach to data management will go a long way in helping banks and other financial services firms through the economic uncertainty caused by the global pandemic. It can also help future-proof data infrastructure and put the appropriate protections in place before it’s too late.

We live in an on-demand world where services need to be available at the click of a button. For financial services, which need to be up and running 24/7, an unplanned break in services, whether caused by a ransomware attack, a systems failure, or even a state-sponsored attack, must be avoided at all costs.

Like any industry, financial services can’t afford service downtime that would block consumers from accessing their money or enterprises from completing business-critical transactions. Such downtime not only equates to monetary losses but, even worse, could inflict damage on brand reputations that can have a long-lasting effect.

Financial services institutions are, understandably, subject to some of the most stringent regulations of any industry, such as the California Consumer Privacy Act, which is regional but is being adopted by large tech firms such as Microsoft, and a range of others specific to different aspects and services like the Gramm-Leach-Bliley Act and Dodd-Frank Act. For these institutions, data backups and the ability to recover them are not just a matter of getting business up and running in the case of a hardware failure — it’s about much more than that.

When you think about compliance you’re likely thinking about live production systems. However, there are requirements for backups that should also remain front and center. Consider the European Union’s GDPR, for example.

It requires organizations not to keep personal data longer than it is needed, and organizations must regularly review data to determine whether it is still needed. Individuals have the right to ask for their personal data to be removed. While this varies case by case and application to application, it’s important for financial services organizations to avoid repopulating applications with data that is not required for a backup.

GDPR also requires that organizations respond to requests from individuals for their data within one month. That is an adequate amount of time, but malicious attacks such as ransomware could leave organizations without complete access to their data for significant periods of time. Data backups can also be vulnerable, particularly those on a network-attached storage device.

In the U.K., the National Cyber Security Centre suggests that organizations keep recent offline backups of the data and files they deem most important. Regardless, many organizations remain without a backup system that enables the recovery of data. A recent report from Sophos found that 56% of organizations that endured a ransomware attack reacquired their data through backups. Meanwhile, 26% paid the ransom, 12% reported using “other means” and 6% were not able to recover their data at all.

All of this seems to indicate that backup tools are a last resort, but many don’t even meet that expectation. According to the research, for example, data backups for enterprises are successful roughly half of the time. This means that backups need to take on a wider and more visible role within organizations, particularly for those in financial services, where any downtime at all can be extremely costly.

Modern data management has the capability to detect if any changes have been made to the data, down to the bit level, which could indicate that an attack is underway. It’s also possible to scan VMs for potential weaknesses in order to prevent a threat or an attack before it happens in the first place.
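To make the change-detection idea above concrete, here is an added example that is not taken from the article or from any backup product. It compares two consecutive backups by content hash and flags a run in which many files changed and most of them turned into random-looking data; the thresholds, file names and sample contents are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compare_snapshots(prev, curr, max_changed_ratio=0.30, high_entropy=7.5):
    """Compare two backups given as {path: file bytes}; thresholds are assumptions."""
    shared = sorted(prev.keys() & curr.keys())
    # SHA-256 differs if even one bit of the file differs between the two backups.
    changed = [p for p in shared
               if hashlib.sha256(prev[p]).digest() != hashlib.sha256(curr[p]).digest()]
    # Encrypted output looks random: flag files that went from low to high entropy.
    # Files that were already compressed or encrypted are not counted here.
    scrambled = [p for p in changed
                 if entropy(prev[p]) < high_entropy <= entropy(curr[p])]
    ratio = len(changed) / len(shared) if shared else 0.0
    suspicious = ratio > max_changed_ratio and 2 * len(scrambled) > len(changed)
    return {"changed": changed, "ratio": ratio,
            "scrambled": scrambled, "suspicious": suspicious}

def constructed_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic random-looking bytes standing in for an encrypted file."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))

# Constructed sample data: four small text files in the previous backup.
PREVIOUS = {
    "ledger.csv": b"account,balance\n1001,250.00\n1002,980.10\n" * 40,
    "customers.csv": b"id,name\n1,Alice Example\n2,Bob Example\n" * 40,
    "report.txt": b"Quarterly reconciliation completed without exceptions.\n" * 40,
    "notes.txt": b"Rotate the backup credentials every ninety days.\n" * 40,
}
# Routine change: a single bit flipped in one file.
ROUTINE = dict(PREVIOUS, **{"notes.txt": bytes([PREVIOUS["notes.txt"][0] ^ 0x01])
                            + PREVIOUS["notes.txt"][1:]})
# Ransomware-like change: three of four files replaced by random-looking bytes.
ENCRYPTED = dict(PREVIOUS, **{name: constructed_ciphertext(name.encode())
                              for name in ("ledger.csv", "customers.csv", "report.txt")})

if __name__ == "__main__":
    for label, snapshot in (("routine", ROUTINE), ("encrypted", ENCRYPTED)):
        print(label, compare_snapshots(PREVIOUS, snapshot))
```

The single flipped bit is reported as a change but does not raise the alarm, while the mass shift to high-entropy content does.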

Today’s criminals are increasingly attacking backup data and infrastructures in addition to the production environment. In many cases, malicious attackers take advantage of vulnerabilities common to legacy backup solutions that were created before ransomware became what it is today. For example, advanced malware has the ability to completely destroy restore-point data and shadow copies, making antiquated backup solutions and infrastructure easy prey.

It may seem odd to encourage financial services organizations to overhaul their data management strategies by placing a greater emphasis on backups. But the simple truth is that many in the industry view data backups as a necessary evil, and they treat them as such by filing them away as a sort of insurance policy that they never really intend to use. This is particularly the case for backups contained within outdated infrastructures.
