Fall World 2017

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 30, Issue 2

Full Contents Now Available!

The Business Continuity Institute

There’s no point in saying “it will never happen to me” as disruptions are always just around the corner, regardless of what sector or location you are in. This reality was brought home to us overnight as thunderstorms with strong winds and heavy rain swept across the south of England. The problem was exacerbated by dry weather in recent months leaving the ground hard, so rain water could not easily soak away, resulting in flash floods.

The aftermath was plain to see this morning – standing water, trees down and debris brought by the flooding scattered everywhere. Last night there were reports of the urgent need for sandbags as water levels rose, and several local restaurants had to be evacuated as the water eventually did enter the building.

Of course there’s no reason to worry and BCI Central Office is in not in any danger of flooding. But it is a reminder that we, the BCI, along with every other organization, need to have a business continuity plan to deal with such events. What would have happened if flood water had entered the building, what would have happened if staff could not get to work because of travel disruptions, what would have happened if power had been cut off due to the storms? All these things need to be considered in advance if we are to remain a functional organization despite whatever disruption comes our way.

Thankfully we do have a business continuity programme in place, so should the worst happen then we will be prepared for it. For well over a year we have had a team made up of CBCIs and DBCIs working in Central Office, led by one of our Fellows and championed by a member of the Board.

The team have been working hard to ensure that threats and consequences are analysed, priority activities are declared, and processes are in place to make sure those priority activities can continue in the event of a disruption. To date it has worked, but we would never rest on our laurels and become complacent, rather we ensure it is an evolving process that continues to develop based on changes at Central Office, the result of actual disruptions, or the outcome of exercises.

This programme will be developed further as we are now recruiting for a dedicated business continuity professional to take it forward.

Business continuity is clearly important to our members, so it is vital that we practice what we preach and have a business continuity programme to be proud of, and we like to think we have achieved this.

David Thorp
Executive Director of the Business Continuity Institute

Wednesday, 19 July 2017 16:09

Data Recovery in the Age of Ransomware

y

https://blog.barracuda.com/2017/07/19/data-recovery-in-the-age-of-ransomware/

Earlier this year, the world recognized World Backup Day (WBD) as a reminder to everyone that data is important and has to be protected. As part of the WBD recognition, Barracuda ran a series of blog posts on the reasons why companies lose data even when they do almost everything right.

As a follow up to our WBD activities, Barracuda conducted a survey of general technologists whose responsibilities include data protection and recovery. To be blunt, some of these results are alarming. In this article, we are going to run through the results, explain what they mean, and take a look at how to resolve these issues of concern.

Ransomware

As you know, ransomware is a global epidemic and is expected to cost over $5 billion in damages in 2017. Ransomware is a dangerous attack because it doesn’t just make a system unavailable; it renders the data unusable. This has already caused a great deal of trouble for healthcare institutions, government entities, law enforcement agencies, and of course, businesses all over the world. If you’ve fallen victim to a ransomware attack, there are only two ways to get your data back without paying the ransom: get a free decryptor from a service like this one, or fall back on your data protection strategy and recover your data.

Some victims have no choice other than to pay the ransom or lose their data. This is an unfortunate situation, because even if the ransom is a small amount, there are a number of problems with this course of action:

  • Criminals know you are willing to pay a ransom and are more likely to target you again
  • There is no way to know that the criminals will or can decrypt your data
  • Decryption might not work properly and you may lose data anyway
  • Law enforcement agencies and other authorities discourage rewarding the criminal by paying the ransom

You can leave your data decryption and recovery up to chance, or deploy a comprehensive strategy before the attack.

Data Protection and Recovery

There are a number of definitions for “data protection,” but the common theme is that it requires more than running a backup. Proper data protection is included in the security planning: it includes business continuity and disaster recovery planning, as well as the many security practices involved in preventing unauthorized access. The Barracuda survey focused on data recovery, which is ultimately what system administrators are trying to provide for their companies. Comprehensive data recovery involves data availability and data accessibility at all times.

Availability vs Accessibility

Let’s start with a quick overview of what these are. When we talk about the availability of a data backup, we’re talking about the data that is stored as a backup. In the case of a tape-based or a disk-based system, the data that is backed-up is available on the tape or on the disk.

Data accessibility refers to how easily it can be accessed for recovery. In our examples above, the data is not accessible unless the tape or disk is with a compatible system. Accessibility for that system may be close to 100% for an administrator in a server room, but may be reduced to zero while the administrator is off-site or away from a designated computer. Meanwhile, the availability of the data remains the same.

When questioned on the importance of availability and accessibility, 70.3% of respondents say that these two are equally important. This indicates that our respondents understand the value of the data as well as the value of recovering the data quickly, possibly from a remote location or even a mobile device.

Protecting Multiple Locations

Perhaps one of the reasons that so many respondents value accessibility as highly as availability is that 53.4% are responsible for data recovery in more than one location. That means that the majority of the respondents are working remotely at least some of the time. Their data recovery systems have to be accessible from more than one location and probably by more than one method.

50.6% of respondents say that their backups are cloud-based, and 76% of respondents replicate their data backups in the cloud. These numbers suggest that the 77.4% who say they have a disaster recovery plan are using the cloud for redundancy and accessibility. Cloud based data recovery is generally performed through a web browser with no need for special hardware.

The Bad News

There are two data points that cause some concern among the Barracuda data protection professionals. The first is that 81.2% of respondents do not test their data protection strategies more than once per year, and about half of that number do not test them at all. This could be a major pain point for these respondents. As we mentioned earlier, data recovery may be the only way to avoid paying a ransom that may or may not result in the decryption of data.

Another point to consider is that it’s good business to test the company resources. If the company has invested in the technology and planning to protect the data, then these things should be tested on a regular basis. User files change in value, applications are added or replaced, data is moved … these are all reasons to be testing backups more than once per year. Perhaps an application upgrade uses a new database instead of the old flat files. Perhaps a new application was never added to the data protection plan.

The second point here deals specifically with Office 365.  Nearly 66% of Office 365 administrators are relying on the Recycle Bin for backup. Only about 1/3 of our respondents are using a data protection solution to protect their Office 365 deployments.

The Microsoft Recycle Bin is a nice feature, but it’s job is to help the organization safeguard against accidental data loss. It’s not meant to be a data recovery solution. It doesn’t offer the features necessary to protect Exchange, Sharepoint, OneDrive, and the other services. Default retention times are not standard across services, so administrators may not even have the minimal protection that they expected. Data is non-recoverable once it is deleted or ages out of the Recycle Bin. Companies that have to work within compliance frameworks and liability requirements may find that the native Microsoft tools do not meet the regulatory standards.

What Next?

If you find yourself in one of the scenarios that we identified as “bad news,” don’t worry too much. These are things that can be fixed quickly, and then improved upon as you go along. You can start right now by evaluating your current data protection and recovery plan. Do you have one? Who is responsible for the deployment and management of the plan? Is the plan being tested? Are there any gaps between your recovery objectives and the capabilities of your data recovery solutions?

One of the most important questions for you to consider is whether your data protection and recovery plans are part of your security strategy? If you work in an environment where data protection is separate from security, it’s time to bring those two functions together. In the age of ransomware, they cannot be separated.


Rod Mathews is SVP & GM, Data Protection Business at Barracuda Networks.  Connect with him on LinkedIn here

The Business Continuity Institute

One in eight global business decision makers believe that poor information security is the ‘single greatest risk’ to the business, according to a study by NTT Security, which also found that 57% believe a data breach to be inevitable at some point.

The 2017 Risk:Value Report highlighted that the impact of a breach will be two-fold, with respondents expecting a breach to affect their long-term ability to do business, together with short-term financial losses. More than half (55%) cite loss of customer confidence, damage to reputation (51%) and financial loss (43%), while 13% admit staff losses and 9% say senior executive resignations would impact them.

56% of business decision makers say their organization has a formal information security policy in place, up from 52% in 2015. Just over a quarter (27%) are in the process of implementing one, while 1% have no policy or plans to do so. However, while the vast majority (79%) say their security policy has been actively communicated internally, a minority (39%) says employees are fully aware of it. Germany and Austria (85%) are above average in communicating the policy, together with the US (84%) and the UK (83%).

Less than half (48%) of organizations have an incident response plan, although 31% are implementing one. But just 47% of decision maker respondents are fully aware of what the incident response plan includes.

The study also found that many global business decision makers are still unaware of the implications of the forthcoming General Data Protection Regulation (GDPR), as well as other compliance regulations, with one in five admitting they do not know which regulations their organization is subject to. Just four in ten (40%) respondents globally believe their organization will be subject to the EU GDPR.

Coming into force in May 2018, the legislation leaves companies with less than a year to comply with strict new regulations around data privacy and security and could result in penalties of up to €20 million or 4% of global annual turnover, whichever is higher.

With data management and storage a key component of the GDPR, the report also reveals that a third of respondents do not know where their organization’s data is stored, while just 47% say all of their critical data is securely stored. Of those who know where their data is, fewer than half (45%) describe themselves as ‘definitely aware’ of how new regulations will affect their organization’s data storage.

Data breaches are already the second greatest cause of concern for business continuity professionals, according to the Business Continuity Institute's latest Horizon Scan Report, and once this legislation comes into force, bringing with it higher penalties than already exist, this level of concern is only likely to increase. Organizations need to make sure they are aware of the requirements of the GDPR, and ensure that their data protection processes are robust enough to meet these requirements.

“In an uncertain world, there is one thing organizations can be sure of and that’s the need to mark the date of 25 May 2018 in their calendars," according to Garry Sidaway, SVP Security Strategy & Alliances at NTT Security. “While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe. Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it. Unfortunately many organizations see compliance as a costly exercise that delivers little or no value, however, without it, they could find themselves losing business as a result, or paying large regulatory fines."