World Backup Day: IT and security teams need to work better together or we are going to fail

It's like in the movie "Groundhog Day". Every 31st March the music plays and on World Backup Day we are reminded of the promise: "I solemnly swear to back up my important documents and applications". A noble goal that every company and every user immediately agrees to.

But in the weeks surrounding World Backup Day, we hear from the media that companies have been hacked and their data hijacked by ransomware. The big promise to restore the data from the backup and thus be resistant to any attempt at blackmail is then broken again.

The numbers speak for themselves, and the latest ENISA industry report on the transportation sector provides the facts. Last year, ransomware was the dominant threat, accounting for 38 percent of all recorded attacks, with data deletion at 30 percent and malware at 17 percent, in second and third place respectively. The report clearly emphasizes that due to the Russia / Ukraine war, state-supported actors and hacktivists have carried out targeted attacks against the transport sector in Europe. Clear evidence that the motivation is shifting towards "disrupting and destroying operations". 

Companies shouldn't just look at ransomware alone either. It doesn't always have to be a hostile act that makes backup and the associated disaster recovery process worthwhile. When an excavator cut important optical fibers during construction work at Frankfurt Airport at the beginning of February, operations were seamlessly switched to redundant systems and lines. However, when trying to revert back to normal operation, the primary system wobbled and had to be shut down for several hours. Several thousand flights were cancelled and Lufthansa's reputation suffered.

Collaboration is key

Why do companies have such a difficult time with this task? One reason is the complexity of their environments and growing reliance on software and data, which are becoming more distributed. They made attempts to get the sprawl under control and ended up with dozens of isolated backup and disaster recovery solutions. The result: Some applications are overlooked, fall through the cracks and the safety net. In an emergency, processes have to be run through manually by people who are highly stressed. Mistakes happen and this increases recovery time. This is where companies should start to modernize by replacing uncontrolled growth with a central data security and management platform, accompanied by a strong Digital Operational resiliency plan.

Beyond the technical answer, it's vital for companies to ensure that their security teams work more closely with the infrastructure teams that are ultimately responsible for data recovery. Both teams have to pull together in order to contain the consequences of a successful attack, and at the same time maintain core operations. And they must coordinate closely to restore systems cleanly and hardened, lest they be compromised by the same attack again.

Both teams should agree on these four things:

1. ITOps and SecOps should co-own the cyber resilience outcomes 

The cyber resiliency outcomes should be defined in an objective and measurable way, ideally managed by a combined CISO / CIO role. 

These cyber resiliency outcomes need to include aggressive RPO and RTO that define specific targets for the overall objective: the ITOps and SecOPs teams need to be able to restore critical services and data even during a cyber incident such as a ransomware attack, and deliver the business outcomes.

The RPO and RTO will also guide both teams which controls and KPIs are required to deliver the desired security posture. These will form part of their Digital Operational Resiliency plan, which is a stage beyond the DR/BCP approaches taken by many companies today.

2. Joint ITOps / SecOps planning aligned with security posture targets 

Once both teams, SecOps and ITOps, have agreed on the common objectives, they can start a fact-based discussion about how to balance out investments into protect controls, and controls that minimize the impact if breached. By following this approach, this joint budget conversation stays aligned with the security posture and defines the right priorities to achieve Digital Operational Resiliency.

3. Comprehensive understanding between ITOps / SecOps Teams of the attack surface 

Both teams need to share the same understanding of the potential attack surface.

To gain these insights, both teams need to know what data the organization is storing, and where everything is located (on-premises, private cloud, public/multi cloud)

Both teams should also have the same understanding of the level of maturity their organization has with their visibility of data. This will enable them to better understand the potential risk of cyberattacks and data loss.

4. Coordination between ITOps / SecOps with incident response

Finally, both ITops and SecOps teams need to increase the collaboration to better interact during an incident response. To achieve this, ITOPs teams need to be tied into the incident response process. To evaluate the quality of their interaction as well as to identify potential issues, both teams should run regular drills and simulations as table top exercises, including tested recovery through clean rooms to demonstrate RTO, which is often different to their traditional BCP timings.

Image credit: Wayne Williams

Mark Molyneux is EMEA CTO for Cohesity.