Don’t expect cybercriminals to go easy during a hurricane. Quite the opposite, in fact. Just like they’ve used the coronavirus pandemic to launch COVID-related malware scams, hackers will capitalize on the names and news coverage of hurricanes to disguise attacks. That’s why now is a good time to review your cyber security posture and your overall cyber resilience strategy. We talked with Carbonite VP of Product Management Jamie Zajac about how to anticipate the types of adverse events that catch a lot of people and businesses off guard. With the right protection in place, you can maintain access to data during a hurricane – and all year round. You can start by knowing what to expect.
Get woke to data loss
When most people think of data loss, they think major disasters, like headline-generating storms and floods. Of course, it’s important to anticipate highly impactful outages. But these are far more rare than other causes of data loss. “It’s everyday scenarios that are really common. Like leaving a laptop on an airplane, dropping a phone in the river, or accidentally deleting a folder and having the recycle bin policies expire,” Zajac says.
Another cause of data loss is hardware failure. “Hardware has become more reliable,” Zajac says, “but you never know when a hard drive will fail, a computer will be dropped or a motherboard will crash.”
Since hardware has a finite lifespan, failure is inevitable. When you’re considering how to protect devices that store important data, Zajac recommends looking for a few key features:
- Continuous backup (so you’re capturing changes as you make them)
- Online file recovery (so you don’t have to wait to buy a new computer)
- Cloud failover for critical servers or disaster recovery as a service (DRaaS)
An ounce of prevention
Whether it’s a lack of awareness, the complexity of systems or the perceived difficulty of deploying protection, too many people and businesses fail to protect themselves ahead of time. “We often don’t think to make cyber security and data protection a priority until it’s too late,” Zajac says. “For consumers and business alike, we see a ton of inquiries about how to get data off a hard drive that wasn’t backed up. That is way more time-consuming, expensive, error-prone and ineffective than having a full cyber resilience and protection plan in place.”
“It’s never worth the risk of being hacked,” Zajac says. “I’ve seen businesses struggle and even close when they lose data, or their brands suffer because hackers have stolen their data. As compliance requirements and privacy requirements evolve, more and more small businesses face these risks.”
Hurricane checklist
Hurricane season is prime time for system outages. But it’s also a useful reminder to prepare for the unexpected. Here are three key steps you can take to form a strategy for dealing with annually occurring threats, according to Zajac.
- Anticipate your office being unavailable – Like the physical disruptions we’ve experienced with the COVID-19 pandemic, anticipate IT infrastructure becoming unavailable. Can you run systems in the cloud? Can you access a cloud backup quickly? DRaaS is a great solution for businesses susceptible to hurricanes.
- Back up everything, not just some things – Many people realize too late that they only chose to back up critical systems, and that one of those “second-tier” systems is also necessary to run the business. It’s better to have everything backed up than to be missing something. You can often save costs by tiering your backups or having different recovery objectives for different systems. But don’t skip backing up some systems.
- Test your backups – Know whether you can recover systems within the time required.
When it comes to hurricanes and weather-related risks, specific security-related concerns should also be considered. “It’s important to train people on the protocols for when they need to work remotely,” Zajac says. “Generally speaking, you should be training users on security best practices, whether they are remote or in the office. But people are more distracted and thus susceptible to phishing and social engineering when they are remote.”
If people need to work from cloud workstations, personal devices or laptops, make sure they have a security suite, such as cloud-based anti-virus and anti-phishing protection. Make sure you have security software that doesn’t require people to be in the office. For example, if you are relying on your firewall to block malicious websites, it won’t help employees who are off the network. Use DNS protection with roaming device security for these scenarios.
An all-of-the-above approach
Murphy’s Law dictates that you’ll probably experience the data breach you’re not prepared for. Any form of data loss can have bad effects. So, if you’re too narrowly focused on just one threat, consider all the potential adverse events you could experience.
“Hackers are a constant threat and can have really big impacts in terms of data loss, productivity loss, compliance requirements, regulatory fines, brand damage and more,” Zajac says. “A coffee spill is a constant threat,” she warns, “but the damage is typically isolated. You still don’t want to rely on someone re-creating all of your work if a coffee spill or other localized damage even occurs, especially if it is the CEO’s laptop.” Zajac continues, “A hurricane is a rare and often well-predicted event, but the impact can be catastrophic. You can’t wait for a hurricane to build a plan.”
The good news is that a competent IT consultant can help you build a strategy, and a good vendor can protect you against many of these adverse events in one fell swoop.
Setting expectations
There’s no backup without recovery. But how do you know if your recovery process is sufficient? It should align with the objectives you establish before disaster strikes.
“On an endpoint, you can typically get very fast file backup and recovery so that you only lose minutes of data and all files are available online in a web interface for fast access,” Zajac says. “For servers, you need to tier systems into mission-critical applications and use a very low RPO solution, such as DRaaS. Non-mission critical infrastructure can withstand a few hours or days to get running again.” Zajac suggests doing an impact analysis. If a given system is offline, how much will it cost your business?
Cloud considerations
It’s not just devices that are worth protecting. Today, both personal and business users leverage the public cloud, like Microsoft 365 and Azure, for much of their storage and computing needs. A lot of people make the mistake of thinking cloud data is protected by the vendor. But this is not the case.
“Microsoft cannot tell the difference between accidental data loss and legitimate file deletions because the content is no longer relevant. It’s up to users and company admins to make this determination,” Zajac says. “Microsoft 365 credential attacks are on the rise. It’s only a matter of time before someone creates or spreads ransomware to Microsoft 365 native data. That won’t be a good day for anyone who doesn’t have a backup in place.”
Next steps
Never let a good catastrophe, or the threat of one, go to waste. Use this hurricane season to make sure you have a robust cyber security and resilience plan. And not just for hurricanes, but for all the ways you can lose access to data.