Ransomware data protection grows in increasingly WFH world
As COVID-19 increased the number of people working remotely, experts have found that more businesses move to bolster their backup for protection against ransomware attacks.
By changing the way people work, the COVID-19 pandemic has also altered the way IT must handle data protection and security.
Businesses going remote suddenly face a new set of data protection challenges. Laptops, mobile devices and home networks aren't likely to be as secure as devices inside an organization's walls, yet businesses are relying on these a lot more. The rapid change can leave important corporate data exposed and provide cybercriminals more targets.
Ransomware has been a serious problem for businesses over the past few years, but the increased remote workforce has exposed new avenues of attack.
In April 2020, IT analyst firm Evaluator Group conducted a short study on COVID-19's impact. The study identified the top three investments among businesses in response to the pandemic as enhancements to security, data protection and cloud infrastructure. The study also concluded the infrastructure changes that organizations deploy to support at-home workers are likely to stay permanent.
Krista Macomber, senior analyst at Evaluator Group, said for some businesses, the reaction to the pandemic has been like partially enacting disaster recovery plans. She said businesses are becoming more open-minded about using the cloud, and the pandemic has pushed companies that were reluctant to use cloud and SaaS into doing so.
"A lot of organizations are not as prepared as they expected to be," Macomber said.
Phil Winder, chief of information technology at Delaware Department of Correction, said he built out the infrastructure in his department's prisons to withstand hurricanes, so he already had DR in mind. His setup also gives him a way to respond to ransomware.
COVID-19 didn't impact the Delaware Department of Correction's data protection from a technology standpoint, Winder said, because each of the system's prison is like a small city, and the state's four level-5 "super max" facilities can operate on their own.
"It's about staying prepared," Winder said. "Staying prepared is the only way to survive these types of attacks. You need something to roll back to."
Winder, who uses Commvault to protect terabytes of data, said ransomware is a top concern for him. A ransomware attack would be catastrophic, as the Department holds medical records, sentencing records, court order documents and other important data on its inmates and offenders on probation. Winder said data loss meant potentially losing track of offenders' treatment progress and time served. It wouldn't necessarily be gone forever, as that data could be rebuilt by going to the court system and manually pulling paper records -- a process Winder wants to avoid.
The Delaware Department of Correction has personal data on around 4,000 inmates in level-5 facilities and supervises 12,000 offenders on probation. Surveillance video data is also stored. Winder said it is around 2 TB of data that is usually maintained for 30 days.
No matter how prepared they were before COVID-19, circumstances around the pandemic has given IT shops new dangers to deal with.
Steve Costigan, senior director of International Solutions Architects at storage-as-a-service vendor Zadara, said remote work leads to more deployments of technologies such as Microsoft's remote desktop protocol and SaaS applications. He said customers are doing this quickly to remain operational during the sudden shift to remote work.
Costigan said this acceleration may have consequences that won't be seen until many months later. More people working at home, using the cloud and devices that aren't vetted by their IT security teams are opening up new vectors for cyberattacks. The challenge for organizations focused on quickly setting up remote infrastructure is to remember to secure it during implementation.
"If you're doing things in a rush, you make mistakes," Costigan said.
Costigan noted several storage purchasing patterns among Zadara customers. Customers are finding they aren't guaranteed access to their colo facilities, making it impossible to do daily tape rotations. Costigan said there's a shift from tape toward object storage for long-term retention. At the same time, he also noticed increased interest in solid-state-based technology, as customers seem less focused on backup windows and more concerned with how quickly they can restore.
Flexential provides colocation services throughout the U.S. with secured data center facilities. Craig Cook, vice president of solutions architecture and engineering at Flexential, said he has seen about a 20% increase in network usage since lockdown orders were issued in March. VPN traffic, conference systems and video streaming among Flexential's customers have accounted for this surge in internet traffic. Cook said there have also been spikes in phishing attacks, and concluded it's a result of newly exposed security vulnerabilities that customers didn't account for.
Cook said there has been an increased demand for storage capacity, power and cooling at customers' colos to host virtual desktop infrastructure (VDI) and backup data. Cook noticed customers aren't protecting more systems, but they are increasing frequencies of backups and being less particular about what's considered critical. This has resulted in an overall increase in backup data.
There has also been increased adoption of Flexential's DRaaS offering. Cook said people are realizing they can't get into their physical data centers, which can be problematic during a failover scenario. He said the pandemic has prompted more customers to take a hard look at their disaster preparedness.
"A lot of these events that were deemed very unlikely have all come to fruition at once," Cook said.
Cook also noticed customers trying to scale up their remote work infrastructure have been running into supply chain problems. Customers might need more storage, servers and bandwidth, and the equipment for that is manufactured in China. Some customers try to get around hardware shortages by adopting more SaaS applications. Cook said OneDrive, Box and Dropbox will become the most common ways businesses store and share files.
The seriousness of ransomware
Doug Matthews, vice president of product management at data protection vendor Veritas, said increased remote work has dramatically broadened the attack surface for ransomware. Laptops, mobile devices and home networks are unlikely to be as secure as devices inside a data center, yet businesses now rely on these a lot more. Matthews said it is likely -- almost inevitable -- ransomware will get in.
Matthews said combating ransomware is about detection, protection, mitigation and recovery. Historically, IT have separated the first two into security and the last two into data protection. However, Matthews said ransomware is changing administrative behavior. He noticed more of his sessions with customers include system admins and members of the security team. Security and data protection teams work together to address cyber threats, where they used to solve their issues separately.
"People are without a doubt taking [ransomware] more seriously. It's top of mind," Matthews said.
Outside of greater ransomware concerns, Matthews said he noticed increased customer interest in laptop backup. More people working from home means more people saving their work locally, which opens up the possibility of data loss if the device is lost, stolen or hacked. He said customer requests are spiking for Veritas NetBackup CloudCatalyst, which writes local backup to cloud storage.
Matthews said Veritas is also finding more interest in protecting SaaS workloads. Matthews said SaaS adoption was already growing, but the COVID-19 pandemic has accelerated it. Businesses using SaaS products such as Microsoft Office 365 and Salesforce were quickly realizing that native availability and data retention features for them tended to be inadequate, so they've turned to third-party vendors like Veritas.
"It threw gas on the fire," said Matthews of the work-from-home circumstances.
Combining data protection and security is not a new idea, especially since ransomware has started targeting backups. Arcserve recently added to its Secured by Sophos line of products that combine Arcserve's data protection capabilities with Sophos security software to prevent backups from getting encrypted by bad actors.
Oussama El-Hilali, CTO at Arcserve, said protecting against ransomware is now more important than before due to a shift in consumer sentiment. Citing a survey commissioned by Arcserve and completed by Dynata, El-Hilali said consumers are becoming more aware of cyberattacks and actively avoid companies that have been hit.
The survey of 1,998 respondents across North America, the United Kingdom, France and Germany was completed in December 2019. It found that 59% of consumers would avoid doing business with companies that have experienced a cyberattack in the past year. Also, 43% of respondents said they were willing to pay more for products and services from an organization they believe can reliably secure their data.
El-Hilali said in the past, consumers were more sympathetic to companies victimized by cyberattacks. But this study found that 17% of respondents view ransomware-afflicted businesses as incompetent. El-Hilali said the study showed a link between the strength of a company's data protection and its marketability -- something rarely considered in the past.
"There is a relationship between ransomware and consumer behavior," El-Hilali said, adding that businesses usually don't consider an investing in backup as something that could impact customer opinion.
El-Hilali said since the surge of internet traffic due to more people working remotely, cyberattacks have increased. Bad actors are focusing on endpoints, using workers' laptops to gain access to the rest of the business's data. The study shows how much more dire the consequences of ransomware has become, and why it's important for businesses to keep data protection in mind as they build out infrastructure to support remote work.
"There used to be a mindset that you can just recreate the data if it's lost. Now, you need that data, because its loss could cost you your business," El-Hilali said.