Federal government organisations in Brazil may need to reassess their approach to cyberthreats, according to a new report by the country’s Federal Audit Court. It outlines multiple areas of concern across 29 key areas of risk. One of the biggest problems in the cybercrime section of the report relates to backups, specifically the lack of backups when dealing with hacking incidents.
Backups in Brazil: An uphill struggle
Backups are an essential backstop that can help against several forms of attack, as well as mistakes and mishaps. The most obvious one of those would be ransomware. When networks are compromised and systems are locked up, victims with effective backups can try to restore their systems to a point in time before the attack.
Not having backups leaves victims with very limited options. Assuming the attackers don’t just vanish into the night, the business may decide to pay the ransom and recover the encrypted files. At best, that is a slow, manual process. If things go badly, the decryption tools may be broken and fail to recover data. In some cases, they may not even exist. At this point, an organisation is out of pocket and files.
This is enough to cause showstopping issues for any organisation. And if the affected business performs critical tasks, attacks can have alarming consequences for the community at large. Healthcare and law enforcement are good examples of this.
As a result, getting up to speed on backing up data has become more prominent in recent years. And it’s not just a matter of backing up: it’s important that organisations create sensible, organised backups which can be deployed in a crisis. You can’t roll back properly if the files are disorganised and nobody can make sense of which folder goes where.
With this in mind, the statistics don’t make for great reading.
The numbers game
According to the report:
- 74.6% of organizations (306 out of 410) do not have a formally approved backup policy—basic document, negotiated between the business areas (“owners” of the data/systems) and the organization’s IT, with a view to disciplining issues and procedures related to the execution of backups.
- 71.2% of organizations that host their systems on their own servers/machines (265 out of 372) do not have a specific backup plan for their main system.
- 66.6% of organizations that claim to perform backups (254 out of 385), despite implementing physical access control mechanisms to the storage location of these files, do not store them encrypted, which carries a risk of data leakage from the organization, which can cause enormous losses, especially if it involves sensitive and/or confidential information.
- 60.2% of organizations (247 out of 410) do not keep their copies in at least one non-remotely accessible destination, which carries a risk that, in a cyberattack, the backup files themselves end up being corrupted, deleted and/or encrypted by the attacker or malware, rendering the organization’s backup/restore process equally ineffective.
Backing up: Not a guaranteed fix
The report notes that various initiatives already exist to get people talking about the need for both encryption and backing up. While any rise in backup numbers is a good thing, it’s not necessarily going to come close to solving problems.
One of the worst offshoots of standard ransomware attacks in the past few years is the rise of “double extortion”, where ransomware authors steal data before it’s encrypted, and then threaten to release it if the ransom isn’t paid. One of the reasons double extortion attacks came about is precisely because backups don’t work against data leaks.
For organizations that do keep backups, the challenge is how to set them up and maintain them so they do what’s expected, when they are needed most. This is surprisingly difficult.
David Ruiz, host of Malwarebytes’ Lock and Code podcast, recently spoke to backup expert Matt Crape, a technical account manager at VMware, to find out why backups often fail when it really matters, and how to ensure they don’t.