Existential Threats Online II

Explore Cybersecurity – Backups

My prior post listed the IT threats to online businesses as I see them (see the previous post, or the list repeated below). So why, in this post, do I begin with Backups, the last item on that list? Answer: if any or all of the items before “Backups” caused your network or website to go offline, become unusable because of a corrupted server or database, or be encrypted by bad actors, you are going to be reliant on your backups. If you have backups but they sit on your network or your server in the wrong place, you may be looking at a major effort to recover the damaged data, if that can be done at all.

If you have been diligent about backing up your data regularly, you may be on the way to managing what could otherwise be a big job to restore, recover, or otherwise prevent an existential threat to your business. This, of course, depends upon the nature of the threat.

If your backups are on the same server or virtual private cloud that was damaged, you may not be out of the woods just yet. There are many cases where bad actors have penetrated a network or website, looked around, and left with no easily found traces, having decided that the time is not yet right to launch an attack. Code allowing them back into your network will certainly have been installed in your code. The result: your backup jobs may overwrite good backups with a backup of compromised data, and at some point in that scenario you will find that you have no clean backup. There are several ways to manage that risk, but none are truly simple.

I will lay out some rules we recommend for our clients.

  1. If you are hosted remotely, or use a network appliance, know who has full access, and how access is protected.
  2. DO NOT ASSUME you are safe because you are “in the cloud”. Cloud providers have all the same risks as everybody else.
  3. Back up your data. If you don’t have usable backups, you can be well and truly out of luck if you are hacked.
  4. Automate your backups. There are many ways to do that, but don’t leave it up to your memory.
  5. Trust, but verify. If you leave backups to your hosting provider or to a tech agency, know how and where to go to test them.
  6. We recommend separate backups by data type: Accounting and HR records, website database, website folders, etc.
  7. Follow the 3-2-1 backup rule: 3 copies, in 2 places, plus 1 copy stored completely offline.
  8. Ensure that you have trusted people who have successfully tested the restore process.
  9. Bear in mind, always: there are no magic bullets against losing your data online. Everybody is ALWAYS at risk.
  10. Consider working with a trusted commercial service. (Veeam is our own choice).

If yours is a micro-business, or a small business with a small online footprint, and in either case nobody but you has access to your network or website, you may opt for a simple backup method. Most hosting services, ecommerce shopping cart applications, and blog platforms either include a backup utility or will install one for you. (There are exceptions; with those, think very carefully about what a complete loss of your data would mean. These vendors will always assure you of their commitment to data security and of their care of your data. But they, like every other user of any part of the Internet, are fully subject to the primary causes of IT security failure listed in my first post and repeated below.)

However it is done, and by whomever, you must have a tested backup of the application that drives your network or website, plus a reasonably frequent backup of your database, presuming a dynamic environment, which yours almost certainly is. Keep your backups current. Having a backup on your website server is handy if you go down for a reason other than the first step of a ransomware attack: you or your IT folks simply restore from the server and move on. Apply the 3-2-1 rule above: 1 backup on your server, 1 backup on your home or office workstation, and 1 on a flash drive that is NEVER left connected to your USB port. Keep enough copies of your prior backups to guard against writing a new backup, which may contain compromising code, over a clean old one. Remember my caveat: there are no magic bullets against losing your data online. Everybody is ALWAYS at risk.
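As an added illustration of rules 4, 7 and 8 and of the caveat about overwriting clean backups (example code written for this page, not the post's or any vendor's): a bash script that writes each backup as a new numbered generation, keeps a fixed number of older generations, checksums every archive, and proves a restore works by extracting into a scratch directory and comparing. It assumes a Linux host with bash, GNU tar, sha256sum and find; the directory paths, the `site-` archive prefix and the KEEP count are placeholders you would set for your own site, and the offline (flash drive) copy still has to be made by hand.

```shell
#!/usr/bin/env bash
# Added example (not from the post): versioned backups that never overwrite an
# earlier generation, keep KEEP generations, checksum each archive, and prove
# the restore works. Assumes Linux with bash, GNU tar, sha256sum and find.
set -euo pipefail

# backup_rotate SRC DEST KEEP -> prints the path of the archive it created.
backup_rotate() {
  local src="$1" dest="$2" keep="$3" last n archive
  mkdir -p "$dest"
  # Next generation number = highest existing number + 1, so a new backup
  # (possibly taken after a break-in) never replaces an older, clean one.
  last=$(find "$dest" -maxdepth 1 -name 'site-*.tar.gz' \
         | sed 's/.*-\([0-9]*\)\.tar\.gz$/\1/' | sort -n | tail -n 1)
  n=$((10#${last:-0} + 1))
  archive="$dest/site-$(date +%Y%m%d)-$(printf '%06d' "$n").tar.gz"
  tar -czf "$archive" -C "$src" .
  # Checksum kept beside the archive; a later mismatch means tampering or bit rot.
  ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
  # Retention: names sort chronologically, so drop everything beyond the newest KEEP.
  find "$dest" -maxdepth 1 -name 'site-*.tar.gz' | sort -r | tail -n +"$((keep + 1))" \
    | while read -r old; do rm -f "$old" "$old.sha256"; done
  echo "$archive"
}

# test_restore ARCHIVE EXPECTED -> 0 if the checksum holds and the restored tree
# matches EXPECTED byte for byte, 1 otherwise (rule 8: actually test the restore).
test_restore() {
  local archive="$1" expected="$2" scratch rc=0
  ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch" || rc=1
  diff -r "$expected" "$scratch" >/dev/null || rc=1
  rm -rf "$scratch"
  return "$rc"
}

# count_generations DEST -> number of archives currently retained.
count_generations() {
  find "$1" -maxdepth 1 -name 'site-*.tar.gz' | wc -l | tr -d ' '
}
```

Run `backup_rotate` from cron against the website folder and a fresh database dump, and run `test_restore` on the newest archive as part of the same job so a silently broken backup is noticed before you need it.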

If yours is an SMB (a small or mid-size business, as generally defined), the backup handling discussed above for a micro-business is NOT sufficient protection against cybercrime, or even against data damaged by less sinister causes. I won’t presume to recommend a backup policy without detailed information on your exposure to unexpected disruptions of your network or website.

My newsletter is intended to raise your awareness of the enormous increase in IT security risk that comes with using the Internet for business, at any size. It is likely that many, and perhaps all, of the risks defined here have been around for some time. What has changed dramatically is awareness of how profitable it is to exploit wildly unprotected data on the Internet. More to come on this, but bad actors range from hugely talented IT techs on the dark web to script kiddies with a laptop in their bedroom.

CIT Secured's list of online threats, curated to those we see as most relevant to a small or mid-sized business:

  • Insider attack: Somebody with access to your network has maliciously or carelessly divulged log-in access credentials.
  • Compromised, privileged upload: Bad software or data has been added to your website or network by design.
  • Trusted software or hardware update breached: An update contained code or links that compromised your installation.
  • A successful phishing attack. Usually, a link in an email to someone with network credentials was clicked.
  • Inattention to system maintenance, especially blog comments or unpatched applications on your network or website.
  • Allowed or unsupervised Internet searches from your business Internet connection, through which unintended malware was installed.
  • Training failures, and backend or server access granted with overly permissive credentials.
  • Remote access poorly secured, or invoked with only rudimentary security precautions.
  • Software is or was misconfigured, usually by accepting default settings.
  • Inadequate backup maintenance, or compromised backups.