In working with over 1,200 law firms through the years, I have observed that few lawyers really seem to know what’s actually going on with the backup process. Earlier in my career, I was generally fine with that reality; but times have changed. The backup process is now a security process that needs to take center stage and it is the solo and small firm setting that I’m most concerned about. Such firms must make sure their process isn’t something some guy like me might describe as state of the art for 1999 because it’s just too easy to get comfortable with the way it’s always been. Incremental backups, digital tapes, rotate off site, check. I don’t think so. Not good enough anymore and much of it is due to the threat of ransomware.
You’ve got a very serious problem on your hands should your firm’s computer network ever become infected with ransomware. Basically, your data will be encrypted, and then you will be told how much you will need to pay in order to receive the decryption key, which may or may not allow your IT staff to successfully recover all your files. Whether you pay the ransom or not, and I advise not, you are going to need the services of an IT specialist. Understand that there are no guarantees here; she may or may not be able to restore the network.
It’s important to also realize that ransomware can infect your network via multiple channels, many of which involve some form of social engineering. A common attack vector currently looks like this. Someone in your firm is tricked into opening an attachment in an email that purports to be a business document or invoice. That’s all it takes. Once enabled, the malware will start to encrypt your data.
Making matters worse and depending upon the specific family of ransomware you’ve been hit with, the ransomware can replicate itself and spread across an entire network, can scramble the file names of all encrypted files, can run several different encryption programs in a single attack, can identify and erase restore points, can erase all the data on the hard drives, can be programmed to delay executing in order to infect backups, and the list goes on. In short, any IT specialist brought in will have to overcome all kinds of problems in the effort to try and recover anything.
Again, there are no guarantees in terms of having the ability to recover from a ransomware attack. Cybercriminals continually work to improve the effectiveness of their tools. Certain strains of malware can now jump to the cloud, many have been engineered to evade detection by antivirus software, and, as stated above, some can be programmed to delay running. In light of all this, the institution of an effective backup process has become a critical component of an overall defensive strategy against ransomware and other forms of cybercrime.
Best practices today dictate having at least three copies of all your data, utilizing two different media formats and maintaining one backup off site. Think 3, 2, 1. For example, you might utilize two external hard drives and a cloud backup provider. An approach like this would allow you to have access to a copy stored locally in case your internet connection is down, and post-ransomware attack, the cloud backup is sometimes the only good backup available. That said, a few side notes are in order.
1) Since ransomware can map drives and infect everything connected to the network, always disconnect backup drives (e.g. any external USB drives) from the network once the backup process has completed.
2) While cloud backups can be your salvation in the event of a ransomware attack, as with any backup process, sometimes the backup data set becomes corrupted. Thus, having multiple versions of the backup in the cloud is a good idea.
3) Given the rise of time-delayed attacks, maintaining an archive of backups locally or in the cloud would be a prudent step to take. While losing a month or two’s worth of data might be difficult, that’s going to be far better than losing everything.
4) Look for cloud backup providers that allow you to control the encryption key as a way to prevent anyone else from accessing your data.
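For whoever maintains the firm's backups, the 3, 2, 1 rule and the four side notes above can be turned into a repeatable check. The script below is an added example, not something from the original article: the inventory fields, the sample inventories, and the 60-day archive threshold (standing in for "a month or two") are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Copy:
    name: str
    media: str                    # e.g. "external-disk", "cloud"
    offsite: bool
    attached: bool                # local drive still plugged in or mapped after the backup run
    versions: list = field(default_factory=list)  # dates of retained backup versions
    firm_holds_key: bool = False  # cloud only: the firm controls the encryption key

def audit(copies, today, archive_days=60):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append("3-2-1: fewer than three copies")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: fewer than two media formats")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no off-site copy")
    for c in copies:
        if not c.offsite and c.attached:
            findings.append(f"note 1: {c.name} is still connected")
        if c.media == "cloud" and len(c.versions) < 2:
            findings.append(f"note 2: {c.name} keeps a single version")
        if c.media == "cloud" and not c.firm_holds_key:
            findings.append(f"note 4: {c.name} key is held by the provider")
    # Note 3: a time-delayed infection can taint recent backups, so at least
    # one retained version should predate the assumed archive window.
    oldest = min((v for c in copies for v in c.versions), default=None)
    if oldest is None or (today - oldest).days < archive_days:
        findings.append(f"note 3: no version older than {archive_days} days")
    return findings

# Constructed sample inventories (not real data).
TODAY = date(2024, 6, 1)
GOOD = [
    Copy("usb-A", "external-disk", False, False, [date(2024, 5, 31)]),
    Copy("usb-B", "external-disk", False, False, [date(2024, 5, 24)]),
    Copy("cloud", "cloud", True, False,
         [date(2024, 3, 1), date(2024, 5, 1), date(2024, 5, 31)], True),
]
WEAK = [
    Copy("usb-A", "external-disk", False, True, [date(2024, 5, 31)]),
    Copy("cloud", "cloud", True, False, [date(2024, 5, 31)], False),
]

if __name__ == "__main__":
    for label, inventory in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit(inventory, TODAY) or "all checks passed")
```
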
Even with a well-designed backup process in play, the best defense to threats such as ransomware is an effective offense because, and for the last time, there are no guarantees that a full recovery is going to be possible. Often, it’s not. So, in addition to instituting a backup process along the lines presented above, every firm regardless of size should prioritize mandatory ongoing training for all staff and attorneys. The training should focus on social engineering awareness to include presenting real-world examples that not only demonstrate how these types of attacks continue to evolve but also provide tips on how to spot them. Finding quality training like this, however, can be a bit of a challenge for some. To help with this, consider working with a security company like KnowBe4, whose entire focus is geared toward this kind of training. When you stop to think about what’s really at stake, such training should no longer be optional.