Cybersecurity Basics: The importance of reliable and tested data backups
June 10, 2016
At a recent cybersecurity breakfast hosted by BOMA/NY (Building Owners and Managers Association of NY), panelists Todd Januzzi, CIO of Paramount Group; the FBI’s SSA Albert Murray; and Raj Goel, CISSP, CEO of Brainlink, discussed “How Vulnerable Are Your Building & Company Operations?”
Throughout the event, the panelists covered a range of relevant cybersecurity topics, ending with a discussion of the importance of security testing and how to combat ransomware.
On the vitally important practice of backing up files, Raj spoke about the equally necessary process of testing how effective and how timely the restore operation is.
“First off, conduct a desktop exercise,” said Raj. “Create a couple of dummy files with no valuable data, then delete them. How fast can IT restore it? Pull the plugs in your critical systems. Schedule a weekday or a weekend to do this as part of your annual risk management exercise and literally turn it off. Do you have an instruction for turning it back on?”
With more than 25 years’ experience in the IT industry, Raj explained that businesses often have what seem to be reliable business continuity and disaster recovery measures, but have never tested how quickly they can get their business running again after an emergency.
“What we find in more and more organizations, and this is across industries, is people don’t even have the basic steps necessary to turn something off and turn it back on,” said Raj. “If nothing else, turn it off, see how fast you can turn it back on again and in what order. That’s the other thing we find most people don’t know, is if they lose power right now — it’s happened in Sandy — what is the right order for turning things back on so they don’t make things worse? Most people don’t have that documented.”
Albert followed this up by explaining how the available resources (many of which are provided online by the FBI) can be very helpful in developing effective business continuity.
“We don’t really give specific plans but the biggest takeaway is to make sure you have a plan and have tested that plan like Raj said here earlier,” added Albert. “Just take the basic steps, make sure you have the patching of your systems, and make sure you have updated software.”
As the discussion moved toward ransomware and other threats to businesses today, Todd spoke about how to properly budget for security.
“Cybersecurity scares people, it scares the board and public companies,” said Todd. “When I need money for cybersecurity it’s usually not a question because it’s so vital to a company, but what I try to do is take 25% of my budget and earmark that for cybersecurity. There’s a lot of cyber security people out there now pitching and trying to make money. It’s a big business right now.”
When it comes to how to invest that money, the panel agreed that the best defense against ransomware, other types of malware, and similar cybersecurity threats is a robust data backup contingency.
“We practice onsite and offsite, and multiple stage backups; by the time the client notices the attacks, yes, all the files are encrypted, and some of the onsite backups are also encrypted and we ended up with data recovered from them off the cloud because we’re not just keeping one copy of it,” explained Raj. “Depending on the client and the risk threshold we’re keeping 5 to 20 copies of the data. In all three incidents, we have 100% recovery.”
The major recommendations imparted by the panel included:
- Make a considerable investment in a comprehensive backup and data recovery solution.
- Test your backup and cybersecurity measures thoroughly and regularly.
- Be sure to make the most of available resources (both provided online and through expert IT consultants) to ensure that you’re not overlooking vulnerabilities in your IT security methodology.
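The desktop exercise Raj describes (create dummy files, delete them, see how fast IT restores them) can be scripted so the result is measured rather than estimated. The following is an added example, not something presented by the panel; the function names and the `restore-drill-N.bin` file naming are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from pathlib import Path


def plant_canaries(directory, count=3, size=4096):
    """Write dummy files of random bytes; return a manifest of their SHA-256 digests."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    files = {}
    for i in range(count):
        data = secrets.token_bytes(size)  # random, so a stale or empty copy cannot match
        name = f"restore-drill-{i}.bin"   # hypothetical naming scheme
        (directory / name).write_bytes(data)
        files[name] = hashlib.sha256(data).hexdigest()
    return {"planted_at": time.time(), "files": files}


def delete_canaries(directory, manifest):
    """Delete the dummy files (after a backup cycle has run) and start the clock."""
    for name in manifest["files"]:
        (Path(directory) / name).unlink()
    manifest["deleted_at"] = time.time()
    return manifest


def verify_restore(directory, manifest, now=None):
    """Check what IT restored: present, byte-identical, and how long it took."""
    now = time.time() if now is None else now
    report = {"restored": [], "missing": [], "corrupt": []}
    for name, digest in manifest["files"].items():
        path = Path(directory) / name
        if not path.is_file():
            report["missing"].append(name)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            report["corrupt"].append(name)
        else:
            report["restored"].append(name)
    report["seconds_since_delete"] = now - manifest["deleted_at"]
    report["passed"] = not report["missing"] and not report["corrupt"]
    return report
```

Keep the manifest somewhere outside the directory being backed up, and let at least one scheduled backup run between planting and deleting, otherwise the drill only tests files the backup never saw.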