A Core Part of Cybersecurity Are Backups and Resilience


While banks may have 24x7 SOC (Security Operations Centre) support, there are other companies that do not quite have the same support for their IT infrastructure, especially around holiday periods.

Within the last year, two car dealers have been hacked: Pendragon and Holdcroft Motor Group. In Oct 2022, Pendragon was faced with a $60 million ransom demand [here], while Holdcroft’s systems were beyond repair after a ransomware attack [here]. Now, Arnold Clark is reported to have faced a serious cyber attack before Christmas:

In response to a suspected attack, the company cut off access to the Internet, and it is currently trying to re-establish connections to its dealerships and other parties. A report from the company is:

Some news sources are reporting that files were deleted, but this has not been confirmed yet.

Hopefully, everything will be back up and running soon, and the company’s business will not be seriously affected. It should be remembered that an attack around a holiday break is just as likely as at any other time, so make sure your company has plans for an emergency response when key staff are on leave.

Overall, these attacks are a lesson in keeping good backups and knowing how quickly you can recover all your data. Every CEO should be able to state the number of hours, days or weeks it will take to completely rebuild the IT infrastructure, and the likelihood of data being lost in the recovery process.

Remember, too, to have at least one warm backup (on different storage media, such as in the Cloud and on disk) and a cold backup (along with a glacier one) … and take snapshots on a regular basis, script your rebuild, and test it continually. In AWS, for example, when you take a snapshot you only pay for the difference between one snapshot and the next, and you can delete intermediate snapshots (AWS moves any data from the deleted snapshot that is still referenced into the neighbouring snapshot, so nothing is lost).
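To make the snapshot economics concrete, here is an added example (constructed for this article, not the AWS EBS implementation or any AWS API) that models a chain of incremental snapshots of a block volume: each snapshot stores only the blocks that changed since the previous one, restoring any snapshot replays the chain, and deleting an intermediate snapshot moves the blocks a later snapshot still depends on forward into that next snapshot rather than discarding them. The snapshot names and block contents are made-up sample data.

```python
"""Model of incremental (differencing) snapshots of a block volume.

Constructed illustration for this article; it is not the AWS EBS implementation.
Each snapshot records only the blocks that changed since the previous snapshot,
so storage (what you are billed for) is the sum of the deltas. Deleting an
intermediate snapshot keeps every block a later snapshot still depends on by
moving it into the next surviving snapshot, so every remaining snapshot still
restores to a complete, correct image.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Snapshot:
    name: str
    # block index -> data; only the blocks this snapshot owns (the delta)
    blocks: dict[int, bytes] = field(default_factory=dict)


class SnapshotChain:
    def __init__(self) -> None:
        self.snapshots: list[Snapshot] = []

    def take(self, name: str, volume: dict[int, bytes]) -> Snapshot:
        """Store only the blocks that differ from the latest restorable image."""
        previous = self.restore(self.snapshots[-1].name) if self.snapshots else {}
        delta = {i: data for i, data in volume.items() if previous.get(i) != data}
        snap = Snapshot(name, delta)
        self.snapshots.append(snap)
        return snap

    def restore(self, name: str) -> dict[int, bytes]:
        """Rebuild the full volume image as of `name` by replaying the chain in order."""
        image: dict[int, bytes] = {}
        for snap in self.snapshots:
            image.update(snap.blocks)
            if snap.name == name:
                return image
        raise KeyError(name)

    def delete(self, name: str) -> None:
        """Remove a snapshot; blocks a later snapshot still needs move into it."""
        idx = next(i for i, s in enumerate(self.snapshots) if s.name == name)
        victim = self.snapshots.pop(idx)
        if idx < len(self.snapshots):
            successor = self.snapshots[idx]
            for i, data in victim.blocks.items():
                # If the successor already overwrote the block, the old copy is
                # no longer referenced and can be dropped; otherwise carry it forward.
                successor.blocks.setdefault(i, data)

    def stored_blocks(self) -> int:
        """Total blocks held across the chain: the billable storage."""
        return sum(len(s.blocks) for s in self.snapshots)


def demo() -> dict[str, object]:
    """Three daily snapshots, then delete the middle one and verify restores."""
    chain = SnapshotChain()
    volume = {0: b"boot", 1: b"data-v1", 2: b"log-1"}  # constructed sample volume
    chain.take("day1", volume)                          # 3 blocks stored
    volume[1], volume[2] = b"data-v2", b"log-2"
    chain.take("day2", volume)                          # +2 blocks
    volume[1] = b"data-v3"
    chain.take("day3", volume)                          # +1 block
    before = chain.stored_blocks()                      # 6
    day1_image = chain.restore("day1")
    chain.delete("day2")                                # log-2 moves to day3, data-v2 is dropped
    after = chain.stored_blocks()                       # 5
    return {
        "before": before,
        "after": after,
        "day3_ok": chain.restore("day3") == volume,
        "day1_ok": chain.restore("day1") == day1_image,
        "remaining": [s.name for s in chain.snapshots],
    }


if __name__ == "__main__":
    print(demo())
```

The `stored_blocks` count before and after the delete is the quantity that drives the bill, and the two `*_ok` checks are the test that matters for resilience: after pruning, every snapshot you kept must still restore to exactly the image it captured.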

And a playbook needs to be run in a non-production environment and fully tested. If possible, have at least three running systems: full production, development, and security testing. The security testing environment is the place to run playbooks and investigate response procedures. Running a playbook of an attack may destroy that infrastructure, which can then be rebuilt (in order to rehearse the rebuild process for full production).

If you can afford immutable storage, then use it, as this will stop someone from deleting all your files along with the transaction log. A well-maintained GitHub repository can also help with version control and with recovering previous versions. Overall, this should all be rehearsed and continually tested.
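An added example (constructed for this article, not the S3 API or any vendor's object-lock implementation) of the two properties the paragraph relies on, versioning and write-once retention: every write creates a new version instead of replacing the old one, a plain delete only hides the object, and a version cannot be permanently removed until its retention period has passed. The `demo_recovery` function walks a constructed scenario in which a file is overwritten with garbage and then deleted, and shows that the original version is still recoverable; the file name, contents and dates are made up, and the injectable `now` clock exists only so the retention window can be tested without waiting.

```python
"""Model of a versioned object store with write-once retention (object lock).

Constructed illustration for this article; it is not the S3 API. Writes never
replace data: they append a new version. A plain delete only hides the key
(a delete marker). Permanently deleting a version is refused until that
version's retention period has expired.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


class RetentionError(PermissionError):
    """Raised when a permanent delete would violate the retention policy."""


@dataclass
class Version:
    version_id: int
    data: bytes
    created: datetime
    locked_until: datetime


class ImmutableStore:
    def __init__(self, retention: timedelta, now: Callable[[], datetime] | None = None) -> None:
        self.retention = retention
        self.now = now or (lambda: datetime.now(timezone.utc))
        self._objects: dict[str, list[Version]] = {}
        self._deleted: set[str] = set()   # keys hidden by a delete marker
        self._next_id = 1

    def put(self, key: str, data: bytes) -> int:
        """Append a new version; earlier versions are untouched."""
        t = self.now()
        v = Version(self._next_id, data, t, t + self.retention)
        self._next_id += 1
        self._objects.setdefault(key, []).append(v)
        self._deleted.discard(key)          # a new write reinstates the key
        return v.version_id

    def get(self, key: str, version_id: int | None = None) -> bytes:
        """Latest visible version by default, or one explicit version by id."""
        versions = self._objects.get(key, [])
        if version_id is None:
            if key in self._deleted or not versions:
                raise KeyError(key)
            return versions[-1].data
        for v in versions:
            if v.version_id == version_id:
                return v.data
        raise KeyError((key, version_id))

    def delete(self, key: str) -> None:
        """A plain delete only places a marker; every version stays on disk."""
        if key not in self._objects:
            raise KeyError(key)
        self._deleted.add(key)

    def undelete(self, key: str) -> None:
        """Remove the delete marker so the latest version is visible again."""
        self._deleted.discard(key)

    def delete_version(self, key: str, version_id: int) -> None:
        """Permanent delete of one version; refused while it is under retention."""
        for v in self._objects.get(key, []):
            if v.version_id == version_id:
                if self.now() < v.locked_until:
                    raise RetentionError(
                        f"{key} v{version_id} is locked until {v.locked_until.isoformat()}"
                    )
                self._objects[key].remove(v)
                return
        raise KeyError((key, version_id))

    def versions(self, key: str) -> list[int]:
        return [v.version_id for v in self._objects.get(key, [])]


class FakeClock:
    """Controllable clock so the retention window can be exercised in a test."""

    def __init__(self, start: datetime) -> None:
        self.current = start

    def now(self) -> datetime:
        return self.current

    def advance(self, delta: timedelta) -> None:
        self.current += delta


def demo_recovery() -> dict[str, object]:
    """Overwrite-and-delete scenario: the good version survives and is locked."""
    clock = FakeClock(datetime(2023, 1, 2, tzinfo=timezone.utc))   # constructed date
    store = ImmutableStore(retention=timedelta(days=30), now=clock.now)
    good = store.put("ledger.db", b"good transactions")              # constructed file
    store.put("ledger.db", b"\x00\x00garbage")                       # destructive overwrite
    store.delete("ledger.db")                                        # then a delete
    hidden = False
    try:
        store.get("ledger.db")
    except KeyError:
        hidden = True
    try:
        store.delete_version("ledger.db", good)                      # attempt to wipe history
        lock_held = False
    except RetentionError:
        lock_held = True
    recovered = store.get("ledger.db", good)                         # recover from the old version
    clock.advance(timedelta(days=31))
    store.delete_version("ledger.db", good)                          # allowed only after retention
    return {
        "hidden_after_delete": hidden,
        "lock_held": lock_held,
        "recovered": recovered,
        "versions_after_expiry": store.versions("ledger.db"),
    }


if __name__ == "__main__":
    print(demo_recovery())
```

The design point is that the delete path that day-to-day tooling uses never touches stored data, and the only path that does is gated on a clock the storage service, not the caller, controls; that is what turns "someone deleted everything" into "someone placed delete markers we can remove".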

And remember, dealing with a system rebuild is often far less serious than dealing with a breach of customer data. So make sure you encrypt customer data, and that there is multifactor authentication and logging of access to key parts of the system.