Cybercriminals would like nothing more than to hold your housing organization’s system and sensitive data hostage.
Their goal is to force you to pay a ransom to regain access and prevent data leaks. Even if you train employees on the signs of common cybersecurity attacks, keep your systems patched, manage access to vital assets, and use the most sophisticated antivirus detection system, the risk of a cybersecurity breach remains.
If cybercriminals breach your system, all isn’t necessarily lost, as long as you have the right backup system in place. Jonathan Hochman, founder of Hochman Consultants, a firm specializing in website development and internet security, sat down with HAI Group to explain how backups work and how housing organizations should approach backing up data.
A backup service provides the ability to recover data you need in the state you need it in. Backups are essential to your organization for more reasons than you might think.
“You have at least three big risks that you can take out by having a good backup for each computer,” Hochman said.
Ransomware/Cyber Breach: If you get ransomware or malware in your system, you can wipe the system and restore everything from backup. While you should never rely on backups alone for cybersecurity, they’re a must-have. Here’s a fictional yet feasible scenario:
An employee at Yada Yada Housing Authority receives what appears to be an email from the housing authority’s executive director asking the employee to download and review a file. There’s a warning that the email came from someone outside of the organization, and the executive director’s email address is slightly different from the real one. Still, the employee isn’t paying attention and clicks the link. Unfortunately, the link delivers ransomware, and the attacker encrypts the housing authority’s systems, rendering them useless unless the ransom is paid. The housing authority is prepared for such an attack. Instead of paying the ransom, which doesn’t guarantee the breach will be resolved, the housing authority wipes the affected systems and restores them from a backup stored on a cloud service. The organization regains access to its systems and can continue operations.
User Error: An employee might accidentally delete an important file or forget to save a file before closing it. If your organization has a backup process in place, the file can be quickly restored. While this scenario isn’t as devastating as a cybersecurity breach, it can save valuable time and effort.
Failure Point: If your hardware experiences any failure, you can rest assured that your files are safe in the cloud and can be restored to new hardware.
In addition to the above, backups can also be helpful during litigation. If you need to prove what data you did or didn’t have at any given time, you can use your backup to recreate your system as of that date.
“It could actually be evidence that’s useful to you,” Hochman said.
There’s no shortage of backup vendors available to your organization, but not all services are created equal. There are several attributes housing organizations should be on the lookout for, Hochman said.
“A good backup is done automatically without human intervention,” Hochman said. “Any system that depends on discipline is inevitably going to break down.”
For example, if an IT employee or consultant who manages the backup process leaves, responsibility may not transfer smoothly.
“Then, suddenly you discover when you have a ransomware attack that your system hasn’t been backed up in nine months,” Hochman said.
Your backed-up data should be offsite and completely disconnected from your system, so it’s not exposed to the same risks as your network. In other words, your backup should be in the cloud (i.e., an internet-based data center).
“That way, if your network is overrun with malware, your backup is not affected,” Hochman said.
Cloud services such as Azure and AWS let you store backup data with no dependency on your own network, so a compromise of that network does not reach the copies. Different people should manage your onsite system and offsite backup.
“One risk you’re backing up against is a disgruntled employee or an employee with malicious intent,” Hochman said. “You have to assume that your head of IT might go rogue and decide to delete every server, and you need to protect yourself against that.”
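To show what “completely disconnected” and “different people” look like as an actual control rather than a habit, here is an added example using AWS, one of the services mentioned above. It is not code from HAI Group or Hochman Consultants. The bucket policy denies every principal except a custodian role, which lives in a separate account that production staff cannot assume, the actions that would delete backups or weaken their protection, while still letting production systems write new backups. The bucket name and role ARNs are hypothetical, and the `is_denied` function is a deliberately simplified model of how an explicit Deny statement matches a request, written for this illustration; it is not AWS’s policy engine.

```python
import json

# Hypothetical identifiers for the example: the backup bucket, a production
# admin role in the production account, and a custodian role in a separate
# account that nobody on the production side can assume.
BACKUP_BUCKET = "arn:aws:s3:::example-housing-backups"
PROD_ADMIN = "arn:aws:iam::111111111111:role/ProductionAdmin"
CUSTODIAN = "arn:aws:iam::222222222222:role/BackupCustodian"

# Actions that delete backups or weaken the protections around them.
DESTRUCTIVE_ACTIONS = [
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration",
    "s3:PutBucketPolicy",
    "s3:BypassGovernanceRetention",
]

# Bucket policy: an explicit Deny for every principal except the custodian role.
# Production may still s3:PutObject, so scheduled backups keep landing.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OnlyCustodianMayDestroyOrWeakenBackups",
            "Effect": "Deny",
            "Principal": "*",
            "Action": DESTRUCTIVE_ACTIONS,
            "Resource": [BACKUP_BUCKET, BACKUP_BUCKET + "/*"],
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": CUSTODIAN}},
        }
    ],
}


def _resource_matches(pattern: str, resource: str) -> bool:
    """Match an exact ARN or a trailing '/*' object wildcard."""
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return resource == pattern


def is_denied(policy: dict, principal_arn: str, action: str, resource: str) -> bool:
    """Simplified check: does any explicit Deny statement match this request?

    Models only what the policy above uses (Effect, an Action list, a Resource
    list, an ArnNotEquals condition on aws:PrincipalArn). This is not AWS's
    evaluator; use it to reason about the policy, then test against the real service.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if action not in statement["Action"]:
            continue
        if not any(_resource_matches(r, resource) for r in statement["Resource"]):
            continue
        exempt = statement.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn")
        if exempt is not None and principal_arn == exempt:
            continue  # the condition excludes this principal from the Deny
        return True
    return False


def policy_document() -> str:
    """The policy as the JSON you would attach to the bucket."""
    return json.dumps(BUCKET_POLICY, indent=2)


if __name__ == "__main__":
    obj = BACKUP_BUCKET + "/2024-06-30/tenant-db.bak"
    print(policy_document())
    print("prod admin delete denied:", is_denied(BUCKET_POLICY, PROD_ADMIN, "s3:DeleteObjectVersion", obj))
    print("custodian delete denied: ", is_denied(BUCKET_POLICY, CUSTODIAN, "s3:DeleteObjectVersion", obj))
    print("prod admin write denied: ", is_denied(BUCKET_POLICY, PROD_ADMIN, "s3:PutObject", obj))
```

An explicit Deny in the bucket policy overrides any Allow the production account grants its own administrators, and because `s3:PutBucketPolicy` is on the list, they cannot remove the policy either. If the provider offers a write-once retention mode (on AWS, S3 Object Lock in compliance mode), enable it as well so that no one, the custodian included, can delete a version before its retention period ends.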
Preferably, the backup is remote and run by a reliable and responsive vendor.
“You want to make sure they’re doing these regular backups,” Hochman said of backup vendors. “Make it part of their contract. You want to have a service level agreement that says in the event of a catastrophic failure, the vendor guarantees to restore your data from backup within a designated timeframe. If you can get that assurance, that’s ideal.”
At the very least, he added, the vendor should commit to responding to any issues within a specific timeframe.
If your backup vendor doesn’t store older versions of your organization’s system long enough, you could find yourself in a predicament. Cybercriminals don’t always make it obvious when they’ve breached a system.
“Your data could be infected, and you may not know about it for some time,” Hochman said.
If a breach occurred 31 days ago and your backup service only stores 30 days of your system’s version history, your backup won’t restore to a clean, breach-free state.
“You want to have at least 90 days worth of backups, and maybe more,” Hochman said.
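The 30-day-versus-31-day problem described above comes down to two numbers the vendor controls: how long snapshots are kept and how often they are taken. The Python below is an added example, not code from the article or from Hochman Consultants. It models a fixed schedule (a constructed, simplified picture of a vendor’s retention) and answers the question you actually have after an incident: given how long the attacker went unnoticed, which retained snapshot is the most recent one taken before the compromise, and how many days of work does restoring to it roll back? The dates are constructed for the example.

```python
from __future__ import annotations

from datetime import date, timedelta
from typing import Optional


def retained_snapshots(today: date, retention_days: int, interval_days: int) -> list[date]:
    """Dates of the snapshots still held under a fixed schedule.

    Constructed model: one snapshot every `interval_days`, and the vendor keeps
    every snapshot that is at most `retention_days` old.
    """
    return [today - timedelta(days=age) for age in range(0, retention_days + 1, interval_days)]


def latest_clean_restore_point(snapshots: list[date], compromise_date: date) -> Optional[date]:
    """Most recent snapshot taken strictly before the compromise, or None.

    A snapshot taken on the compromise date itself is treated as tainted: you
    usually know the day, not the hour, so err on the side of going further back.
    """
    clean = [s for s in snapshots if s < compromise_date]
    return max(clean) if clean else None


def assess_policy(today: date, retention_days: int, interval_days: int, dwell_days: int) -> dict:
    """Given how long the attacker went unnoticed (dwell), what can you roll back to?

    Returns the restore point and how many days of changes the organization
    gives up by restoring to it (None for both if retention is too short).
    """
    compromise = today - timedelta(days=dwell_days)
    restore_point = latest_clean_restore_point(
        retained_snapshots(today, retention_days, interval_days), compromise
    )
    return {
        "compromise_date": compromise,
        "restore_point": restore_point,
        "rollback_days": None if restore_point is None else (today - restore_point).days,
    }


def example_assessments() -> dict:
    """The article's scenario (breached 31 days ago) under three retention policies."""
    today = date(2024, 6, 30)  # constructed date for the example
    policies = {
        "30 days, daily": (30, 1),   # the article's failing case
        "90 days, weekly": (90, 7),  # a clean point exists, at the cost of more rollback
        "90 days, daily": (90, 1),   # clean point one day before the compromise
    }
    results = {}
    for label, (retention, interval) in policies.items():
        r = assess_policy(today, retention, interval, dwell_days=31)
        rp = r["restore_point"]
        results[label] = (rp.isoformat() if rp else None, r["rollback_days"])
    return results


if __name__ == "__main__":
    for label, (restore_point, rollback) in example_assessments().items():
        print(f"{label:16} restore to {restore_point}  rollback {rollback} days")
```

The interval matters almost as much as the window: with weekly snapshots the nearest clean copy may be several days older than the compromise, and every change since then is gone. Whatever numbers the vendor quotes, plug them into this kind of calculation against the dwell times you consider plausible before signing the contract.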
He noted that you don’t necessarily need to back up your system every day during those 90 days. There are also backup solutions on the market that can save a file for its entire lifespan.
“It’s called an incremental backup,” Hochman said. “They just store the base file and back up any changes to the file.”
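Here is what “store the base file and back up any changes” looks like in code: an added example, not the article’s or any vendor’s implementation, of a content-addressed store that splits files into fixed-size chunks, writes each distinct chunk once under its SHA-256 hash, and records a backup version as the list of hashes needed to rebuild it. The chunk size and the sample data are constructed for the illustration. Restoring re-hashes every chunk, so a store that has been corrupted or tampered with fails loudly instead of handing back a bad file.

```python
from __future__ import annotations

import hashlib

CHUNK_SIZE = 1024  # small on purpose so the example is easy to follow


def _chunks(data: bytes):
    """Split data into fixed-size chunks, yielding (sha256_hex, chunk_bytes)."""
    for offset in range(0, len(data), CHUNK_SIZE):
        blob = data[offset:offset + CHUNK_SIZE]
        yield hashlib.sha256(blob).hexdigest(), blob


class IncrementalStore:
    """Content-addressed backup store.

    Each distinct chunk is written once, under its hash; a backup version is
    just the ordered list of chunk hashes needed to rebuild the file. A second
    version that changes one block of a large file therefore costs one chunk.
    """

    def __init__(self) -> None:
        self.chunks: dict[str, bytes] = {}
        self.versions: list[list[str]] = []

    def backup(self, data: bytes) -> int:
        """Record a new version; return how many chunks were actually new."""
        manifest, new = [], 0
        for digest, blob in _chunks(data):
            if digest not in self.chunks:
                self.chunks[digest] = blob
                new += 1
            manifest.append(digest)
        self.versions.append(manifest)
        return new

    def restore(self, version: int) -> bytes:
        """Rebuild a version, re-hashing every chunk so silent corruption or
        tampering in the store is detected instead of restored."""
        out = bytearray()
        for digest in self.versions[version]:
            blob = self.chunks[digest]
            if hashlib.sha256(blob).hexdigest() != digest:
                raise ValueError(f"chunk {digest[:12]} failed integrity check")
            out += blob
        return bytes(out)

    def stored_bytes(self) -> int:
        return sum(len(b) for b in self.chunks.values())


def demo() -> tuple:
    """Constructed data: a 4 KiB file, then the same file with one byte changed."""
    store = IncrementalStore()
    v1 = b"".join(bytes([i]) * CHUNK_SIZE for i in range(4))  # four distinct chunks
    v2 = bytearray(v1)
    v2[1500] ^= 0xFF  # lands in the second chunk
    v2 = bytes(v2)
    new_first = store.backup(v1)   # 4 chunks, all new
    new_second = store.backup(v2)  # only the changed chunk is new
    return new_first, new_second, store.stored_bytes(), store.restore(0) == v1, store.restore(1) == v2


def tamper_detected() -> bool:
    """Overwrite a stored chunk in place and confirm restore refuses it."""
    store = IncrementalStore()
    store.backup(b"x" * (2 * CHUNK_SIZE))
    victim = store.versions[0][0]
    store.chunks[victim] = b"y" * CHUNK_SIZE
    try:
        store.restore(0)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())             # (4, 1, 5120, True, True)
    print(tamper_detected())  # True
```

Two versions of a 4 KiB file occupy 5 KiB rather than 8 KiB, and the saving grows with file size and version count, which is how a vendor can afford to keep a file for its whole lifespan. Real products add variable-size chunking and encryption on top, but the base-plus-changes idea is the same.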
After a cyberattack, you want to restore your system from backup as quickly as possible. How long will that take? That’s precisely what you should ask your backup vendor, Hochman said.
Your backup vendor should be able to provide a restoration estimate based on the amount of data they’re storing. You only need to back up data and settings, Hochman noted. You don’t need to back up operating systems and application files (e.g., Microsoft Windows, Microsoft Office, etc.), which your IT team can reinstall.
“You need to have the actual step-by-step process in place to do a full restore,” Hochman said. “In that moment of panic, you don’t want to be starting your planning. You want to have it all written down.”
If you know ahead of time how long it takes to restore your system, you can plan around that downtime and any potential negative impacts.
A backup of your system isn’t much help if it fails when you need it most. Backup testing isn’t necessarily something your organization has to run itself, but it is something to discuss with your backup vendor.
“You don’t need to test your backups if you have a good vendor who specializes in backups because they test their system all the time,” Hochman said.
A backup service with self-service capability is ideal. It’s common to rely on your backup to recover a mistakenly deleted Word document or Excel spreadsheet.
“There are many times you’ll use it just to grab a handful of files,” Hochman said.
Your IT team should be able to manage this process for your organization.
Whether your organization uses Windows or Mac software on its workstations, you have readily available cloud-based backup solutions at your disposal.
On the Windows side, take advantage of Microsoft OneDrive, said Hochman. For Mac workstations, iCloud (which you’re probably familiar with if you have an iPhone) is a great backup option.
“Every computer eventually gets replaced,” Hochman said. “When you replace your computer, you can erase it and restore the files and data from your backup on the new computer. It makes your migration from an old computer to a new computer very simple.”
For backing up web applications such as your organization’s website, Hochman designed a system called CodeGuard.
“It’s designed for doing automatic backups of web server data, websites, web applications,” he said. “It can back up the code and the database.”
Given the growth in cybercrime, there’s a sense of peace of mind in having a backed-up system.
“When you get attacked by some malware scumbags, and they send you the ransom demand, you can say ‘go to hell, I’ve got backups—I’m going to restore everything, and I don’t need you,'” Hochman said.
But it’s not that simple, unfortunately.
“You don’t want to rely on backups as your only defense against ransomware,” Hochman said. “You should be doing everything you can to stop that because not only will cybercriminals lock up your data; they will also leak your data. The backup is half the problem solved. It still doesn’t stop them from leaking your data. Just because you have backups doesn’t mean you don’t have to worry about other types of network security.”
Often, attacks occur when software isn’t patched or updated to protect against the latest vulnerabilities.
“If you pair your backing up with one other process that will keep you safe, it is automatic application of patches and updates,” Hochman said. “You want to be aggressive about applying updates and patches as soon as they come out. Backing up allows you to do that. If the patch somehow goes wrong and causes problems with your data, you have your backup. A backup allows you to be very aggressive with updating. Being aggressive with updates keeps you safe.”
Regular penetration tests should be conducted on your website, especially if the website is public-facing, accepts login and payment info, and stores any sensitive information. Your in-house IT team or consultant should facilitate these tests.
“As a general rule, if a website hasn’t been tested before, and it’s the first test, the website has vulnerabilities,” Hochman said.
Organizations should be proactive in their approach to cybersecurity. There are costs to hiring vendors and funding security enhancements, but those costs should be considered an investment.
“If you’re not proactive in doing this type of security, inevitably you will be hit, and you will have major expenses responding to a data breach,” Hochman said. “You have a loss of reputation. You have all kinds of problems. It saves money to do this. This is part of the cost of having data systems. You have to pay for good security because it’s the cheapest way to get along.”
Contact our Risk Control and Consulting team for more resources and answers to your housing organization’s risk-related questions.
Interested in Working With HAI Group? Our Account Services team is ready to assist you.
Includes copyrighted material from a company under the HAI Group family, with its permission. This post is for informational purposes only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.