Over the past several years, governments, businesses, research centers and hospitals dealt with ransomware and data exfiltration in two ways: paying ransoms, or attempting to restore their systems and information through traditional disaster recovery approaches. The first approach is painful, and the second often doesn't work because traditional methods aren't architected for resilience of this sort.

Let’s get nerdy and talk about the appropriate way to defeat ransomware.

One of the first challenges is that rebuilding the traditional way can actually help threat actors, because it's likely that the threats are also lurking in the backup. Thus, as organizations attempt to recover from ransomware using traditional disaster recovery “backup and restore” processes, they are likely re-introducing the threat—even for recoveries that reach back six to eight weeks.

This can lead to the false confidence that comes from relying on compliance-driven resilience. Not good.

Move away from compliance-driven resiliency

Unfortunately, business impact assessments done via surveys rarely provide the three main things necessary for architecting any true recovery: recovery time objective, recovery point objective and inventory. Survey-driven impact assessments usually portray a process’s value to the organization, rather than measuring the real recovery objectives. This may produce poor or outdated impact assessments, which in turn lead to poorly constructed recovery approaches. Add in issues related to data and you have the perception of confidence as opposed to real capabilities. The lesson: Compliance-driven resiliency rarely works. Business-driven resiliency does.   
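The two problems above (backups that reach back into the intruder's dwell time, and plans that never state real RTO/RPO/inventory numbers) can be checked against an actual backup inventory. The following is an added example, not code from the article or from Accenture; the systems, retention periods, the 49-day dwell time and the objectives are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Snapshot:
    system: str          # inventory item the restore point covers
    taken_at: datetime   # when the restore point was created
    verified: bool       # restored in isolation and checked before being trusted

@dataclass(frozen=True)
class Objectives:
    rto: timedelta       # maximum tolerable time until the system is back in service
    rpo: timedelta       # maximum tolerable data loss, measured back from the incident

def last_clean_snapshot(snapshots, system, first_seen):
    """Latest verified snapshot created strictly before the earliest evidence of
    intrusion; anything taken later may carry the attacker's foothold."""
    clean = [s for s in snapshots
             if s.system == system and s.verified and s.taken_at < first_seen]
    return max(clean, key=lambda s: s.taken_at, default=None)

def assess(snapshots, system, first_seen, incident, objectives, rebuild_time):
    """Compare what the backup set can actually deliver with the declared objectives."""
    snap = last_clean_snapshot(snapshots, system, first_seen)
    data_loss = None if snap is None else incident - snap.taken_at
    return {
        "system": system,
        "restorable": snap is not None,
        "data_loss_days": None if data_loss is None else data_loss.days,
        "rpo_met": data_loss is not None and data_loss <= objectives.rpo,
        "rto_met": rebuild_time <= objectives.rto,
    }

# Constructed scenario: incident detected 1 March 2021, intrusion traced back 49 days
INCIDENT = datetime(2021, 3, 1)
FIRST_SEEN = INCIDENT - timedelta(days=49)

def backups_every(system, period, count):
    """Constructed inventory: `count` verified snapshots spaced `period` apart."""
    return [Snapshot(system, INCIDENT - period * k, True) for k in range(count)]

INVENTORY = (backups_every("erp", timedelta(days=7), 13)         # weekly, 90-day retention
             + backups_every("lab-data", timedelta(days=1), 30))  # daily, 30-day retention
OBJECTIVES = Objectives(rto=timedelta(hours=24), rpo=timedelta(hours=24))

def assess_all(rebuild_time=timedelta(hours=8)):
    """Run the assessment for every system in the constructed inventory."""
    return {s: assess(INVENTORY, s, FIRST_SEEN, INCIDENT, OBJECTIVES, rebuild_time)
            for s in ("erp", "lab-data")}

if __name__ == "__main__":
    for result in assess_all().values():
        print(result)
```

The ERP system has a clean restore point but loses 56 days of data against a 24-hour RPO, and the 30-day lab-data retention has no restore point that predates the intrusion at all; a survey-based assessment would have reported both as "backed up".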

Data integrity: Encryption and access

Industries that have significant data integrity requirements such as healthcare, pharmaceuticals and food are concerned with data manipulation or even worse, that their data may be taken hostage and sold at auction. Encrypting and using additional cybersecurity controls in production data can help alleviate risks around data hostage situations or manipulation, but these controls should be in place as part of recovery itself, which would increase the infrastructure recovery time objective. Even worse, when the system providing additional cybersecurity controls is breached, it can then actually become a barrier to recovery.

Rethinking the overall approach

Ransomware resiliency and data integrity require a whole new approach to disaster recovery, one that elevates the importance of protecting data across people, processes, and technology—with no silos. This is because no single technology or “thing to plug in” can solve ransomware; nor can any amount of money protect against it.

Rebuild: A new no-silo approach

Accenture has developed a new approach we call 'Ransomware Resilience.' It combines the benefits of on-premises ownership (immediate response) and the scalability, performance and security of cloud. We've also stopped focusing on secure backups and restoration as a part of recovery and instead are focusing on a new approach that rearchitects, strengthens and fortifies the entire environment.

In our experience, this helps organizations avoid paying ransoms, rebuild, and get back into business much faster. We've helped clients restore within hours* with this new approach. Clients love it, since it's more reasonable to rebuild than to figure out how to send Bitcoins and/or file reimbursement claims with a cyber insurance provider.

As a community, we should merge incident response, data security, digital identity, network security and disaster recovery to be able to quickly rebuild after a ransomware attack. Whether we call this approach “Disaster Recovery 2.0” or Ransomware Resilience, the time has come to think about data and to architect better.

Actually, that time came about four years ago with Bitcoin; it's time to get moving. I like ransomware resilience myself.

*Rebuild timeframe is dependent upon individual client risk tolerance, industry, rebuild architecture, project scope and resources.


Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.

Rouzbeh Hashemi

Senior Manager
