In late 2016, Los Angeles Valley College paid a record $28,000 to hackers who had frozen the college’s data and information systems with a ransomware program that locked all users out of their files and shut down all internal operations. The college’s president explained that the decision to make the payment was driven in large part by a fear that all of its data would be lost forever if the ransom was not paid.
By one estimate, data losses cost businesses at least $1.7 trillion annually. A substantial portion of that amount could be saved if businesses instituted a regular program of backing up their data onto standalone servers and devices that are not connected to any networks. In that vein, cloud data storage can improve data security, but it is not synonymous with data backup. Cloud storage systems are susceptible to cyberattacks and server failures, and some risk of loss is always present with current cloud technology.
Redundancy is a commonly cited parallel strategy to regular data backups. Experts recommend that an organization maintain at least three copies of its data and utilize at least two different types of media for backup data storage. At least one of those copies should be maintained at a location away from an organization’s main network server facilities.
Restoring data from a backup system is generally a last resort because it can be time-consuming and disruptive. To avoid this disruption, an organization might extend its redundancy strategy to include redundant servers. A redundant server is generally kept offline until a primary server fails or is infected, in which event the backup server can be brought up as a replacement with a set of data replicated from an earlier time. Some data might still be lost with this strategy, but an organization will save significant downtime with server redundancy.
Formulating a backup strategy will force an organization to answer two questions: which of its files should it back up, and how often should it implement a backup routine. Backing up every single file on an organization’s internal network may not be feasible, practical, or cost-effective. Still, an organization might opt to do a global file backup rather than devoting scarce resources to distinguish critical files from less important material.
With respect to frequency, files should be backed up at least daily to avoid losses of data that originated on any given day. Data recovery from a backup system will not include any changes that were made to files between the most recent backup and a ransomware attack, for example, and some data may not be recoverable in the process.
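The following Python example, added here and not part of the original article, audits a constructed backup inventory against the recommendations above: at least three copies, two media types, one off-site copy, one standalone copy, and a backup at least daily. The class, field, and function names are hypothetical, and the loss-window calculation assumes that an attack reaches every networked copy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:          # hypothetical inventory record, one per copy of the data
    name: str
    media: str             # e.g. "disk", "tape", "cloud"
    offsite: bool          # kept away from the main server facility
    networked: bool        # reachable from the production network
    last_run: datetime     # when this copy was last written
    primary: bool = False  # True for the live production copy

def audit(copies, now, max_age=timedelta(days=1)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data, need at least 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies use the same media type, need at least 2")
    if not any(c.offsite for c in copies):
        findings.append("no copy is stored off-site")
    if all(c.networked for c in copies):
        findings.append("no standalone copy: every copy is network-reachable")
    for c in copies:
        if not c.primary and now - c.last_run > max_age:
            findings.append(f"{c.name}: last backup is older than {max_age}")
    return findings

def loss_window(copies, incident):
    """Span of changes lost when restoring from the freshest standalone backup.
    Assumption: the attack reaches every networked copy. None if nothing survives."""
    usable = [c.last_run for c in copies
              if not c.primary and not c.networked and c.last_run <= incident]
    return incident - max(usable) if usable else None

# Constructed sample inventory (not real data).
NOW = datetime(2024, 1, 10, 9, 0)
SAMPLE = [
    BackupCopy("prod-fileserver", "disk", False, True, NOW, primary=True),
    BackupCopy("nas-snapshot", "disk", False, True, NOW - timedelta(hours=6)),
    BackupCopy("cloud-bucket", "cloud", True, True, NOW - timedelta(hours=30)),
]
# Same inventory with a standalone, off-site tape copy added.
FIXED = SAMPLE + [BackupCopy("tape-vault", "tape", True, False, NOW - timedelta(hours=20))]

if __name__ == "__main__":
    for label, inv in (("SAMPLE", SAMPLE), ("FIXED", FIXED)):
        print(label, audit(inv, NOW), "loss window:", loss_window(inv, NOW))
```

The first inventory meets the three-copy, two-media, and off-site counts yet still has no copy that would survive an attack on the network, which is why the loss window is reported as unrecoverable rather than as a number of hours.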
News reports about the ransomware attack on Los Angeles Valley College did not reveal whether the college maintained any backup systems that it could have used to recover its frozen data. Those reports did state that the college carried cyber liability insurance, which made it possible for the college to pay the ransom demanded by the hackers to release its data. Insurance that provides data breach protection is not a substitute for a good data backup strategy, but it should be a key component in every organization’s broader cyber protection strategy.
Cyber liability insurance makes resources available to procure new servers and systems that are damaged in a cyberattack. An organization that loses customer data may face financial liabilities, fines, and penalties as a result of its failure to adequately protect that data. The magnitude of those financial losses can mean the death of a small business. Cyber liability insurance can keep the business in operation while allowing it to maintain solid relationships with its customers and clients.