Incidents that have been made public about ransomware have garnered a great deal of attention – from the general public, company executives, and from those charged with protecting and recovering from attacks. Products used in Information Technology have been improved or newly developed to address some different aspects regarding ransomware. And, as would be expected, vendor marketing has highlighted characteristics for their products that would seem to be relevant.
Based on our experience at the Evaluator Group with our clients and other affected companies, one thing that has become very apparent with ransomware is that IT needs to understand the data they are responsible for protecting and making available for legitimate use. Understanding of the data is more complicated than many would think. Some of this understanding is a need to know:
- What is the profile for the data (usage, owner, priorities)? This seems simple but it involves knowing where data is stored, what are the different pieces (related elements) that are considered to be a set, and whether there are successive generations of data as part of its usage.
- Which applications use the data? This may be more than one application in some more complicated operational environments.
- What is the value of the data? Not all data has the same value. This can make a big difference in the sequence of the recovery of ransomware or even a disaster. The valuable or crucial data gets recovered first – setting the Recovery Time Objective by the value of the data.
- What attributes of the data determine the decisions about recovery? This could be related to how much does it change over time which would affect the recovery point and the sequence for recovery. Other attributes might be in regard to some dependencies for use affecting the recovery and other specific cases. There may be a number of factors to understand regarding use and availability of data.
Key individuals in IT who understand the data must be included in a ransomware response plan. This understanding is typically learned from experience with applications and normal processes of storing, protecting, and making the data available. These individuals:
- Are highly valuable to organizations,
- Really are information asset managers,
- Must be included in any strategy for ransomware recovery,
- Need tools to be more effective and to enable others to gain similar knowledge and proficiency.
Lessons learned from working through precipitous events are hard-earned. Needing to understand the data is one of those lessons required for recovering from ransomware in a timely manner.