Showing results for 
Search instead for 
Did you mean: 

Understand, Plan and Rehearse Ransomware Resilience series - Strategy

Level 1

Today, organizations of all types and sizes face similar problems: defending against ransomware attacks. Ransom attacks are increasing in numbers and sophistication.  Customers have recognized that their current method for the backup and restoration of business data and applications are not ransomware readiness. They must have the capability and the process of ensuring that IT and Cyber Incident Response Teams are well-equipped with the right tools and knowledge to manage a ransomware attack to ensure recover the services to meet the expectations of the business, its customers, and its regulators.

I am writing a series of blogs on the five elements: strategy & organization, policy and process, information security & DR integration, automated flexible recovery architecture to share how to prevent, protect and recover from a cyber security attack and prepare you for ransomware resiliency with effective data protection strategies and plans. And remember rehearsal and follow the best practices!






Ransomware Recovery Strategy and Organization

Understand the difference between normal disasters and cyber attacks, 

Organizations should consider the following steps to define an effective recovery strategy.

  • Enforce Default “2FA Everywhere” strategy across attack surfaces to reduce blast radius of an attack and avoid credential compromise or misuse.
  • Drive Immutability and default enterprise mode during deployments and customer conversations for lockdown Access
  • Remove destructive operations from product maintenance interfaces. 
  •  Implement 2 Person rule while performing destructive operations.


Recovery vs Survival


 Nature disaster like wildfires, hurricanes, and earthquake do real damage. A cyber-disaster like a ransomware attack that encrypts your data or malware is different from a natural disaster. Both can have significant impacts but the restore focuses and approaches are different. 

The traditional disaster recovery is to keep data loss to minimum and get the business online. Cyber recovery is only to run the essential application and maintain minimum data.


Traditional DR

Cyber recovery


Backup Online

Survival – essential for keeping business move


Minimum loss

Maintain the minimum data, applications and infrastructure


Speed and availability

Security and data integrity


Identify Business Critical Functions with MTD


Recovery Time and Recovery Point objectives (RTO and RPO) are traditionally used as goals to frame a conversation for over-all recovery.  

  • Recovery point objective (RPO) is the maximum sustainable data loss based on backup schedules, data needs and system availability.
  • Recovery time objective. This is the amount of time an organization needs to bring critical systems back online. This is where disaster recovery activities typically occur.

Maximum Tolerable Downtime (MTD) is simply how long the key revenue-flow applications can be offline before your organization is filing for insurance payments or even worse, closing the doors. Determine MTD is the REAL objective. MTD brings focus to the critical functions an organization needs to get up and running to avoid a business disaster.

Business function downtime is based on two elements: the systems or technology recovery time objective (RTO) and the people-based work recovery time (WRT). As such, the formula for maximum allowable downtime is the following:

Maximum allowable downtime = RTO + WRT



Orchestrate restore technologies: Based on the MTD and business critical functions, choose the appropriate restore technologies and orchestrate a flexible recovery strategy. 


Awareness, Training and Collaboration


Organizations need to align internal stakeholders and outside experts in advance of a ransomware attack, to make sure all the necessary people are on notice to respond to an attack. 

Below are the roles of the internal teams, they need to get training and work together to understand the priority of data and applications to run the essential business. Understanding the right priority can speed up the restore.

Backup admin is responsible to create and manage protection plans, backup schedules and manage storage. They should work with system admin to understand the data priority and what data, or applications are essential to keep business survive.

Security admin monitor networks for security breaches, invest violations, conduct penetration, report on security breaches, and implement update software to protect information. They don’t know what was being backup

System application admin supports the computing environment of a company and ensures the continuous and optimal performance of its IT services and support systems. Work with Security admin to secure the systems and provide the backup admin the essential data and application to be backed up in WORM storage.

These include external forensics firms, external counsel as well as key executives from human resources, communications, business continuity, business application owners, help desk personnel and others, according to the panel. It is recommended to use Veritas consultants when Ransomware attacks happen.

Organization would benefit with a resiliency project manager and hold tabletop exercises with all key stakeholders involved.


Control and Compliance

Compliance with the relevant ransomware law and regulations is an extremely critical aspect of ransomware response and it should therefore be part of any ransomware readiness program. Different national regulatory bodies may have varying standards and requirements of compliance. Make sure your protection and retention policies are aligned with