For financial services companies, regular data back-ups are about much more than having the ability to recover after a failure or loss. They’re also a vital part of meeting compliance requirements from those of a general nature, such as General Data Protection Regulation (GDPR), to myriad others specific to different aspects and services, such as MiFID II.
By their very nature, financial services companies need to be up and running continuously. Any unplanned breaks in service, due to anything from a ransomware attack, systems failure, or even state-sponsored attacks, simply must be avoided. Financial services companies can’t afford the monetary losses or the reputational damage that would result from downtime of services that allow customers to access their money.
Back-up management and compliance essential
When it comes to compliance, there are requirements for back-ups as well as for live production systems. Consider the GDPR, for example. It requires that organisations must not keep personal data for longer than it is needed, and data must be regularly reviewed to be sure it is still needed. Individuals also have a right to ask for their personal data to be removed, too. How this is done varies from application to application, but ensuring you don’t re-populate an application with data that is no longer required from a back-up is a necessity.
There is also a requirement under GDPR to respond to individuals’ requests within a month [SV1] of them being made. That is a fair period of time, but issues such as ransomware attacks can leave an organisation without access to its complete data for considerable periods, and as we have seen recently, backups are not immune from attack, in fact they are now a focus for certain attack types, especially those stored on a network attached storage device.
Back-up and recovery
In this context, the National Cyber Security Centre [SV2] advises organisations to maintain recent offline back-ups of all their most important files and data. Still, the evidence suggests that not all organisations have the kind of back-up systems in place that will allow data recovery. Sophos surveyed 5,000 IT managers in 26 countries for its The State of Ransomware 2020 [SV3] report. It found that just 56 per cent of organisations undergoing a ransomware attack got their data back via back-ups (26 per cent paid the ransom, 12 per cent used ‘other means’, and 6 per cent didn’t get their data back at all).
The implication in all of this is that the back-up is the tool of last resort. But even in that role, it isn’t necessarily fulfilling its purpose. You could infer from this research that most enterprise back-ups are only able to do the job just over half of the time. But it doesn’t have to be like this, and for financial services companies that really can’t afford downtime whatever its cause, there is a strong argument that back-ups need to assume a much wider role.
Beyond the back-up
It is perfectly possible for a back-up system to analyse the production environment versus the data it holds in order to detect if any major changes have been made that could in turn signify an attack being made. A modern system can also scan VMs for open vulnerabilities even if there is no attack, to ensure threat prevention can take place.
As mentioned, to ensure a payout, cyber criminals are not just attacking the production environment now, but increasingly targeting backup data and infrastructure. This effectively hobbles the “insurance policy” organisations depend upon when disaster strikes. The attackers are often exploiting weaknesses associated with legacy back-up solutions architected before the advent of the ransomware industry. Before encrypting the production environment, sophisticated malware is known to destroy shadow copies and restore-point data. Due to its underlying architecture these malware make legacy back-up infrastructure easy prey rather than a solid defence against ransomware attacks.
It might seem a little strange to suggest that financial services companies reinvent their approach to data management by paying closer attention to their back-ups. But it is time to realise that data back-ups are much more than the ‘necessary evil’ that you create as an insurance policy and file away, never to revisit. Especially if these back-ups sit on legacy infrastructure, architected many years previous.
Since the financial crisis, there has been a wave of regulation with a significant part of it aimed at ensuring banks have sufficient capital and liquidity.
Now, in 2020, back-ups are both a living insurance policy against the times when the worst happens (and in some shape or form it inevitably will), and a part of your data management system that is as relevant to regulatory compliance requirements as your live systems are.
These improvements to modern data management will bring financial services companies and banking systems through the COVID-19-related economic crisis in reasonable shape, and afford themselves a head start for future data-driven innovation. Let’s hope it doesn’t take a specific problem before the community realises this and gets its act together.
Kathryn Ramanathan, ANZ channel and distribution manager, Cohesity
