If cyber crime pays, shouldn’t you pay for disaster recovery?

TechHQ talks to Cohesity CSO Brian Spanswick, about how cybersecurity investment is becoming easier to extract, and why that's increasingly the case.
26 November 2021


Crime pays. If it didn’t, there would be no crime. Cybercrime is no different from any other form of crime, except that hacking groups and individuals run very little risk of getting caught. That means there is no incentive for them to stop extorting money from badly protected or unprotected organizations. As potential victims, we can do more than protect ourselves: we can get more sophisticated about how we think about cyberdefense, and about the point at which recovery from backup, and the RPO (recovery point objective) it achieves, becomes the thing that matters.

The increasing need to be more sophisticated stems from the fact that hacking has become a great deal more established. As Brian Spanswick, the CISO of Cohesity, said recently in an exclusive interview with TechHQ, “[Bad actors] are just getting more and more sophisticated and better funded. And we see them running like businesses, which is really, really crazy! We’re seeing examples where they’re actually recruiting kids – students out of college – and they’re paying them salaries, and they’re taking money and reinvesting in their tools.”

We often hear that tools which make ransomware attacks easier are readily accessible, and in some ways they always have been: the methods and tools defenders use to test their own systems (Metasploit, Maltego, Burp Suite, et al.) work just as well for bad ends as for good. We also often hear the phrase “hacking-as-a-service.” That may be an oversimplification, Spanswick said, but he added, “It’s no longer just a guy trying to figure out stuff in his room, there are actually tools out there that [he] can subscribe to that [he] can utilize.”

If that’s the case, there is more than a grain of truth in another oft-repeated piece of media hype: it’s not if you’re attacked, it’s when. So protection is very important, and the nature of protection has to evolve in line with the evolution of the tools used to attack. But, Spanswick said, the balance of investment has to shift in line with that “not if but when” statement.

“Yes, you should have those employee protections in place, you should have an aggressive patching program, you should have network segmentation, where it’s possible, all those things are going to help you in a ransomware situation. But all of those things are protection controls. We need to be as aggressive with the controls that minimize the impact.

“How quickly can I recover from backup? How aggressive is my recovery point that I’m recovering from?” mused Spanswick. “Those two attributes significantly impact if my defenses fail.”

Coming to grips with RPO and RTO

Selling the message of cybersecurity’s costs has perhaps got easier. “Back five years ago, the board thought of [cybersecurity] as a compliance program. And that’s not very sexy to invest in. [Now] it’s easier to sell it up the food chain, with these really public ransomware attacks like Colonial Pipeline, it’s scaring these boards to their core.”

That’s not to say that the company CISO gets access to bottomless resources to protect the company and provide suitable backups and failover facilities. In practical terms, Brian told us, “The trick is to balance the cost with how aggressive you could be on those RPO targets.”

According to Druva’s glossary, “Recovery point objective (RPO) is defined as the maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization. An RPO determines the maximum age of the data or files in backup storage needed to be able to meet the objective specified by the RPO, should a network or computer system failure occur.”

Aggressive RPO and RTO (recovery time objective) targets might be primary business metrics, but depending on where an organization is based, statutory targets also have to be hit. And while that might be another deeply unsexy topic to discuss, it’s certainly one that should be of major concern at the board level. Cybersecurity is, after all, now part of the larger political discourse at the highest levels.
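To make the two metrics concrete, here is an added example (it is not the article’s or Cohesity’s code) that scores a ransomware recovery against RPO and RTO targets. The snapshot timestamps, incident times and integrity-check results are constructed for illustration. What it shows beyond the glossary definition: after ransomware, the usable restore point is the newest *clean* snapshot, not the newest snapshot, so the RPO you actually achieve depends on how long the attacker was encrypting before anyone noticed, not only on how often you take snapshots.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from the article: hourly snapshots of one
# file server on the day of a ransomware incident. The boolean records whether a
# post-incident integrity check found the snapshot free of encrypted files.
# Encryption started at about 07:30, so every later snapshot is poisoned.
SNAPSHOTS = [
    ("2021-11-25T00:00:00", True),
    ("2021-11-25T01:00:00", True),
    ("2021-11-25T02:00:00", True),
    ("2021-11-25T03:00:00", True),
    ("2021-11-25T04:00:00", True),
    ("2021-11-25T05:00:00", True),
    ("2021-11-25T06:00:00", True),
    ("2021-11-25T07:00:00", True),
    ("2021-11-25T08:00:00", False),
    ("2021-11-25T09:00:00", False),
    ("2021-11-25T10:00:00", False),
]


def last_clean_snapshot(snapshots, detected_at):
    """Newest snapshot taken at or before detection that passed the integrity check.

    Restoring a poisoned snapshot just re-deploys the attacker's encrypted files,
    so the usable restore point is the newest clean one, not the newest one.
    Returns None when no clean snapshot exists.
    """
    clean = [datetime.fromisoformat(ts) for ts, ok in snapshots
             if ok and datetime.fromisoformat(ts) <= detected_at]
    return max(clean) if clean else None


def assess_recovery(snapshots, detected_at, restored_at,
                    rpo_target_hours, rto_target_hours):
    """Compare the RPO and RTO actually achieved against the targets.

    Achieved RPO: age of the restore point at the moment the incident was
    detected, i.e. how much work is lost. Achieved RTO: time from detection
    until the service was back. Both are reported in whole seconds.
    """
    detected = datetime.fromisoformat(detected_at)
    restored = datetime.fromisoformat(restored_at)
    rpo_target = timedelta(hours=rpo_target_hours)
    rto_target = timedelta(hours=rto_target_hours)

    rto = restored - detected
    point = last_clean_snapshot(snapshots, detected)
    if point is None:
        # Every snapshot is poisoned: nothing to restore from, RPO cannot be met.
        return {"restore_point": None, "achieved_rpo_seconds": None,
                "rpo_met": False, "achieved_rto_seconds": int(rto.total_seconds()),
                "rto_met": rto <= rto_target}

    rpo = detected - point
    return {
        "restore_point": point.isoformat(),
        "achieved_rpo_seconds": int(rpo.total_seconds()),
        "rpo_met": rpo <= rpo_target,
        "achieved_rto_seconds": int(rto.total_seconds()),
        "rto_met": rto <= rto_target,
    }


if __name__ == "__main__":
    # Hourly snapshots, a 1-hour RPO target and a 4-hour RTO target. Detection
    # at 10:20 leaves 07:00 as the last clean snapshot: RPO missed, RTO met.
    result = assess_recovery(SNAPSHOTS, "2021-11-25T10:20:00",
                             "2021-11-25T14:20:00", 1, 4)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it and the hourly snapshot schedule, which looks like a one-hour RPO on paper, delivers three hours and twenty minutes of lost work because the last three snapshots contain the attacker’s output. Two levers move that number: faster detection, and snapshots the attacker cannot tamper with or delete, so that “clean” means what the integrity check says it means.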

These are steps towards a situation in which it becomes mandatory to protect systems and keep backups, which, depending on your notions of how ‘big’ a government should be, may be a good or a bad thing. Mandated or not, the baseline is poor: according to Microsoft’s figures, 1.26% of the world’s computers (1.26% of two billion computers is over 25 million installs) still run the 20-year-old Windows XP, an operating system that has been out of support since 2014 and is so insecure that its password login can be bypassed by pressing key combinations during boot.

A large proportion of the cost of doing business today is the IT bill. That bill could and should include moving software onto a later (and supported) operating system, hourly snapshot backups of critical systems kept where an attacker cannot delete or encrypt them, and cybersecurity’s best-in-class protective measures. Like an investment in a building’s infrastructure to ensure it doesn’t fall down, technology investment keeps the show on the road.

And should part of the IT budget be earmarked to pay ransomware demands when (not if) hackers hit? Brian told us, “My opinion as a CSO is that if you pay, you’re adding to the problem, you’re funding those groups for future attacks, and this is how they’re getting more sophisticated [by] reinvesting that money in their attack techniques. But it’s a decision for each company.”