Introducing a new set of NCSC principles to strengthen the resilience of organisations' cloud backups from ransomware attackers.
Every month there are press reports of a global organisation experiencing a ransomware attack. In the NCSC we see the real-world effects of ransomware when we support UK organisations going through an incident. While there is a lot that organisations can do to minimise the chance of becoming a victim in the first place, everyone agrees that a backup capability is absolutely key to resilience. Not having this in place hampers your ability to get back on your feet and worsens the consequences to you, your business and in many cases, your customers or service users.
Every organisation should have a solid response plan in place which should include making regular backups. And testing your backup regime is equally important to make sure you can restore your data as planned. We’re aware of cases where organisations believe they have a backup regime in place but aren’t sure what it looks like in practice.
But in a destructive ransomware attack, actors are known to specifically target backups, to make it harder for the victim to recover their data and to try to force them to pay the ransom. This can happen to backups stored on connected USB and network storage drives, or in a cloud-based service, an increasingly common option these days. In the NCSC we’ve worked with victim organisations whose backups are compromised, and this cruel tactic makes a difficult time even worse.
These days, organisations of all sizes use the cloud to manage their data, and there are huge advantages to doing so. This is especially true when it comes to backups, where the option to store large amounts of data and to automate backups on a regular basis can be really valuable to a busy organisation. But we need to collectively acknowledge that for all their advantages, cloud-based backups can be vulnerable to a determined attacker who knows where to look.
That’s why we’ve come up with a new set of principles which lay out the best practice to make sure cloud backups are more resistant to ransomware. In essence, they describe the features a service should offer for backups to be resilient to ransomware actors. These principles are designed to be useful both to vendors of cloud services and to system owners who are procuring a new service, or assuring themselves that their existing service meets certain standards.
It’s important to say that while these principles provide a solid foundation to help prevent an actor deleting your cloud backups, they won’t protect your organisation from all the effects of ransomware – we’re thinking particularly here of the extortion threat, where an actor threatens to release your stolen data unless you pay a ransom.
Using these principles to secure backups in the cloud is just one of the ways you can improve your organisational resilience. The good news is there is a lot your organisation can do to prevent becoming a ransomware victim in the first place – defence-in-depth measures like putting in place technical controls, physical security and a solid incident response plan are all important steps. But if the worst happens, you need to be confident that your data is secure, accessible, and ready to restore in a realistic timeframe. Large organisations should review our mitigating malware and ransomware guidance to make sure they’ve taken the right measures, and for smaller organisations, there are useful pages in the NCSC small business guide.
And look out for more from the NCSC in the future about how you can further improve resilience, and mitigate the risks associated with ransomware.
October 4, 2023
September 11, 2023