Before we get started, it’s important to define what the term backup means. In the cybersecurity world, a backup is the process in which the state, files and data of a computer system are duplicated so that the copy can stand in for the primary data when that data is corrupted, deleted or lost. In most cases, partial backups should be taken daily and a full backup at least weekly, depending on the specific environment.

SpearTip encounters backups most frequently during Incident Response cases, where they are used to recover or restore systems after something malicious or suspicious has occurred within the network. While backups are extremely important for IT teams, relying solely on them to battle ransomware is not a recommended security move.

If your company is taking backups regularly, make sure you are doing it correctly. One of the biggest mistakes SpearTip encounters during Incident Response and data breach cases is backups that stay connected to the physical network. Keeping them disconnected can be achieved in many ways, such as taking a weekly offline full backup, or by looking into a solution where the backup storage is only connected to the network while the backup is running. In many cases, bad actors target connected backups first, right after securing domain administrator credentials. They look for backups because they know that if your company can’t restore its system data, the likelihood of paying the ransom increases.


Some further ways to ransom-proof your backups include:

  • Test your offline backups – an untested backup is not truly a backup.
  • Collect logs and create alerts around your backup infrastructure. If a backup fails to run, this could be an early indicator of a ransomware compromise.
  • Improve the frequency of backups. Many companies take immediate backups of key organizational data, replicate them immediately, and take a copy offline daily. Depending on your customers and the importance of the data you collect, this could be critical.
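As an added illustration of the logging-and-alerting item above (example code written for this page, not SpearTip's tooling), the script below parses a constructed backup-job log and raises alerts both for runs that explicitly failed and for jobs whose daily partial or weekly full backup has quietly stopped appearing. The log format, job names and two-hour grace period are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample backup-job log (not from any real product). Assumed
# format: <ISO timestamp> <job_name> <INCREMENTAL|FULL> <SUCCESS|FAILED>
SAMPLE_LOG = """\
2024-03-03T02:00:00 fileserver FULL SUCCESS
2024-03-04T01:00:00 fileserver INCREMENTAL SUCCESS
2024-03-05T01:00:00 fileserver INCREMENTAL SUCCESS
2024-03-06T01:00:00 fileserver INCREMENTAL FAILED
2024-03-05T01:00:00 sqlserver INCREMENTAL SUCCESS
"""

# Expected cadence (daily partial, weekly full) plus an assumed two-hour grace period.
MAX_AGE = {
    "INCREMENTAL": timedelta(days=1, hours=2),
    "FULL": timedelta(days=7, hours=2),
}

def parse_log(text):
    """Return a list of (timestamp, job, kind, status) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, job, kind, status = line.split()
            events.append((datetime.fromisoformat(ts), job, kind, status))
    return events

def backup_alerts(events, now_iso):
    """Return sorted alerts: every FAILED run, plus any job whose latest successful
    run of each kind is missing or older than the cadence allows."""
    now = datetime.fromisoformat(now_iso)
    alerts = []
    last_ok = {}  # (job, kind) -> timestamp of the latest successful run
    for ts, job, kind, status in events:
        if status == "FAILED":
            alerts.append(f"{job}: {kind} backup FAILED at {ts.isoformat()}")
        elif status == "SUCCESS" and ts > last_ok.get((job, kind), datetime.min):
            last_ok[(job, kind)] = ts
    # A job that silently stopped running is as suspicious as one that failed.
    for job in sorted({e[1] for e in events}):
        for kind, max_age in MAX_AGE.items():
            last = last_ok.get((job, kind))
            if last is None:
                alerts.append(f"{job}: no successful {kind} backup on record")
            elif now - last > max_age:
                alerts.append(f"{job}: last successful {kind} backup is stale ({last.isoformat()})")
    return sorted(alerts)
```

Calling `backup_alerts(parse_log(SAMPLE_LOG), "2024-03-06T09:00:00")` flags the failed incremental run, the stale incremental backups for both jobs, and the missing full backup for sqlserver.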

While maintaining proper backups is crucial to an Incident Response plan and to an overall information technology strategy, never getting encrypted in the first place should always be the goal. The large majority of ransomware attacks happen overnight and during the weekend, so having a 24/7 security operations center monitoring your environment is one strong way to protect it from ransomware attacks.

When your environment is monitored 24/7 by a cybersecurity firm like SpearTip, you and your organization can feel confident that when an incident occurs, elite cybersecurity engineers are quick to respond, averting a cyberattack in your environment. Remember, your backups aren’t enough. Check the architecture of your backups and reevaluate it to avoid headline news, business disruption and a ruined reputation.