Virginia Lawyer VA Lawyer August 2019 : Page-44


Risk Management
Rethinking Backup Strategies in Light of Ransomware Threats
by Mark Bassingthwaighte
Virginia Lawyer | August 2019 | Vol. 68 | Page 44

In working with over 1,200 law firms over the years, I have observed that few lawyers really understand the computer backup process. Today, the backup process is a security process that must take center stage, and it is the solo and small firm setting that I’m most concerned about. Smaller firms must make sure their process isn’t something that was state of the art in 1999 because today we have the very serious threat of ransomware.

With ransomware, your data will be encrypted and then you will be forced to pay a ransom in order to obtain the decryption key, which may or may not allow you to successfully recover all your files. Regardless of whether you pay the ransom, you are going to need the services of an IT specialist, and understand there are no guarantees here: The network may not be able to be restored.

It’s important to also realize that ransomware can infect your network via multiple channels, many of which involve some form of social engineering. A common attack vector currently looks like this: Someone in your firm is tricked into opening an attachment in an email that purports to be a business document or invoice. That’s all it takes. Once enabled, the malware will start to encrypt your data.

Making matters worse, and depending upon the specific family of ransomware you’re hit with, the ransomware may replicate itself and spread across your entire network, may scramble the file names of all encrypted files, may run several different encryption programs in a single attack, may identify and erase system restore points, may erase all data on all hard drives, may be programmed to delay executing in order to infect backups, and the list goes on. In short, any IT specialists brought in will have to overcome all kinds of problems in their effort to try and recover anything.
Cybercriminals continually work to improve the effectiveness of their tools. Certain strains of malware can now jump to the cloud, and many have been engineered to evade detection by antivirus software and can be programmed to delay running. Thus, an effective backup process has become a critical component to an overall defensive strategy against ransomware and other forms of cybercrime.

Best practices today dictate having at least three copies of all your data, utilizing two different media formats, and maintaining one backup offsite. For example, you might utilize two external hard drives and a cloud backup provider. An approach like this would allow you to have access to a copy stored locally in case your internet connection is down, and after a ransomware attack, the cloud backup is sometimes the only good backup available to IT support as they try to help you recover. That said, a few side notes are in order.

1) Since ransomware can map drives and infect everything connected to the network, always disconnect backup drives (e.g. any external USB drives) from the network once the backup process has completed.
2) While cloud backups can be your salvation in the event of a ransomware attack, as with any backup process, sometimes the backup data set becomes corrupted. Thus, having multiple versions of the backup in the cloud is a good idea.
3) Given the rise of time-delayed attacks, also maintaining an archive of backups locally and in the cloud would be a prudent step to take. Yes, you may end up losing a month or two’s worth of data in a time-delayed attack; but having the ability to recover from an archived backup of data that’s several months out of date is going to be far better than losing everything.
4) Look for cloud backup providers that allow you to control the encryption key as a way to prevent anyone else from accessing your data.
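The three-copies rule and the four side notes above can be turned into an automated check of a firm's backup inventory. The following Python is an added example, not part of the original article; the field names, the `audit` function, the sample inventory and the 90-day archive threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

ARCHIVE_DAYS = 90  # assumed threshold; the article says only "several months"

@dataclass
class Copy:
    name: str
    media: str          # e.g. "external-hdd" or "cloud"
    offsite: bool
    attached: bool      # still reachable from the network after the backup job
    versions: int       # restore points retained
    oldest_days: int    # age of the oldest retained restore point
    firm_holds_key: bool = False  # only meaningful for cloud copies

def audit(copies):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies share one media format, need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    for c in copies:
        cloud = c.media == "cloud"
        if not cloud and c.attached:           # side note 1
            findings.append(f"{c.name}: drive left attached after backup")
        if cloud and c.versions < 2:           # side note 2
            findings.append(f"{c.name}: only one version retained")
        if cloud and not c.firm_holds_key:     # side note 4
            findings.append(f"{c.name}: provider controls the encryption key")
    # Side note 3: an old enough archive must exist both locally and in the cloud.
    groups = (("local", [c for c in copies if not c.offsite]),
              ("cloud", [c for c in copies if c.media == "cloud"]))
    for where, group in groups:
        if not any(c.oldest_days >= ARCHIVE_DAYS for c in group):
            findings.append(f"no {where} archive at least {ARCHIVE_DAYS} days old")
    return findings

# Constructed inventory: the article's example of two external drives plus a cloud provider.
SAMPLE = [
    Copy("usb-a", "external-hdd", offsite=False, attached=True, versions=1, oldest_days=1),
    Copy("usb-b", "external-hdd", offsite=False, attached=False, versions=4, oldest_days=120),
    Copy("cloud", "cloud", offsite=True, attached=False, versions=1, oldest_days=7),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL", finding)
```

The sample meets the three-copies, two-media, one-offsite rule yet still fails four of the side-note checks, which is the gap the side notes are meant to close.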
Even with a well-designed backup process in play, the best defense to threats such as ransomware is an effective offense because, and for the last time, there are no guarantees that a full recovery is going to be possible. So, in addition to instituting a backup process along the lines presented above, every firm regardless of size should prioritize mandatory ongoing training for all staff and attorneys that develops social engineering awareness with real-world examples of cyber-attacks and tips on how to spot them. To help with this training, consider working with a security company like KnowBe4 (www.knowbe4.com), whose entire focus is geared toward cyber training. When you stop to think about what’s really at stake, such training should no longer be optional.

Mark Bassingthwaighte, ALPS risk manager, has conducted more than 1,000 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management and technology. His webinar on Best Practices for Client Selection in the ALPS CLE library is at http://alps.inreachce.com. He can be contacted at: mbass@alpsnet.com.

www.vsb.org
