5 Questions Your Data Protection Vendor Hopes You Don’t Ask
Traditional data protection methods often fail to provide effective cyber resiliency. Here are 5 questions to ask to reduce the impact of evolving ransomware variants.
December 18, 2024
When the Irish Health Care System (HSE) was hit by a ransomware attack, 80% of its data became corrupted and unusable. In July, the city of Columbus experienced a ransomware attack that disrupted various municipal services, and months later, it is still working toward recovery.
Ransomware attacks are becoming more frequent and causing unprecedented chaos and financial distress.
Few organizations have been this transparent following a ransomware attack, but HSE and Columbus are far from alone. Following ransomware attacks, organizations rely on their data protection solution to recover and restore business operations as quickly as possible.
However, instead of providing a timely and confident recovery, traditional data protection and storage solutions have their limitations exposed, and organizations are left paying the ransom. Even then, only 4% get all of their data back (Sophos, States of Ransomware, 2022).
This demonstrates how traditional data protection solutions fail to fully support cyber resiliency, despite having added "cyber" features to their products. Features like immutability, isolation, virus scanning, and multi-factor authentication are often easily integrated. Some vendors even rely on marketing hype, attempting to position themselves as security vendors rather than delivering real value.
Key Questions to Ask About Data Protection
Here are key questions that traditional data protection solutions struggle to answer regarding cyber resiliency:
1. What was the Impact of the Attack?
Data protection vendors often rely on high-level analysis to detect unusual activity in backups or snapshots. This includes threshold analysis, identifying unusual file changes, or detecting changes in compression rates that may suggest ransomware encryption.
These methods are essentially guesses prone to false positives. During a ransomware attack, details matter. Leveraging advanced AI engines to detect patterns indicative of cyberattacks offers more accuracy, reduces false alerts, and provides the critical details of exactly what files and databases were impacted to support smarter recovery.
2. How can Data Loss be Minimized?
Organizations snapshot or back up data regularly, ranging from hourly to daily intervals. When an attack occurs, restoring a snapshot or backup overwrites production data—some of which may have been corrupted by ransomware—with clean data.
If only 20% of the data in the backup has been manipulated by bad actors, recovering the full backup or snapshot will result in overwriting 80% of data that did not need restoration. This will include valuable business information that could be lost forever. Detailed forensic insight into which specific files were impacted is essential to minimizing data loss.
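The difference between a full restore and a targeted one, as an added Python example (not code from the article or from any vendor). The function names, the directory layout and the `impacted` set, which stands in for the per-file output of a corruption analysis, are assumptions; the sample files are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def plan_restore(backup: Path, prod: Path, impacted: set) -> dict:
    """Split production files into restore / keep / unrecoverable.

    `impacted` is the per-file finding of a corruption analysis (assumed input).
    A hash difference alone cannot tell corruption from legitimate edits.
    """
    b, p = manifest(backup), manifest(prod)
    plan = {"restore": [], "keep_changed": [], "no_backup_copy": []}
    for name in sorted(p):
        if name in impacted:
            plan["restore" if name in b else "no_backup_copy"].append(name)
        elif b.get(name) != p[name]:
            plan["keep_changed"].append(name)  # work done since the backup
    return plan

def apply_restore(backup: Path, prod: Path, plan: dict) -> int:
    """Copy back only the impacted files; everything else is left untouched."""
    for name in plan["restore"]:
        shutil.copy2(backup / name, prod / name)
    return len(plan["restore"])

def demo():
    """Constructed sample: 5 files backed up, then 1 corrupted and 1 edited."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, prod = Path(tmp, "backup"), Path(tmp, "prod")
        backup.mkdir()
        prod.mkdir()
        for i in range(5):
            (backup / f"doc{i}.txt").write_text(f"version 1 of doc{i}\n")
            shutil.copy2(backup / f"doc{i}.txt", prod / f"doc{i}.txt")
        (prod / "doc1.txt").write_bytes(b"\x9f\x03\xe1" * 8)  # stands in for corruption
        (prod / "doc3.txt").write_text("version 2 of doc3, edited after the backup\n")
        plan = plan_restore(backup, prod, impacted={"doc1.txt"})
        restored = apply_restore(backup, prod, plan)
        return plan, restored, (prod / "doc1.txt").read_text(), (prod / "doc3.txt").read_text()

if __name__ == "__main__":
    print(demo())
```

Restoring the whole backup in this sample would have rolled `doc3.txt` back to version 1; the targeted plan touches one file out of five.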
3. Do I Need to Validate Databases from Ransomware Corruption?
Cybercriminals understand that databases are the backbone of many businesses, making them prime targets for extortion. By corrupting these databases, they can pressure organizations into paying ransoms. Using common variants, such as ransomware that intermittently encrypts data, attackers can disrupt both user files and critical databases.
Although some vendors suggest that there’s no need to validate database integrity—arguing that corrupted databases will simply cease to function—this is misleading and will result in significant impact following an attack. Regular validation of production databases, including their content and structure, is essential to ensure cybersecurity resilience and mitigate potential damage.
4. Is the AI Engine Smart Enough?
AI is now a mainstream topic, but understanding how an AI engine is trained is critical to evaluating its effectiveness. When dealing with ransomware, it's important that the AI is trained on real ransomware variants and how they impact data.
If the AI is only trained to look for threshold changes or compression rate fluctuations, cybercriminals can adjust their tactics to bypass detection. Many modern encryption algorithms do not affect compression rates, and certain ransomware variants avoid triggering metadata-based threshold alerts.
AI engines must be trained on actual ransomware behaviors and constantly updated with new variants to ensure the accuracy and relevance needed to support smart recovery.
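Why a coarse compression-rate threshold (question 1) can miss the intermittent encryption mentioned under question 3, as an added Python example that is not code from the article or from any product. The block size, the 0.9 threshold and all function names are assumptions, and the sample data is constructed: log-like text with one block in eight replaced by random bytes.

```python
import random
import zlib

BLOCK = 4096  # assumed analysis granularity; not a value from the article

def ratio(data: bytes) -> float:
    """Compressed size / original size; close to 1.0 means incompressible."""
    return len(zlib.compress(data, 6)) / len(data)

def whole_file_alert(data: bytes, threshold: float = 0.9) -> bool:
    """Coarse check: one compression ratio for the whole file."""
    return ratio(data) >= threshold

def suspicious_blocks(data: bytes, threshold: float = 0.9) -> list:
    """Fine-grained check: offsets of full blocks that look encrypted.

    A trailing partial block is skipped, because zlib's fixed overhead
    inflates the ratio of very small inputs.
    """
    return [off for off in range(0, len(data) - BLOCK + 1, BLOCK)
            if ratio(data[off:off + BLOCK]) >= threshold]

def make_sample(blocks: int = 64, every: int = 8, seed: int = 1) -> bytes:
    """Constructed sample: log-like text with every `every`-th block replaced
    by random bytes, standing in for intermittently encrypted content."""
    rng = random.Random(seed)
    size = blocks * BLOCK
    text = b"".join(b"2024-12-18 INFO order=%06d status=shipped\n" % i
                    for i in range(size // 40))[:size]
    out = bytearray(text)
    for b in range(0, blocks, every):
        out[b * BLOCK:(b + 1) * BLOCK] = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return bytes(out)

if __name__ == "__main__":
    sample = make_sample()
    print("whole-file ratio:", round(ratio(sample), 2))
    print("whole-file alert:", whole_file_alert(sample))
    print("blocks flagged:", len(suspicious_blocks(sample)))
```

The whole-file ratio stays far below the threshold even though an eighth of the content is unreadable, while the per-block pass reports exactly which offsets changed.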
5. Can you Keep Up with Modern Ransomware Variants?
Ransomware evolves quickly, with bad actors introducing new encryption algorithms and altering how files are corrupted. Signature scanning and other methods based on specific indicators of compromise struggle to keep up with these rapid changes.
What’s needed is an automated approach that continually tests against the latest ransomware variants and provides a service-level agreement (SLA), ensuring reliability and accuracy in detecting data corruption caused by attacks.
Demand Trustworthy Resilience
Organizations need to demand AI data integrity engines that can accurately detect corruption due to cyberattacks, detailed forensic insights to minimize data loss, regular validation of data at rest to ensure reliability, and continuously updated AI to keep up with evolving ransomware variants.
Traditional methods often fail to provide effective cyber resiliency. Challenge "good enough" methods and implement an integrated storage and data protection solution you can trust.