The following is adapted from Fire Doesn’t Innovate.
Ransomware is one of the nastiest types of cyberattacks.
When ransomware infects your computer, its first directive is to encrypt all of your files, meaning your device can no longer read and access them. The criminal behind the virus will then hold your files hostage until you pay for him to unencrypt them.
Regularly backing up your data is your best defense against this kind of attack, because if you have a second copy of all your data somewhere beyond the reach of the ransomware, then you won’t lose it forever if an attacker compromises your computer. You can wipe your machine clean, reinstall your operating system and programs, and restore your data. Yes, you will lose some time, but your ability to get back in business is entirely under your control.
Modern versions of ransomware can actually detect local backups—even on external hard drives—and it will encrypt all of that data as well. Because of how sophisticated modern ransomware is, it’s essential to maintain two different types of backups:
- A local backup on your computer or an external hard drive
- A second backup not connected to your computer (i.e. a cloud backup)
You may ask, “Can I back everything up to the cloud and skip the local backup?” It’s a fair question, but there is a good reason to maintain both types of backups.
You never know what type of computer disaster may strike. What happens if your house catches fire and your local backup is destroyed? Or say your home is robbed and the burglars take the local copy of your data? With a cloud backup, you can restore your data to a new computer even if you lost the physical copy of your backup.
On the flip side, if your cloud-based data is compromised or your cloud services company goes under, you still have a local copy to restore.
Having two backups is simply the smart thing to do.
Don’t Skip This Important Step with Cloud Backups
There are two major risks inherent to storing data with a cloud services provider:
- The company’s integrity
- The threat of data theft
Any company can say it will protect your data at all costs, but do they really follow through on that claim? Also, it’s always a possibility that someone could break into your backup with the cloud services company and steal your data.
To neutralize any concerns about the competency of a cloud provider, the threat of theft, and even the possibility of the government taking it under a court-approved warrant, encrypt your data before you upload it to the cloud.
If you encrypt it first, no one can make any sense of it, even if they access it.
How to Encrypt Your Data
How do you encrypt your data? First, make sure you use a cloud backup service that gives you complete control over the private encryption key. SpiderOak One is one of the few providers I’ve found that will give you control over your private encryption key.
You’ll want to store the encryption key in two places. Keep one copy in a password manager such as LastPass or 1Password. Then print it on a piece of paper (without your user ID and password on it) and put it wherever you store other vital documents, such as your certified copy of your birth certificate and your passport.
If you are ever burglarized and that paper is stolen, you’ll have to contact your cloud services provider and follow the process to change the encryption key. If you get struck with terrible luck, and your computer gets stolen at the same time your paper version of the private key is stolen, you will still be able to retrieve your encryption key in your password manager. That’s the virtue of having multiple copies of your data.
Consider Your Company’s Backups
You’ll want to back up your company’s computers and devices as well.
Talk to your IT team about how they execute data backups, where those backups are stored, if they have multiple copies, whether they use encryption, and how they use it.
Once you establish a consistent backup process, make sure you continue to backup your company’s data at regular intervals. An ideal backup cadence might be between once and three times a day for the best results.
Finally, be sure to do a test data restoration once per quarter. There have been too many incidents of data backups that fail to work when they’re needed that you have to take this precaution.
For more advice on backing up and encrypting your personal and company computer data, you can find Fire Doesn’t Innovate on Amazon.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).