Ransomware continues to be a big concern for IT professionals and corporate stakeholders as this lucrative criminal activity promises to be with us for the long term. Research from Kroll found that the financial toll suffered courtesy of a significant cyberattack amounts to at least $5 million per attack. In about one-third of cases, it cost organizations between $10 million and $25 million. 16% said it amounted to more than $25 million. This total includes loss of market valuation. When a company is attacked, there is widespread PR fallout to contend with. Customers, partners, and investors hear about it and become wary. Stock prices fall, attrition rates increase, and new business is difficult to obtain. It takes time to ride the wave of negative publicity.
It’s no wonder that the Security and Exchange Commission has taken action. It has made it clear that simply having a disaster recovery plan in place is no longer enough. Instead, the SEC is mandating that publicly traded corporations have specific ransomware prevention and recovery plans in place. The SEC is holding corporate board members responsible for the management of cybersecurity risk, the implementation of appropriate policies and technology safeguards, the reporting of breaches, and the creation of comprehensive business continuity plans to ensure rapid recovery from any cyber-incidents.
According to the Veeam 2022 Data Protection Trends report, 76% of organizations have already suffered at least one ransomware attack. What isn’t so well know is the fact that the cybercriminals targeted backups in 94% of these attacks. They know that if they infect backups, organizations are far more likely to pay the ransom.
The obvious solution to this problem is to ensure that any and all backups are safeguarded effectively from malware. That is easier said than done. The only sure way is to create a backup, verify that it is free of ransomware, and then move it offline using a removable media such as LTO tape to provide an air gap between online and offline systems – in other words, there is no direct network connection possible between online hackers and where the data is securely stored.
For those that already have tape in use in the enterprise, the tape air gap provides the ultimate protection against ransomware. But per the report, only 22% of organizations are using this approach so far. What about the rest? Is it a question of cost?
For those that don’t possess a tape infrastructure that is used for enterprise backup, a common consideration on why they don’t implement an air gap is cost. They may view the price tag for adding tape drives, enterprise tape libraries, tape cartridges, software, and offsite storage as being too high to implement.
This may be the case for smaller organizations dealing with a limited quantity of backup. But once capacity needs for backup grow beyond say, 200 TB, the economics of tape make more and more sense. And the entire process is far easier and more affordable than most CIOs, CISOs, and CFOs realize. So what would it cost to put a PB on easily removable and portable tape, and get it offsite and offline?
Consultant and TCO economics expert Brad Johns has studied the cost of storing one PB with 25% annual growth rate over 5 years and 10 years using the latest generation 18.0 TB LTO-9 cartridges with a 2.5:1 compression ratio, yielding 45 TB per cartridge. He also compares the LTO option to economy HDD and cold cloud storage as a point of reference. Brad’s analysis includes the cost of hardware acquisition (a 3U rack-mountable autoloader, two tape drives, and tape cartridges), a 5-year extended warranty, energy usage over the five years, offsite vaulting costs, and system management of 1 PB of mission-critical data on physical tape and then stored offsite. Johns estimates that just 23 LTO-9 cartridges would be needed to store 1 PB initially. He came up with the price tag for 5 years as only $60,000! (see table above). $60,000 seems like a minimal insurance policy compared to the potential millions in ransomware-related costs as detailed by Kroll. And the TCO is significantly lower than HDD or cloud for that matter.
The allure of the cloud has long been that it eliminates CAPEX. Instead of buying all the hardware and software, the organization pays a monthly subscription. This has been promoted so effectively that most organizations have bought into the idea that it is simpler, easier, and cheaper to throw everything into the cloud. Yet as time goes on, and as in-depth costing analyses show, the price tag soon mounts. Over a five-year term, however, the cloud can no longer claim to be the inexpensive choice. And merely by the fact that the data is stored online, cloud backups are always potentially exposed to infiltration, infection, and ransom by cybercriminals. All it takes is the access credentials of one user and the data can be compromised.
When ransomware is factored in, failure to include a tape air gap as part of any protection strategy could turn out to be a very expensive mistake. Is that a risk any prudent board member really needs to take? A tape air gap is not only smart from a data protection perspective; it makes sound financial sense when storage and backup costs are compared to the staggering costs of an attack.
The Spectra Logic Ransomware Recovery Story
For a practical implementation of tape air gap and other best practices, check out this video of Spectra Logic IT director Tony Mendoza who recounts how Spectra Logic was attacked and how tape air gap supported their recovery effort:
With the SEC demanding effective action on cyber threats, ransomware, and business continuity, it appears likely that we will continue to see far more organizations implementing affordable LTO tape to take advantage of its air gap capabilities.