What Backup & Data Protection Professionals Can Learn from the Colonial Pipeline Ransomware Attack

The Bocada Team | June 1, 2021

In early May, Colonial Pipeline, operator of an oil pipeline that carries 45% of the United States’ East Coast supply of diesel, petrol, and jet fuel, made global news when it admitted that its network data was being held hostage by cybercriminals. For nearly a week, the pipeline remained offline, resulting in increased fuel prices and scrambles by consumers and businesses alike for fuel.

Eventually the pipeline went back into operation, but not before Colonial paid $4.4 million to the hackers to release their data.

This is only the latest major cyberattack hitting the news, and certainly not the first where companies were extorted out of millions in exchange for their data. As backup and data protection professionals, we should use these hallmark events to understand the underlying factors behind them and assess how we can better safeguard our organizations because of them.

1. Evaluate Your Backup Policy Schedule

IT teams have become increasingly cost-conscious over the years, with a push to do more and manage more data on the exact same budgets. Backup policies that call for partial backups, or for backups to occur only every few days, are protocols that have historically balanced the holistic need for data protection against organizational demands for cost management.

Yet put in the context of the Colonial Pipeline attack, these types of procedures may not have been sufficient. CNET reported that the hackers stole 100 GB of data as part of the attack. What hasn’t been made public is the speed with which hackers secured that data. While Colonial did spin up their backup data to bring systems back online, we likely will never know how much data was lost due to the backup cycle in place.

It’s a cautionary reminder to evaluate the speed with which critical data is produced, and therefore the frequency with which data should be backed up.

2. Respect Audits (And Audit Findings)

One especially disappointing fact about Colonial’s situation is that they were made aware of their cybersecurity vulnerabilities following an IT audit performed three years prior to the attack. The head of the consulting firm performing the audit is quoted as saying, “We found glaring deficiencies and big problems…I mean an eighth-grader could have hacked into that system.”

Notably, the audit included recommendations to ensure that critical data on how the pipeline operates could not be stolen. The irony is that while the hackers ultimately targeted business systems rather than operations systems, Colonial was forced to suspend operations as they evaluated the extent of the data theft.

Though Colonial did implement some of the audit’s recommendations, they didn’t follow the recommendations in full. Failure to address the audit’s full recommendations, and determine how those recommendations applied across their systems, was a likely pitfall in this scenario.

Audits can often feel like a burden. After all, they take critical resources away from day-to-day operations and safeguards. However, our data protection operations would be stronger if we treated audits as a major cyberattack defense weapon. They afford us the opportunity to proactively evaluate systems, identify data protection holes, and plug them before critical data gets lost.

3. Implement Real-Time Ransomware Identification

It hasn’t been made public how the hackers initially penetrated Colonial’s systems, though some speculate that it was through an age-old phishing email scam. Further, we don’t know exactly when that event happened or how long the data theft was occurring. However, with some research showing that it takes an average of 196 days to identify a data breach, the data theft doors were likely open for a very long time.

This dynamic raises the question: how do we stay ahead of these bad actors?

While the ideal scenario is to prevent all ransomware penetration, that’s often easier said than done. It’s why always having a follow-up line of defense, such as tools that identify if and when data theft is in progress, is so key. Pinpointing unusual changes in data volume can be the difference between one day’s worth of lost data and finding yourself with an unexpected $4.4 million data restoration cost.
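One concrete way to “pinpoint unusual changes in data volume” is to watch the amount of changed data each incremental backup writes and alert when a run departs sharply from its recent baseline. The script below is an added example, not Bocada’s own code: it compares each job against a rolling median and median absolute deviation (MAD) of the previous runs, so that a sudden spike (files being mass-rewritten, as happens during encryption) and a sudden drop to nothing (a job that silently stopped) both raise an alert, while the spike itself does not poison the baseline for the following day. The job records, window size and thresholds are constructed assumptions.

```python
"""
Added example (not Bocada's code): flag backup runs whose changed-data
volume departs sharply from a rolling, outlier-resistant baseline.
All job records below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class BackupJob:
    day: int            # sequence number of the backup run
    changed_gb: float   # data written by this incremental run, in GB


# Constructed sample: ten days of steady incrementals, then a mass-change
# event, then a run that wrote nothing at all.
SAMPLE_JOBS = [
    BackupJob(1, 11.8), BackupJob(2, 12.4), BackupJob(3, 12.1), BackupJob(4, 11.5),
    BackupJob(5, 13.0), BackupJob(6, 12.2), BackupJob(7, 11.9), BackupJob(8, 12.6),
    BackupJob(9, 12.0), BackupJob(10, 12.3),
    BackupJob(11, 96.0),   # roughly 8x the normal daily change
    BackupJob(12, 0.0),    # job produced no data
]


def robust_baseline(values):
    """Median and median absolute deviation; a single outlier barely moves either."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_anomalies(jobs, window=7, threshold=5.0, min_mad_gb=0.5):
    """Return [(day, changed_gb, reason)] for runs outside the rolling baseline.

    window:     how many previous runs form the baseline
    threshold:  distance from the median, in MAD units, that counts as anomalous
    min_mad_gb: floor for the scale so a perfectly flat history does not turn
                every small wobble into an alert
    """
    alerts = []
    for i in range(window, len(jobs)):
        history = [j.changed_gb for j in jobs[i - window:i]]
        med, mad = robust_baseline(history)
        scale = max(mad, min_mad_gb)
        job = jobs[i]
        score = (job.changed_gb - med) / scale
        if score > threshold:
            alerts.append((job.day, job.changed_gb,
                           f"volume spike: {score:.1f} MAD above baseline of {med:.1f} GB"))
        elif score < -threshold:
            alerts.append((job.day, job.changed_gb,
                           f"volume drop: {-score:.1f} MAD below baseline of {med:.1f} GB"))
    return alerts


if __name__ == "__main__":
    for day, gb, reason in flag_anomalies(SAMPLE_JOBS):
        print(f"day {day}: {gb:.1f} GB changed ({reason})")
```

The median/MAD baseline matters for the second alert: after the 96 GB spike enters the history window, a mean-based baseline would be dragged upward and a zero-byte run might look like an ordinary dip, whereas the median stays near 12 GB and the drop is still caught. In practice the input would come from the backup platform’s job reports rather than a hard-coded list, and the thresholds would be tuned per policy.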

What Do We Do Next?

The financial, operational, and reputational damage caused by cyberattacks is almost impossible to truly measure. As data protection professionals, we know this. And yet, nearly 80% of senior IT and IT security leaders believe their organizations lack sufficient protections against cyberattacks.

Confidence in cyberattack preparedness will come with confidence in backup data health. After all, with the right backup protections in place, a bad actor can’t prevent you from accessing your business-critical data when you know with certainty that you can spin up that data the moment you need it.
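Knowing “with certainty that you can spin up that data” means testing restores, not just confirming that backup jobs completed. The script below is an added example, not Bocada’s own code: it records a SHA-256 manifest of the source files when a backup is taken, then checks a restored copy against that manifest and classifies every file as intact, modified, missing, or unexpected. The directory layout and file contents are constructed in a temporary folder so the example runs offline.

```python
"""
Added example (not Bocada's code): verify a restore against a SHA-256
manifest taken at backup time. The source and restored trees are
constructed in a temporary directory for demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest recorded at backup time."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Files present after restore that were never in the backup set.
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def demo() -> dict:
    """Constructed scenario: one file restored intact, one corrupted, one lost, one stray."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "config").mkdir(parents=True)
        (src / "config" / "pipeline.yml").write_text("flow_rate: 100\n")
        (src / "billing.db").write_bytes(b"\x00" * 4096)
        (src / "notes.txt").write_text("scheduled maintenance\n")
        manifest = build_manifest(src)   # recorded when the backup is taken

        restored = Path(tmp) / "restored"
        (restored / "config").mkdir(parents=True)
        (restored / "config" / "pipeline.yml").write_text("flow_rate: 100\n")
        (restored / "billing.db").write_bytes(b"\xff" * 4096)   # simulated corruption
        # notes.txt is deliberately not restored
        (restored / "stray.tmp").write_text("not part of the backup set\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

For this to mean anything in an incident, the manifest has to be stored somewhere the attacker cannot reach alongside the backup itself (an immutable or offline copy), and the restore test should be run on a schedule against a clean host rather than only after something has already gone wrong.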