The sector of banking, financial services, and insurance (BFSI) is becoming highly digitally enabled as financial and banking activities are core to any society. In particular, digital adoption has become fundamental for banks to stay relevant and in business, causing an increase in data volume. Data is the lifeblood of every financial organization and is experiencing this exponential growth due to the digital enablement of financial services. For instance, COVID-19 provided the impetus to online trading through UPI, which doubled from the previous year’s 2.1 lakh crore rupees to 4.3 lakh, crore rupees in January 2021.
Unfortunately, there are also many downsides from digital dependence. For instance, banks have become an attractive target for cyber-attacks. In December 2020, two Indian banks were reported to have suffered from two different ransomware attacks, namely the Egregor ransomware and the Everest ransomware.
Trouble in the IT infrastructure is another type of disruption caused by digital dependence. A leading private sector bank had multiple instances of downtime in the last few months in its internet banking, mobile banking, and payment utility services. As a result, India’s Reserve Bank of India (RBI) asked the bank to temporarily shut down its digitization initiative and stop sourcing new credit card customers.
Many other similar disruptions dotted the Indian banking sector last year since the pandemic catapulted digital transformation to a new height. Therefore, to keep India’s financial backbone up and running in March 2021, the RBI asked banks to share and implement their business contingency plans (BCPs). A standard BCP includes measures to prepare for anticipated disruptions, ensure smooth flow of operations and staffing, identify critical resources, and form crisis management groups. To show the criticality of the existence of a BCP for the banking industry, RBI shared its BCP before it issued the directive for other banks.
RBI also emphasized the criticality of having cybersecurity and IT resilience for banks and asked them to have a distinguished, focused approach for each.
Protection from Multi-fold Increase in Ransomware Attacks
The year 2020 was razed by two major crises, the COVID-19 pandemic and ransomware attacks, a specific kind of cyberattack. Unfortunately, nothing is stopping the ransomware attacks in today’s pro-digital world. Criminals are always on the lookout to breach an organizations’ IT network. They either steal its data or sell it on the darknet. Or they steal and trade but also hold the network to ransom, demanding large sums before releasing it.
In addition to banks and financial institutions, several other large governments and private organizations such as the National Highways Authority of India (NHAI), Cognizant, and Honda were also attacked by ransomware in the last year. It is noteworthy that these organizations were also not without any security measures like the banking industry. For instance, Honda had spent millions on its cybersecurity protocol, creating layers of security to protect its invaluable asset: data.
A Cybersecurity Ventures’ 2020 report estimates cybercrime damage to be around US$6 trillion by the end of this year, with a cyberattack occurring every 40 seconds in 2016 to every 11 seconds in 2021, equivalent to about 3 million businesses being affected by ransomware attacks in a year. The average ransom payout has also nearly tripled over the last year.
With that, the question arises, how do organizations protect their data despite having security measures? What if the first line of defense (cybersecurity) fails? Will it still be possible to retrieve data seamlessly within minutes to ensure business continuity? Would the last line of defense stand? Can data protect itself when all security measures have failed?
Critical Data Protection Objectives That Need Consideration
Two main objectives drive the data protection space: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO is the amount of data you can afford to lose when you bring back your system online after a disaster, and RTO is the minimum amount of time you can allow to bring up your plans after a disaster.
The value of data a company protects is not always the same. For example, data such as email that has not been accessed in the last 5-6 months is more for archival purpose, while fast data can be used by bank executives to quickly access a customer’s records to see their current financial standing and past purchases with the bank, allowing the bank to offer new products. Another example is data under the human resources department. It is not as crucial as customer data for business continuation. So why use the exact solutions to protect all data with equal priority?
It is crucial to segregate data and have different measures to protect it, as shown here:
- Data and Secondary Systems (RPO/RTO > 24 hours)
- Business Critical Systems (RPO/RTO – 1 to 4 hours), and
- Mission Critical Systems (RPO/RTO – Near Zero).
Daily backup is not good enough when it comes to mission-critical data that needs a near-zero downtime. You need to look beyond “backup” that can give you RTO of hours to a day.
It would be best to have DC DR solutions with replication capabilities that should be platform-agnostic and seamless to transcend between physical, virtual, cloud, multi-cloud, on-premise, off-premise, or hybrid environments. Keep the mission-critical data continuously available between DC and DR.
Again, most solutions fail as they are not application aware but merely a snapshot of replication between storage devices on JBODs or VM-level replication. This is not good enough when every transaction, every row of your database, is essential, and you need solutions that go far beyond that point.
Follow a Holistic Ransomware Protection Approach
As India prepares for a full-throttle adoption of a digital-only world, it is essential to identify what you are trying to protect and what needs actual protection. Do your cybersecurity measures protect your data, and what are the stakes in case of a failure?
Ransomware prevention requires multi-fold strategies. Remember, there are no “silver bullets” to prevent ransomware attacks. It is possible to reduce the probability of an attack with cybersecurity measures, yet an orchestrated recovery is crucial if one still takes place.
Banks should look at creating multimodal strategies that can give a solid last line of defense. One of the most successful strategies has been the 3-2-1-1 Backup Strategy. In this, three different copies of data are created, one primary and two backups. The backups are then separately stored locally on two different storage media. One of these is kept in offsite storage (secure storage, cloud, etc.), and the other copy is on immutable storage, which can be a separate safe cloud.
Whenever a data protection and recovery solution with proper cybersecurity in place is implemented and aligned with the 3-2-1-1 best practice approach, one or more copies of your data will always be available for recovery in the event of a ransomware attack. The strategy can also enable you to spin up virtual machines so that your vital business applications can start immediately while data is being restored in parallel.
It is commendable that RBI has initiated a highly process-oriented strategy building for Indian banks and is leading from the front. It remains to see how quickly the Indian banking sector can implement it. Important to note here is that the same data protection and recovery strategy can apply to any enterprise that deals with huge volumes of customer data and cannot afford business downtimes, even seconds. This brings us back to the importance of having a functional BCP that ensures all organization’s critical functions continue to be available to individuals, businesses, and governments under all circumstances.
By Nikhil Korgaonkar, Regional Director, Arcserve India & SAARC