Intelligent SME.tech Issue 14 | Page 42


// FEATURE //

external bad actors and that internal malicious threats should be addressed as well.
Likewise, not all vulnerabilities from inside the company are hostile; many are simply due to mistakes, miscalculations or misconfigurations on the part of employees and even managers. In some cases, insider trouble stems from something as simple as workers not using IT-approved devices, which in turn opens the door to external bad actors.
Third, I would recommend that as important as it is to be able to protect against and detect data protection threats, it’s even more important to ensure the ability to recover and maintain operations.
A key part of the SME’s recovery strategy should incorporate ransomware protection using immutable backups. Immutable backups are a perfect solution for when external threats are the issue – and this type of backup is just as useful to guard against insider threats. The goal here is for SMEs to employ a backup target that lets them lock their backups for a predetermined period, called an immutable retention period.
It effectively creates virtual WORM (Write Once Read Many) storage for that period of time, preventing file alteration before the end of the period, and this type of mechanism is offered by many public cloud providers today. The result is the creation of immutable backups that no user can delete, even if a bad internal actor gets a hold of the root credentials.
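One way to check that a backup target really provides the immutability described above, as an added example that is not part of the original article: the page names no provider, so this assumes Amazon S3 Object Lock, whose compliance mode blocks deletion by every user including root, while governance mode can be bypassed by privileged users. The bucket names, the 30-day minimum and the sample responses are constructed.

```python
# Dicts follow the shape of Amazon S3's GetObjectLockConfiguration response;
# bucket names and the 30-day minimum are constructed assumptions.

MIN_RETENTION_DAYS = 30  # assumed policy minimum


def retention_days(default_retention):
    """Convert a DefaultRetention block (Days or Years) to days."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365


def audit_object_lock(response, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket passes."""
    config = response.get("ObjectLockConfiguration", {})
    if config.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled: backups can be altered or deleted"]
    default = config.get("Rule", {}).get("DefaultRetention")
    if not default:
        return ["no default retention: new backups are not locked automatically"]
    findings = []
    mode = default.get("Mode")
    if mode != "COMPLIANCE":
        # Governance mode can be bypassed by a principal holding
        # s3:BypassGovernanceRetention, so stolen admin credentials defeat it.
        findings.append(f"mode is {mode}, not COMPLIANCE: privileged users can bypass the lock")
    days = retention_days(default)
    if days < min_days:
        findings.append(f"retention is {days} days, below the {min_days}-day minimum")
    return findings


def lock(mode, days):
    """Build a constructed sample response for one bucket."""
    return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}}


# Constructed samples; {} stands in for a bucket with no lock configuration.
SAMPLE_BUCKETS = {
    "backups-compliant": lock("COMPLIANCE", 45),
    "backups-governance": lock("GOVERNANCE", 7),
    "backups-unlocked": {},
}

if __name__ == "__main__":
    for name, resp in SAMPLE_BUCKETS.items():
        print(name, audit_object_lock(resp) or "OK")
```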
BEN KOPPELMAN, RESEARCH AND INNOVATION LEAD AT CYBERSMART
The issues surrounding data management for SMEs are myriad. While the high-profile regulatory incidents surrounding data management often involve large, global brands, the reality is that SMEs need to ensure they are aware and compliant too.
There are common misperceptions; for example, that data protection and GDPR don’t apply to SMEs; and that large fines are only for large companies. These misperceptions need to be dispelled through effective communications, education and/or training.
Security is a core GDPR principle and GDPR adopts a risk-based approach to it; however, it’s not clear to SMEs how to carry this out. For example, GDPR requires organisations to implement ‘appropriate technical or organisational measures’ that ensure personal data are processed in a secure manner, but it does not define what ‘appropriate’ means. Rather, it is left up to each organisation to define this for itself, having assessed the specific risks facing its data processing.
In 2018, NCSC (with the ICO) published guidance about how risks should be identified and assessed according to the impact and likelihood of threats in light of the nature, scope, context and purpose of the data processing. So, in order to ensure that they remain in line with the latest guidance, SMEs would benefit from third-party expertise to support them and to suggest the tools required.