How to be cyber-resilient and protect your business from ransomware, from 65 cents per day

Yes, absolutely it is possible to be cyber-resilient, to mitigate all common cyber risks, and to do it for less than a dollar per day. In this blog, we explain how to get the right backup within a budget.
Share on email
Share on print
Share on facebook
Share on google
Share on twitter
Share on linkedin

Many of our small business and government clients are in a tricky space. They need to be cyber-resilient, but they also run on a very limited budget. (FYI, I explain what cyber-resilience is in this article.)

If budget is your #1 priority, how can you still be cyber-resilient? That’s the focus of this article.

As the owner of a small business myself, I know that most budget planning is on staff, sales and marketing and operational efficiency – not on things like electricity. And the reality for most businesses is that cyber-resilience is looked at as a sunk cost, as boring as electricity, yet 100% critical for existence.

So given a limited budget, how can we achieve a high level of protection that effectively mitigates all common cyber risks?

In this article, I’ll handle these two user scenarios:

Scenario 1: essential resilience for a small business’ file server.Scenario 2: enhanced resilience for a small business’ Windows server with Exchange and Hyper-V.
• You run a single on-premise Windows machine, which acts as a file server and Active Directory controller.
• You have up to 500GB of data + system.
• You run a single on-premise Windows server, with Hyper-V and Exchange installed.
• You have up to 500GB of total data + system.
• You have an unused machine that can act as a “private cloud” to host backup data offsite.
Total daily cost: 65 cents per dayTotal daily cost: 1 dollar per day (literally!)

Let’s break this down into 4 parts:

  1. Recap what we require to be cyber-resilient.
  2. Essential resilience – setup and costings
  3. Enhanced resilience – the setup and costings
  4. Variations and additional options – if you have special constraints or requirements.

And yes, you can even implement either of these two scenarios directly and achieve excellent protection.

Part 1 – Quick recap: what does it mean to be cyber-resilient?

As discussed in my other blog article, you’ll need a mixture of backups that are:

  • Onsite – for fast recoveries
  • Offsite – to mitigate against destruction of your premises (natural disaster), theft and ransomware
  • Offline – to mitigate against hacking attacks and ransomware

We’ll also assume that someone in your business is happy to swap out backup disks each day. (In Part 4, we’ll discuss alternative setups that can avoid this.) Although this sounds antiquated, it’s still the most practical way to take backups offline and offsite.

Part 2 – essential cyber-resilience for our small business file server

Decision 1: the backup software

Naturally, we choose BackupAssist, and include BackupCare subscription in our purchase. BackupCare is important because it enables the CryptoSafeGuard feature in the software – and this will shield the backup device from ransomware, while also enabling the detector which will notify the administrator if possible ransomware-corrupted files are on the file system.

We also take advantage of BackupAssist’s 5-year pricing guarantee. To get the lowest price possible, we subscribe BackupCare in two year blocks, renewing twice before the 5-year guarantee is up. This locks in the price of BackupCare for 6 years.

Although we only have to pay for the BackupCare subscription 24 and 48 months in the future, I include them in the costing tables.

Decision 2: the type of backups

We choose “System Protection” backups, which enable full system recovery via drive imaging. It also allows for granular restore of files.

This is a great choice for essential cyber-resilience. If you only do one backup, this is what I’d recommend.

Decision 3: the backup destination

Because we’re on a budget, we’ll back up to USB Hard Drives (for instance, as opposed to RDX disks). Given the importance of the data, we won’t use just any USB external drive. We’ll pay a little extra to get the LaCie Rugged Mini, which is a far more durable disk that comes with a 2 year warranty. We think it’s worth paying the extra 50% premium for this drive, because it is “ruggedized” to withstand drops, dust, and water.

We will choose an 8-drive rotation scheme. That will give us 4 daily backup disks for Tuesday – Friday, plus 4 weekly backup disks for each Monday. (Or if you prefer monthly / yearly backups, you can also customize the scheme to your needs.)

The LaCie drives are currently available on Amazon for $73.99 each. 1TB is sufficient for our needs, but upgrading to 2TB is only $5 extra per disk.

Costings

We therefore end up with this outlay (prices given in USD):

Table 1: essential cyber-resilience including backup software and hardware
SoftwareCost
BackupAssist Classic, with 24 months of BackupCare (for years 1 & 2)$449.00
Renewal 24 months less 35% disc (for years 3 & 4)$183.40
Renewal 24 months less 35% disc (for years 5 & 6)$183.40
Total cost:$815.80
Hardware
LaCie Rugged Mini 1TB – Drop Shock Dust Rain$73.99 each
Total cost for 8 drives:$591.92
Total cost – over 6 years:$1,407.72
Average cost per day$ 0.65

Summary of essential cyber-resilience

This option provides a very cost-effective level of essential cyber-resilience. You’ll be protected against these cases:

Table 2: essential cyber-resilience recovery performance
Event Corrective Action Max window of data loss Max time to recover *
User deletion Restore from last backup 1 day A few minutes
Hardware failure Restore from last backup 1 day ~ 2 hours
Theft Restore from last offsite backup 2 days ~ 2 hours
Physical premises destruction Restore from last offsite backup 2 days ~ 2 hours
Ransomware** Restore from last backup 1 days ~ 2 hours
Hacking (worst case) Restore from last offline backup 2 days ~ 2 hours

The maximum times quoted are worst-case scenarios based on our experience.

* We assume the worst case Bare Metal Disaster Recovery situation, pulling 500GB of backup data from USB disk for a full server rebuild.

** We assume that CryptoSafeGuard successfully shielded the backups from corruption, so any backup disk currently connected will not be corrupted.

Part 3 – implementing enhanced cyber-resilience

In this scenario, we’re “upgrading” the backup system to cater for some extra requirements.

  1. The system being backed up now includes Hyper-V and Exchange. The server is now configured as a Hyper-V host, while a guest runs as the Exchange Server and another guest runs as the file server.
  2. We want to deliver better cyber-resilience, and include automated offsite backups to the cloud.
  3. We also assume that recordkeeping is important, and the business wants to retain data for 6 years.

Decision 1: the backup software

Again we choose BackupAssist Classic, and also purchase three add-ons:

  • Exchange Granular Add-on – to enable easy and fast restore of individual mailbox items
  • Hyper-V Advanced Add-on – for rapid VM recovery and Hyper-V Granular file restore
  • Cloud Offsite Add-on – for cloud-based offsite file backups.

This will increase the price of the backup software as reflected in Table 3.

Decision 2: the type of backups

Essential protection

We will retain our “System Protection” backups (which use drive imaging) as our baseline protection. From this type of backup, you can:

  • Recover the entire system
  • Recover individual Hyper-V guests
  • Restore Exchange mailbox items
  • Restore files – even if they are in guest machines

Enhanced protection – automatic offsite backups

In addition to drive imaging, we also do file based backups. Using the Cloud Offsite features, we set up a 2nd job in BackupAssist Classic to back up files from the Hyper-V guest and also from key workstations. We do this by using network shares – simply add a read-only share on the Hyper-V guest, and configure BackupAssist Classic to back up those shares.

We also choose to perform the backups in the middle of the work day, and at the end. By doing two backups per day, this reduces the window of data loss down to half a day – or 4 hours.

Data retention – File Archiving backup

Finally, we add a 3rd backup job for file archiving. Given that some data needed to be retained for up to 6 years, we set up a File Archiving job for this. This job generates a ZIP file. However, this job does not need to be run each night – instead it can be run manually whenever a long-term record needs to be created.

Decision 3: the backup destination

Essential protection – to USB hard drives

Once again, we choose USB hard drives for essential protection. We have reserved 8 USB hard drives for this – same as in Scenario 1.

Enhanced protection – to private cloud

In this example, the business has existing infrastructure to support an automated offsite backup of files. This can be a very cost effective way to achieve “cloud” backups without having to pay for ongoing hosting fees.

  1. Existing unused machine is reprovisioned as a WebDAV server
  2. It is placed in a remote office
  3. VPN or Firewall rules are applied to enable secure access to this machine from the main office.

Data retention – to USB hard drives

We have reserved an additional 2 USB hard drives that can be used to store ZIP file backups. These hard drives should be stored offsite in a safe location for long term archiving.

Costings

We therefore end up with this outlay (prices given in USD):

Table 3: enhanced cyber-resilience including backup software and hardware
SoftwareCost
BackupAssist Classic, with 24 months of BackupCare (for years 1 & 2) $ 449.00
Renewal 24 months less 35% discount (for years 3 & 4) $ 183.40
Renewal 24 months less 35% discount (for years 5 & 6)$ 183.40
Exchange Granular Add-on $ 199.00
Hyper-V Advanced Add-on $ 249.00
Cloud Offsite Add-on $ 179.00
Total cost: $ 1,442.80
Hardware
LaCie Rugged Mini 1TB – Drop Shock Dust Rain $ 73.99 each
Total cost for 10 drives: $ 739.00
Total cost – over 6 years:$ 2,182.70
Average cost per day$ 1.00

Summary of enhanced cyber-resilience

This option provides a very cost-effective level of enhanced cyber-resilience. The maximum window of data loss is reduced, and you have additional restore options.

Table 4: enhanced cyber-resilience recovery performance
Event Action Max window of data loss Max time to recover *
User deletion Restore from last backup. ~4 hours A few minutes
Hardware failure Run Hyper-V Rapid VM Recovery from last backup. Update files from last cloud backup. ~4 hours ~ 5 minutes
Theft Run Hyper-V Rapid VM Recovery from last offsite backup. Update files from last cloud backup. ~4 hours ~ 5 minutes + cloud download time for 24 hours of changes
Physical premises destruction Run Hyper-V Rapid VM Recovery from last offsite backup. Update files from last cloud backup. ~4 hours ~ 5 minutes + cloud download time for 24 hours of changes
Ransomware** Run Hyper-V Rapid VM Recovery from last backup. Update files from last cloud backup. ~4 hours ~ 5 minutes + cloud download time for 24 hours of changes
Hacking (worst case) Run Hyper-V Rapid VM Recovery from last offline backup. Update files from last cloud backup. ~4 hours ~ 5 minutes + cloud download time for 24 hours of changes

In the example above, we use Hyper-V Rapid VM recovery to get systems running almost instantly. In the worst case, we might have to use a backup from 2 days ago (the last offsite / offline USB disk backup), and then update the files to the most recent backup from the cloud backup. Only newer files not already on the system will be downloaded, so the download time will be minimal.

Part 4 – varying the setup while retaining enhanced cyber-resilience

If your business operates an a different way to the examples, there are variations you can make to the setup of BackupAssist Classic, to better suit your specific needs.

For example, here are some constraints and alternative solutions.

  1. If you cannot swap hard drives daily: then we would still recommend that you take periodic offsite drive images (e.g. weekly, or upon an important configuration change) but you could also add in backups to a NAS or permanently connected HDD. However, any online backup is potentially vulnerable to hacking, so you should also perform cloud offsite backups.
  2. If you need large amounts of version history: then we recommend setting up a File Protection job to back up selected directories to a NAS or permanently connected HDD.
  3. If you run a SQL server: we recommend using our SQL Continuous Add-on to take near-continuous backups, and then push those backups offsite using the Cloud Offsite Add-on, or back them up as part of your drive image backups.
  4. If you use Office 365: then you can use BackupAssist 365 to download your cloud data and get local backups of mailboxes, SharePoint documents and OneDrive for Business. These data files can be included in your main on-premise server backups, giving you extra protection and peace of mind.

Where possible, we do recommend that your backup strategy has a mixture of onsite, offsite and offline backups.

Conclusions

We’ve shown here that cyber-resilience does not have to be expensive. Although the emphasis has been achieving protection at a low cost, we have not had to sacrifice the quality of the solution – and indeed we’ve chosen some premium options when it comes to the backup USB disks.

Yes, it is possible to do it cheaper – but we don’t recommend it. And of course it’s possible to spend megabucks, but no one has an unlimited budget.

With BackupAssist, you can get the right backup that meets your needs and and budget.

Leave a Comment

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email. Join 1,874 other subscribers