Nearly anybody with a mobile phone and internet access is aware that ransomware attacks have become more frequent, damaging and costly for businesses to endure. High-profile incidents against companies in healthcare, leisure and more have seared the ransomware threat into the public consciousness.

To their credit, businesses have largely taken note of the growing threat and implemented additional security measures to protect themselves and their data. One of these practices is zero-trust, a security model that requires every user to verify themselves as if they came from an open network, regardless of where they are operating. Zero-trust adds a layer of protection for IT systems and is an essential part of a modern, effective cybersecurity strategy.

However, one particularly troubling omission from most zero-trust frameworks is the protection of data backup and recovery systems. Let’s look at why zero-trust has become such a core tenet of modern cybersecurity and how we can further apply its principles to arguably the most important asset an organization has: Its data.

Just How Bad Has Ransomware Become?

As technology improves and provides more benefits to society, it also has the adverse effect of arming bad actors with the tools needed to succeed. Recent tech innovations like generative AI, paired with sophisticated tactics such as triple extortion and ransomware-as-a-service (RaaS), have only made ransomware defense more complex and challenging. A study of 1,200 IT professionals found that three out of four organizations were hit by at least one ransomware attack over the past year, while a quarter were attacked four or more times. What’s more, cyberattacks were the most common cause of server outages, as well as the most impactful and damaging.

The rapid evolution of ransomware tactics and effectiveness requires stringent security practices, such as zero-trust policies, to become immune to its impacts. But the key here is data backup and recovery, especially because bad actors have become wise about how important these systems are to the organization.

Applying to Backup & Recovery

A startling 93% of ransomware attacks directly targeted backup repositories, according to a similar study one year before, as attackers try to cause the most damage and thus improve their chances of collecting a ransom. Of these successful attacks, a whopping 75% of victims lost some of their backup data and 39% completely lost their backup repositories. Backup infrastructure is also especially appealing to attackers due to its large attack surface, including access to production on-premises and in the cloud.

The data is conclusive: Attackers are going after data backups, so the best way to mitigate potential damage is to apply stringent zero-trust principles. Think about it this way: The average time-to-recovery of a ransomware attack is 3.4 weeks or 136 business hours of downtime. While it’s important to apply zero-trust policies to cybersecurity systems that keep intruders out, the numbers show that successful intrusions are more than likely to occur, making the protection of data backups the utmost priority.

Currently, the Cybersecurity & Infrastructure Security Agency (CISA) doesn’t include backup and recovery as part of its zero-trust maturity model. While CISA’s framework is comprehensive and a great starting point for businesses looking to implement zero-trust policies, an update is needed. Fortunately, the new zero-trust data resilience model seeks to address the issue by folding in zero-trust principles to backup and recovery, separating backup management systems and their storage tiers into distinct resilience zones to reduce the attack surface from potential breaches.

Rather than viewing zero-trust as a massive overhaul to existing security practices, organizations should take small, tangible steps to begin their journey by learning core principles and the recommended architecture.

To Understand What’s Next, Look at What’s Happened

The ransomware threat has become more severe, both anecdotally (in terms of high-profile attacks) and quantitatively. But rather than looking to the next shiny new tool claiming to protect against attacks, keeping an eye on the past is crucial for businesses to set themselves up for success.

Zero-trust policies are part of a comprehensive, balanced approach to cybersecurity, and a best practice all businesses should follow. However, the past shows us that data backup and recovery systems need the same care and attention – if not more – as other mission-critical systems.

As an industry, we need to begin viewing ransomware as an inevitable occurrence and prepare for cyber resilience when an attack occurs – and it all begins with the data. Applying these concepts to backup repositories is a powerful, yet simple way to achieve radical resilience and ensure you’re ready to push back when an attacker comes calling.