Cybersecurity Awareness Month—a time to raise awareness on a national level about the importance of cybersecurity—is wrapping up this week. So, I thought this would be an ideal time to underscore once more how modern data protection capabilities can help organizations be more resilient before, during, and after an attack—and how the right IT infrastructure can make them more and resilient, overall.

We explored these topics with several of our customers at our Pure//Accelerate® Digital conference. One customer was Martin Littman, chief technology and information security officer at Kelsey-Seybold Clinic. Littman helped build a world-class infrastructure for Kelsey-Seybold Clinic based on Pure Storage® FlashBlade® to ensure medical records and data are always available to the healthcare workers who support the patients of this large, multi-specialty clinic system serving the Houston area.

About six years ago, Kelsey-Seybold Clinic was hit with and recovered quickly from a ransomware attack that prompted the organization to reassess its security strategy and create an environment of immutable data snapshots and backups, which it developed in collaboration with Pure Storage. Following are a few highlights from the recent Q&A session I had with Littman, where we talked about the clinic system’s ransomware experience and the lessons that were learned:*

AS: As you think about ransomware and other threats that might affect your environment, how does a data protection strategy play into your overall plan?

ML: I jokingly say that we had ransomware before ransomware was cool. Fortunately, because of the data protection strategy we had at that time, we had snapshots and multiple copies of backups so employees could keep working while we responded. And thankfully, it was a slow-moving piece of malware and a small file share. About 44,000 files had been ransomed that we were able to cue up and restore. In the end, we recovered everything and walked away from the situation whole.

That event alerted us more to the threat of ransomware, though, and the need to be prepared to deal with it. As a result, we beefed up our data protection program, and we started to think about not just doing our backups to disk but creating multiple copies on multiple storage systems.

AS: How long did the cleanup process take?

ML: Frankly, because of all the backups we had, it literally took us a couple of hours. In the subsequent days, we continued to look for copies of the ransomware notes. Years later, we still occasionally come across some. As we’ve brought in new technologies, we’ve discovered that some of these notes weren’t cleaned up initially. But we haven’t had another ransomware event since that attack.”

AS: What do you view as the core components of your data protection toolkit now?

ML: We do multiple types of backups today, so that if we end up with a compromised account, the other systems are protected. But when we talk about the components of data protection, it’s not just about the technology for doing backups. Data protection requires a holistic approach. How do you protect your accounts? Do you have individuals with domain access rights? Do you use service accounts? How do you cycle those service accounts? Do you use privileged access management? Do you have privileged account management? Do you have two-factor authentication? When do you apply that?

AS: That makes perfect sense — you have to do the upfront prep and hygiene to make sure you’re ready for when an event occurs. It’s important to get visibility and control, decrease the surface area of the attack, and be able to adapt, respond and recover quickly.

ML: Exactly. And you should know what data you have and where and why you should protect it. If you have “golden jewels” that should be protected differently from “the pearls,” then you need to have protection at those multiple levels and not necessarily mix all your backups together.

In a holistic information security program, you also need to understand that the edge of the network today is a flexible, malleable edge to wherever your endpoints are. That’s super-critical.

AS: Do you think there’s anything an organization can truly do to protect itself from a malware infection or ransomware attack?

ML: We have really strong security, but we need to remember to stay vigilant. As strong as our program is, we constantly need to improve it. We do see malware getting into our environment sometimes because people do things that aren’t smart — like clicking on things they shouldn’t. So, you want to create, maintain and sustain a security-focused DNA in the organizational culture.

AS: Is there anything you wish you could have done differently before the ransomware attack?

ML: You can always look back and say, “If we’d only known this was going to happen, then we might have had this protection.” There hasn’t been much looking back that I regret. But I will throw this out: In the context of data protection, I think that any architecture you develop must take into account monitoring, recoverability and shared responsibility, so that you’re protected from both external and internal threats — as even trusted insiders can pose a risk.”


*Note: Quotes have been edited for readability and conciseness.