
From risk to resilience: Disaster recovery planning for IT teams

Elevate your disaster recovery strategy and ensure business continuity.

60 min


In this webinar you’ll learn about:

Atera's CISO & DPO Oren Elimelech and Markus Bauer, senior technology evangelist EMEA at Acronis, delve into vulnerabilities, planning, and recovery strategies in today’s cyber landscape, offering guidance based on years of expertise, including:

  • The primary risks for IT infrastructure today, from natural disasters to cyber-attacks and human error.

  • How to create comprehensive backup and disaster recovery plans.

  • Incident response planning.

Featured next-gen speakers:

Markus Bauer
Oren Elimelech


Webinar transcript

 

Muna: Hello everyone, good morning, good afternoon, or good evening from wherever you’re joining us around the world. Thank you for joining us today and welcome to our webinar, “From Risk to Resilience: Disaster Recovery Planning for IT Teams.” My name is Muna Assi, and I head the product marketing team here at Atera.

I’m excited to be moderating this session today. I’m going to be joined by two esteemed experts who will talk to us about their experience with data and disaster recovery. But just before we get started, if you still haven’t grabbed your coffee or your water, this is the time to do it. We’ll give attendees two more minutes to join us, and then we will kick this off. So, two minutes while we wait for additional attendees to join. Let’s do our standard Atera ritual: please feel free to share with us in the chat where you’re joining us from this morning or this afternoon. Hello, we’ve got people from Canada today. Welcome, thank you for joining. Wonderful. Okay, welcome from LA, Virginia, Munich. Hi Markus, thank you for joining us and sharing. Wonderful, so we’ll just get started in a minute. We’ve got people here from a very much US audience this morning. Very exciting. Thank you all for joining. Wonderful, okay, so I think that we can get started. Again, thanks everyone, and thank you for checking out the chat. This is your opportunity and place to share with us any questions or comments that you want to put forward to our speakers.

As I said, today we’re going to be talking with two esteemed experts about risk to resilience: disaster recovery planning for IT teams. In this discussion, our speakers will elaborate on what they’re seeing as the primary risks for IT infrastructures today, how to go about designing a comprehensive backup and disaster recovery plan, and then hopefully you won’t need it, but how to approach an incident response. So, without further ado, I’m very excited to introduce our speakers. Gentlemen, welcome, feel free to get on camera. 

Oren: Hi. 

Muna: Hi Oren. 

Oren: Hello, how are you? 

Muna: Great, thank you for joining us today. Oren, please go ahead and introduce yourself. Tell us a little bit about what you do. 

Oren: Thank you, Muna. First of all, thank you everyone. It’s my privilege and honor to take part in this amazing session with such cool members with me. Hi Markus, glad to have you here. I am the current CISO and DPO at Atera. I have a very long background in cybersecurity. I was an adviser for the Israeli National Cyber Security Authority, responsible for eight years for critical infrastructure in the Ministry of Transportation. I’ve been teaching cybersecurity in Israel at the Technion Institute for over 21 years. I’ve trained about 1,500-1,600 CISOs worldwide. I’m a CISSP, CISM, and hold another 20 other acronyms, but mostly I love security. I’ve been working in forensics and incident response on the government level for over 10 years, and I am highly, highly an advocate for research and working on protecting yourself against cyber threats. As someone who started in the old ages of CP/M, DOS, VAX, and Mainframe, I’ve seen this field grow immensely, and it only gets better. I think it’s the only profession in the world that you wake up and every day there’s something new, and you learn something. So again, it’s my honor, and I want to share with you as much as I can. Thank you.

Muna: Oren, thank you very much. We’re really looking forward to hearing your expertise and bringing from what you have seen also against other industries into our topic for today. So thank you for that. Markus, welcome, thank you for joining us today. Please go ahead, introduce yourself, tell us a little bit about yourself and your background. 

Markus: Sure, sure. So first of all, thanks for joining, and thanks Atera for having me here. It’s really a pleasure to do this session together with a person like Oren. I was impressed about your intro, wow. I cannot give the same, unfortunately. Maybe I’m a bit younger, no, just kidding. I’m also old. When you talked about BASIC and VAX and stuff like this, I remember my first virus I produced—shame on me—was in Turbo Pascal, so a long time ago. In the meantime, I’m eight years at Acronis as a Senior Evangelist in the EMEA region. I’m the speaker for Acronis and tell the story about cybersecurity and how important it is to be protected and to be prepared. The good thing about this session is it’s a topic which is often not seen as necessary. Unfortunately, everybody’s talking about backup, last line of defense, but in my eyes, it’s more about disaster recovery and even disaster recovery together with security. This makes the story round, and yeah, happy to talk about this important topic. As said, often people don’t see the necessity of it and totally forget about disaster recovery. Then if things happen—and trust me, they will happen—then they are in deep trouble. I have an example here in Germany which happened recently.

Muna: Welcome Markus, and we’re really looking forward to hearing about that example and any insights that our audience can get today in order to prepare themselves and hopefully not have to go through any of those disaster recovery scenarios.

Before we dig into the topic, just briefly some housekeeping, reminding the audience this webinar is being recorded and will be made available to you to share with your team within the next 24 hours. I do invite you throughout the webinar to feel free to post any questions or comments for our speakers. We will be addressing them at the end of the session in an open Q&A discussion. And then right at the end of the webinar, we will be launching a brief survey. It helps us improve, it helps us bring the topics of interest, and it also helps us ensure that we are delivering the right level of content for our speakers. So please take the time to respond to the one-minute survey. 

Again, as we talked about our agenda, I want to quickly dive straight into the topic because it’s very exciting. We’re here to talk about risks and challenges, and I want to start with you, Oren. As a CISO at Atera, but with various different hats also that you play within other roles that you’ve just mentioned earlier, what are you seeing in the industry as some of those primary risks for IT infrastructure today? 

Oren: Thank you. There are many risks today that an IT administrator faces or an organization faces. The risks are mostly first of all in business continuity, which means it doesn’t matter where you’re from, where you’re located, or what type of business you have. Today, we are mostly dependent on IT infrastructure. Whether I can be a bookstore, sell flowers, do something online, a startup, a big company, a food chain—it doesn’t matter. We’re reliant on our IT. The first risk is business continuity. If the IT goes down, the business goes down. This is a direct operational risk to the business, and this is something that today sits at the top level for both senior management and board of directors to continue business operations. That’s number one. The second one is data leakage and damaging the data. We talked about availability first, so the second one refers to the integrity of the data and the confidentiality of the data. If somebody goes into our infrastructure and damages it, they can not only stop the business, they can also alter the data. In the end, even money is data—it’s numbers, it’s files, it’s just equivalent data. They can damage that, and second, it can be leaked or exfiltrated from the organization. These are the most top risks that I think are today’s primary risks for IT infrastructure. 

Muna: Thank you, Oren. Markus, again with your hat as an evangelist, a research specialist, and also from what you’re hearing from your clients through Acronis, what are you seeing as the primary risks for IT infrastructures today? 

Markus: I will be the rude boy now because I’m saying humans. The biggest risk for our IT is us. The issue is always in front of the PC. But Oren makes a really important point, and we all depend on IT nowadays. It’s not a matter of your business. There is a recent attack which happened last year to a pub, and normally I would say a pub and IT are two things I would never consider together. But hey, they are also using IT, and they were hit by ransomware. The pub was closed down, and they asked for ransom and blah blah blah. It can hit everybody. I have a colleague in Italy who always says ransomware is not discriminating, and this is the fact. Long story short, all of this leads to business continuity. We need to keep our systems up and running, and this is topic number one. I would bring this really on CEO level. This is a CEO topic, not just an IT topic. The other point Oren raised with data leaks—I know it from myself and maybe you as well. When you open your browser, you have your passwords normally stored in the browser. My browser is always warning me, “Hey, you have 150 compromised passwords, please change them.” Did I change them so far? No. Will I change them today? No. But yeah, that’s the risk. To be honest, a password in the dark web is around $150 up to $10 for a password. Normally, hackers don’t hack anymore; they log into the system, and this is really the risk. We need to be aware that it’s not this kind of guy we always see in the movies—the hoodie guy you see from the back, the energy drink on the desk, and a black screen with weird crypto stuff on the display. It’s not the case. This is a big business, and this makes it so risky.

Muna: Thank you, Markus. I absolutely agree. From our perspective and from what you’re seeing, with those specific challenges, is there anything unique or different if we look at MSPs versus internal corporate IT departments? 

Markus: For sure, it is. Unfortunately for the MSP, it’s even harder; it’s a bigger challenge. As an internal IT, I’m only in charge of my IT, so decisions may be faster, maybe easier, depending on the budget as always. But as an MSP, I’m in charge of many customers, and sometimes even systems get hijacked. Deployment models get hijacked, so cybercriminals can use my own tools to infect my customers, which means reputation-wise, if something happens—even if I’m not really the cause—it can be seen as that I missed something. At the end, customers talk to each other and say, “Hey, this MSP failed on my system, we got ransomware, we were not protected.” Then he’s telling his friend at a conference, and he says, “Hey, I’m using the same MSP, so let’s cancel and move on.” For them, there’s even a higher risk, not only on IT-wise but also on reputation. For sure, they need to do more because they need to look and monitor all their customers, which means normally this is really a 24/7 job. As a global partner, maybe you have different time zones you need to deal with, so you need to be aware, you need to have a good team, and you need to have a fast team. In all these kinds of attacks, whatever it is, time matters. This is a big topic. So yeah, again, the risk for MSPs is way higher, but not for themselves—it’s more about their reputation if their customer faces something. They need to do even more than the internal IT, not saying that they are easy to handle or just install something and you’re good to go. People often think, “I install something.” I heard just last week at a conference, somebody told me this funny story: “Hey, now we have a solution using AI, so we are safe, we don’t need to do anything else anymore.” Really? Okay, I wouldn’t trust AI, to be honest.

Muna: I would say we wouldn’t trust AI to do all of the solutions, but definitely one of the elements and the values that AI is bringing into this domain is itself a topic that I’d love to run with you, and I know Acronis is also investing in that space. Is there anything you’d like to add to this, Oren, in terms of the challenges that you’re seeing unique to MSPs? 

Oren: Yes, I totally agree with Markus, but I’ll put more emphasis on this. We are relying upon MSPs and we’re giving them almost full access, unlimited. Hence, they are becoming a major threat to us due to supply chain, and we’ve seen what happened in supply chain. We need to validate, and we mostly don’t validate that. So if I’m an internal IT, I need to protect and educate my employees against phishing, which might damage my organization. But if an MSP has access to my platforms, my IT, or anything else, and if his employees fall victim to a phishing attack, that can damage all his customers. All his customers depend on him as a supply chain. This emphasizes even more the common threats for MSPs. For example, adversaries are targeting MSPs because they are high-value targets. Once they get access, they can multiply their impact hundreds or thousands of times. We’ve seen this happening in many incidents over the last two to three years. So yes, the supply chain and the human element that Markus mentioned earlier are even stronger here. The MSP needs to educate against phishing, social engineering, and insider threats, and be more vigilant about protecting its own infrastructure because of its responsibility. If something happens to the MSP and there’s an open door, it can damage its own customers, leading to a cascading effect. So definitely, Markus is on the money, and this is very important. In any supply chain where we’re relying on an MSP, we need to validate their security, their compliance, and also check how their security measures up. I think this is the best approach. 

Muna: Wonderful, thank you Oren. And I think Markus, you had hoped to elaborate a little better around considering the expected and the unexpected. What are we talking about? 

Markus: Yeah, that’s the old story in IT. You always need to consider the unexpected. This is the point when it comes to cybersecurity, backup, and disaster recovery. You always need to be prepared for the unexpected, which is the hardest part because you cannot anticipate what’s going to happen. Therefore, and I think we will talk later a bit more about testing, for example, always testing. People rely on technologies like ours for backup and disaster recovery, but they never test what happens in a real case, if it’s working. Nowadays, we saw it in the COVID situation. People moved to home offices immediately. They had their own devices, own firewalls—mostly no firewalls at home, just a router from their provider or whatever. The new world gets more complicated. Remote workers, you don’t know what devices they are using, is it protected, is there network protection, what applications are on these systems. If it’s a personal device, bring your own device, maybe this guy has a weird game or whatever, and this game has a tracker and creates a connection somewhere to the web and infiltrates his private system. Then he connects to the VPN to the company, and suddenly the system is infected from his private PC. These things are happening and this is what I mean by the unexpected. Think about it—it’s a weird phrase, I don’t like it really, but in this case, maybe it fits—think out of the box. Don’t think about your traditional IT like it is. You need to deal with way more unplanned and unexpected things. Oren said it, and it’s also here a point: communication and training. The more you communicate openly with your colleagues and customers as an MSP, the more you train them, the easier it is at the end. If you communicate openly with customers, say, “Hey, there could be something,” and inform them in time. Even if something happens, I’m a big fan of informing them rather than letting them hear it from the press. 
Recently, I used a solution, and from the press, I heard that they had a data leakage, and my password was leaked. I didn’t hear it from the company. So be open in communication in any direction. Also, what I see often with partners, MSPs, is to really talk with your customers openly—not to create fears but to talk openly about what could happen, what is the worst case. 

Say, “Okay, if we do only this, dear customer, then this might happen,” and set up a plan, a multi-step plan. We can protect you here, here, here, and the level goes up. SLAs go up, and at the end, you have the perfect protection for your business. As Oren said in the beginning, it’s all about keeping the business up and running, keeping the machines up and running because this is how we earn money. 

Muna: Wonderful, so let’s move on from this topic. Oren, back to you. Developing a comprehensive backup strategy—where do we start? 

Oren: Thank you. It all begins with understanding what is important to the business. In the many years that I’ve been in this area of IT, cybersecurity, information security, privacy, resiliency, I’ve found that almost all organizations are not prepared because they do not understand what is really important to the business. The IT looks at the information through IT eyes, but you need to look through the business eyes. This is highly important because, as Markus said, you need to be prepared for the unexpected. But what is important to the business makes it more focused on what is really important. Every business has a strategy, targets, goals, and objectives. Whether I’m an insurance company, a bank, or a startup, I have business processes. For example, paying salaries, tracking money, receiving funds—anything. Whatever business processes they are relying on, the IT that we’ve mentioned, whether that’s an ERP, a CRM, any platform, it all boils down to a business process that is important to the business and relies on IT. So, you need to start by understanding what are the most critical business processes. I’m going to give an example. In a bank, or I’ve been a CISO for two Fortune 500 companies in the US, there are dozens of business processes. You need to do what is called a BIA—Business Impact Analysis. This means that an incident has happened, a crisis has occurred. For example, you disconnected the power outlet from the storage, from the Active Directory, from the Exchange, from the ERP, from the web service, from the SQL—doesn’t matter. Now, what is broken? Once you understand the impact, now what are you going to do? You need to check, for example, let’s take one business process: receiving money, money tracking, budget to cash. This is more important when you need to pay. After you have all the liquidity, it doesn’t matter if you have 20 plus days, so there’s more stress time. 

But this depends on storage, switches, a certain ERP platform, a certain vendor, and a certain data center. Once you map all that, you understand what is at risk. Then you check what is your capability to recover. Do I have high availability? Do I have fault tolerance? Do I have another site? Do I have only a backup? Does it take 14 hours to restore, or three days? Because sometimes you have a five terabyte storage that you need to restore, and that can take days. Then you see with the right business manager that is responsible for that platform, the finance, the HR, for example, this order to cash or this money, you understand what is his recommendation that he can live with. He can stay down for one day, two days, a week, three hours. Then you match that number from the business perspective because he has zero understanding of IT, and what you actually have. The gap between the current state and the desired state is the plan, and this is the gap that you need to mitigate. So, I think the most important part is to understand exactly what the critical business processes are. I’m going to give you my two cents on this. Throughout my 20 plus years of experience, what I’ve seen is that in all organizations, and I’ve worked on incidents that had 11,000 servers in 24 data centers globally, and I’ve worked on companies as small as 50 servers. So, 20% of most businesses’ IT platforms are responsible for over 80% of the income of the business itself. The operational is 20 to 80. You need to find out what is the top 20%, sometimes even 10%, that are responsible for the 80 or plus even 90% of the income. Once you know that, that is what is most important for senior management, the board of directors, and the company, and this is what you need to protect first.

Muna: Thank you, Oren. I think that is great homework for everybody to go back and really map out those important processes. Markus, it’s happened. Disaster recovery strategies—what are we talking about?

Markus: Yeah, Oren made a really good point about the BIA, the Business Impact Analysis, and it’s also part of a strategy I would suggest. First of all, and this is part of this analysis, you need to evaluate your risk. This depends on your mission-critical systems. Oren named the bank money transfer—this is mission-critical because this is the main purpose of the bank. So, this is my first number one top risk. But there are also other subsystems that also need to be evaluated. What I love is people saying, “Okay, the email server is down, but we can still call our customers.” And I say, “Okay, but your voice over IP system—is it not on a server? Is it not IP-based? What if this is down?” “Ah, yeah, okay, then we cannot call.” “Okay, we cannot write per email.” So, you need to really go through your systems and evaluate the risk for every system and, as Oren said, how important they are. From there, you have to identify the critical assets. Then, because we talk about disaster recovery, the next step is backup. Backup here in this context does not just mean backup. This is about the importance of the system. The most important system needs to have more frequent backups than maybe the workstation of the worker at the end. Also, this needs to be considered. Often, when it comes to backup, people have an easy strategy, saying, “Okay, let’s do a backup once a day.” But sometimes it’s not enough. 

I call it RTO—Recovery Time Objective. How long does it take to bring back a system, and how much data loss is within this recovery? The data loss is always from the incident back to the last backup. If it’s 24 hours because I do a daily backup, then I’m losing 24 hours. You can imagine if we come back to a bank or broker, 24 hours is massive in terms of money. Therefore, maybe you need to do twice a day a backup. I know customers with really important systems that do hourly or even 30-minute backups to have this gap as small as possible. Then you need to test your backups. Without testing, backup is useless because you can back up for years, and then if something happens, you cannot recover because the backup is broken, because nobody really tested it. Even worse, I know a case from an IT company where they just didn’t know how to recover because they never did it. They created a backup and then left it at that. Testing it is crucial. From there, you need to optimize. What most people are not getting or maybe doing wrong is they create a strategy, a plan, and leave it as it is. But no, it’s an ongoing process. Your business processes change, so the whole IT needs to change. You need to always optimize. Maybe today’s important system is not that important tomorrow because your business changed. So, you need to optimize this strategy as well. At the end, because business continuity is always in circles, we need to keep an eye on it because this is the pure money of the company at the end.

Muna: Thank you for that, Markus. Oren, back to you. How important are risk assessments and business impact analysis? 

Oren: Thank you, Muna. As we’ve just mentioned, and Markus put it in a perfect context, the business impact analysis is very, very important because it actually enables IT and security to reaffirm the importance of business processes and critical platforms. The risk assessment is highly critical to understand what can threaten, damage, and cause impact to those key business processes and dependencies on IT platforms that are at risk. IT needs to work with the business to conduct the business impact analysis and risk assessment. The business impact analysis considers only the impact; it doesn’t take into consideration the probability. The risk assessment actually goes into understanding the probability and what can happen due to a certain process, threat, or something that can go wrong—a specific threat damaging that key business process, whether that’s malware, ransomware, phishing, missing updates, missing patching, bad access control, outdated components, etc. The risk assessment can identify those key impacts, and this is highly important to do. 

Muna: Thank you for that. Moving on here, Markus, let’s get to the tools. We’ve talked about the strategy, the need, and how to go about it, but there are tools out there to help, specifically with backup and disaster recovery. Can you recommend some specific tools and resources, and obviously talk from your specific space within Acronis? 

Markus: Yeah, I can. It’s not a really fair question because, for sure, I recommend the Acronis solutions. But in general, what I often discuss is that people try to do something by themselves to save costs, but disaster recovery inside my own organization makes no sense. The purpose of disaster recovery is to have a second site. Therefore, I need a tool that brings the data from A to B, and B needs to be in another location—at least across the street, but ideally in another city or even cross-country. With a normal tool for replication, it’s not doable. On the other hand, if you talk about disaster recovery, the main purpose is to have a quick failover because we want to maintain business continuity—the downtime should be minimal. With self-made tools, it’s just not doable to make an easy switch over to a second site. Traditional disaster recovery means creating a second data center from scratch, doubling the hardware, software, and maintenance, which is absolutely expensive. The management overhead is dramatic, and it’s not easy to set up. In my eyes, the only tool that makes sense is a cloud solution. The cloud is perfect for disaster recovery. At Acronis, we rely on our own backups, which means we don’t replicate the data; we use a backup for disaster recovery. In case of a disaster, we take a backup file, mount it, and start it up as a virtual machine in our data center. This way, I don’t need to double my hardware, software, or replicate the data somewhere. As long as there are backups, we can use them for disaster recovery. Our data center is not in the customer’s data center, so we have this offsite capability. If the data center is down, you can start it at another location. This is the main purpose of disaster recovery, and we call it “turnkey” because it is turnkey. If you use our solution out of the Atera platform, you will see it’s mostly one click to activate disaster recovery because we don’t need anything else. 
If we have backups, we can use them for disaster recovery, and this makes the system really easy. Traditional disaster recovery is pretty complex, and the maintenance overhead is massive. It’s not feasible for small customers, so you need an easy solution. Cloud solutions and virtual machines make this possible, allowing you to have your workload ready.

Muna: Perfect. I see some questions coming in about the “better together” of Atera and Acronis and how together, as a solution, we’re helping MSPs reduce risk. But a question for you, Oren, on a slightly different note: Being the CISO of Atera, there are questions here about Atera as a solution. How do we reassure clients that Atera is protected? 

Oren: Thank you, that’s a great question. For everyone considering Atera, current customers and future ones, Atera has a Trust Center. You can go to the Trust Center and see that Atera places a strong emphasis on its security and cybersecurity—hence my role in the last three years. Atera has several accreditations and certifications for security, including NIST, HIPAA, ISO 27001, ISO 27701, ISO 22301, and SOC 2 Type II by a third-party independent auditor. These certifications reaffirm and validate our own security. On top of that, Atera has numerous security tools protecting both its production environment and its development and product environments. We have security teams, our own SOC team, and different teams monitoring for production and corporate IT. Atera places the utmost importance on security, from the simplest employee to top-tier management. This importance extends to processes, development, product, and everything else. There is a continuous process to improve security and take it to the next step every quarter. We validate this not only by compliance but also through penetration testing, vulnerability scanning, and bug bounties. We ensure that we are constantly improving our security practices. 

Muna: Thank you, Oren. I can affirm as an employee of Atera that we get tested quite often. As Markus said, we are the entry point to most of these potential risks. So thank you for that, Oren, and also I’ll just say you’re part of the human firewall that we’re having at Atera. Thankfully, we have all the checks and balances in place, and we pride ourselves on transparency and keeping our clients informed of any and every state within the product and notifications we put out. 

Moving on here, Markus, you did mention briefly about Acronis, but how can we train for these multiple disaster scenarios? Is it even an option? 

Markus: Good point, and I saw something similar in the Q&A already. Sometimes IT people are lazy and they don’t test. Either you force them to, which makes no sense, or you build it into a tool, and we did it. We can set up automatic testing for disaster recovery, which means the system takes the backup, starts up the disaster recovery server, checks if the server is running, and even takes a screenshot of the running machine and stores it in the log. This provides proof that everything is working. Another thing I really encourage every MSP and customer to do is a hard test. For example, having one machine that is not business-critical, maybe just a test server, and then do the hard test—unplug the power and start up the disaster recovery machine to see what happens. Can you reach it? Is it working? The good thing about this is you are prepared because, trust me, in a stress situation where you face a real disaster, you forget about everything. Adrenaline is in your head, you’re shaking, you’re stressed, and you don’t know what to do. Therefore, you need to train and test regularly. If you repeat things and train regularly, you are prepared. You can wake me up in the night, and I know to click this button to invoke disaster recovery and start up the machines. If you never did it and then face a disaster, then you’re in deep trouble because you don’t know what to click. 

Muna: I don’t know, Oren, if you want to add to that or if it’s pretty straightforward.

Oren: We’re good, thank you. 

Muna: I will go back to a product question, Markus. I see that we’re getting closer to the hour. Back to Acronis backup for Office—is the backup done per endpoint or is it per gigabyte? A little product question here.

Markus: It depends on customers like Atera and how you bring it to the market, but I know from you guys, you can do it both. Normally, what people do is per seat, which makes sense. You license the seats you want to protect. Let’s say I’m a company with 100 seats, and I need to protect 80 of them. Then you license 80, do a backup of those 80, and you pay for those 80. It’s pretty straightforward and easy. 

Muna: Perfect. So within Atera, we offer both options. You can do it per seat or per gigabyte of storage that you’re protecting, and both of those can be subscribed to within the product. Let’s talk a little bit about where scalability factors into your planning. Oren, maybe you want to talk a little bit about that again. 

Oren: Sure. When you’re talking about scalability, you need to consider three aspects from my perspective, based on my own experience. First, if you understand the entire data encompassing what you need to back up, you need to also think about how many backups you want to keep. Markus mentioned that earlier. Do you want to back up every week, day, six hours, or every hour, or every 30 minutes? This has an impact when you’re talking about scalability. If you’re going for the cloud, how does the backup target compress and store the data? In terms of scalability, you also need to consider how long you’re going to keep that backup. If I’m keeping a backup every 30 minutes, one hour, a day, six hours, or a week, am I going to keep that for half a year, a year, three years, seven years? Do I have any regulatory compliance that I’m adhering to? Additionally, you need to check scalability not only for the backup but also for the recovery. How long is it going to take me to restore that entire backup? Can I restore everything, or just a part? Do I need everything? For everything I’ve mentioned, you need to test it. You don’t want to reach D-Day and find out that it doesn’t work correctly.

You need to verify and test its operational capabilities and also your familiarity with the solution. When there is an incident or a disaster, time is of the essence. If I know the solution well, know where to go, and have done this before, I will take much less time and be less prone to mistakes. Humans tend to make mistakes when they’re under stress. So, I have the capability to test that out, not when my organization is in the most stressful and worst time having a disaster. I want to prepare for that in advance and check that out before there’s an incident. Then I can check my backup program and disaster recovery capability plan to ensure it adheres to everything I’ve thought it would in terms of time constraints, capabilities, operation, and having the right data available to me. 

Muna: Great. I want to fast forward, Markus, to you with a question about cloud or on-premises solutions. What are some of the deciding factors, and then tell us a little bit about Acronis and how and where you store the data? 

Markus: Yeah, it’s already written that the answer is to select the right solution for you. Customers need to decide. For me, cloud-first is especially important in disaster recovery. Why? Because I don’t need the extra infrastructure, and it needs to be always offsite. By the way, backups should also be offsite. Our strategy, which is not founded by Acronis, is always the 3-2-1 rule, which means keeping three data copies, two locations, and one location offsite. In this case, you see it’s somehow hybrid, and this is what we see. Also, coming to the point before, it fits again with scalability and selecting the right solution—cloud or on-premises. It’s all about flexibility. What I expect from a system like Acronis is high flexibility, which means my business is changing, my systems are changing. Maybe I worked with an on-premises server, and now I moved into Azure. The system needs to give me the same flexibility in safeguarding this system from a backup perspective and a disaster recovery perspective. Therefore, we support everything. You see it on the screen what we support on backups. There was a question in the Q&A about moving a backup to Azure. For sure, we can take a backup from a physical machine or virtual machine on Hyper-V, whatever it is, and restore it on Azure. But this is not a real disaster recovery, by the way, because you miss the automatic failover and failback. But we can do things like this. If someone prefers to have Azure in the backend, why not? We have our own data center, but this is not the holy grail. If you want to have something in the backend that is not Acronis, go for it. This is the flexibility I mean. We give you a kind of vehicle in regards to data protection, and where you drive is up to you—the MSP or customer. Mostly, you end up with a hybrid scenario. You cannot say 100% cloud or 100% on-premises. It’s always a mixture of everything, and this flexibility needs to be projected to your tool. 
I think we have it with our solution, which is highly flexible. 

Muna: I can testify to you being a great solution, and Atera is having this session because it believes in Acronis. From my own personal experience, I have the utmost respect for Acronis. 

Markus: Thanks a lot. This is always good to hear.

Muna: Thank you, Oren. I think there’s a question here about what is the relationship between Atera and Acronis. We are also a user of Acronis as a company for our product. We are also a reseller of Acronis within our platform with tight integration. If you’re an MSP or a corporate IT that wants to deploy to different machines, you can do that mass deployment through Atera. You can also see any alerts through the Atera dashboard. On top of that, you’re purchasing it through the Atera platform. For more details, we invite you to reach out, and we’d be happy to explain. 

I want to fast forward. I know we’re almost out of time. I want to talk about incident response. That is part of our topic. How do we develop an incident response plan? Maybe we’ll start with you, Oren, and then move to Markus from there.

Oren: Thank you. Cybersecurity incident response is not a question of if it’s going to happen; it’s going to happen sooner or later. The question is, are you prepared or not? Backup and disaster recovery are part of the plan, and second, how hard it’s going to hit you. The backup and disaster recovery planning is part of preparing for that imminent D-Day. On the screen, some of the steps are displayed that are important to prepare, but again, this is just a recommendation. First of all, as I mentioned earlier and Markus also did, you need to understand what can happen. If you map all the critical processes, you protect those first. Second, you’re getting approval. You need to understand the priorities of what’s happening in the organization. If something is happening, it’s going to happen. Sometimes you break it up into what you can handle immediately—you have the right resources, people, skill set, tools, and things that you put later on that you’re going to deal with after you have the resources and the people. Then the last thing is what you’re not going to handle now. It’s very important to have proper ways of communication between various people, between you and customers, having a proper cadence to update your customers, having a proper communication channel between you and IT, and between you and management. Usually, in a cybersecurity incident response plan, you have two rooms. One room is for senior management, which includes negotiation, legal, compliance, audit, and all the right business processes. The other room is a technical round table involving IT, security, monitoring, SOC, technical teams, backup, and resiliency. These two rooms communicate with each other. For example, when talking about communication, having a different line of communication not on the Slack channel, not on the email, having a backup communication channel could be a different platform—Telegram, WhatsApp, Signal—anything that is outside of your internal channels. 
If someone is inside your organization listening to the traffic on your internal email or anything, you need a covert channel. You also need to understand if there’s an incident, who do you escalate it to? For example, if there’s something that requires closing the internet, that’s not a decision for the CISO; that’s a decision for senior management because there’s an operational impact here. You need certain playbooks prepared, and there are many lists on the internet. You can find playbooks on GitLab, GitHub, etc., on preparing for phishing attacks, malware attacks, ransomware attacks, data exfiltration, anything. I would recommend reading NIST (National Institute of Standards and Technology) 861 R2 and R3. R3 was recently released as a draft; R2 has been around since 2012. This is the incident response playbook that is the best I’ve ever read, and it gives you the entire inside information. Once you understand and are prepared with the right playbooks, you need to test them out. Backup and recovery and disaster planning are very important, but I would take it a step further by having a tabletop exercise for the management table and the technology part, ensuring people know what to do, what the key steps are, how to approach communication inside first, then outside to the public, testing the capabilities of the backup, making sure it’s adequate. Then you know you are prepared for D-Day, more prepared for battle. Like we say in Israel, when it’s hard in training, it’s easier in real life, and we are very adequate in doing so. This is my two cents, and I hope that just by taking part in this session, you are more prepared for the next incident that you might encounter. 

Muna: Absolutely. Thank you for those insights and detailed explanation, Oren. I know we’re just at the top of the hour, and we’ve had a lot of questions which we promised to address and get back to you via email. Markus, any final words on your end? 

Markus: I just want to add something here. It was perfectly explained by Oren. One piece of advice: when you have your plan ready, print it on paper and put it somewhere. I had a case here in Germany—a big company got encrypted by ransomware, and the rescue plan was also encrypted. They didn’t know what to do. So print it out, maybe have two copies—one at home as the IT leader or whatever, and one in the office. 

Muna: All right, Markus. Perfect. Any final words on your end, Oren? Last piece of advice? 

Oren: Just stay safe. That’s all. 

Muna: Wonderful. Stay secure. Gentlemen, thank you so much for sharing your insights and your knowledge. As you said, I hope from this session everybody goes away with a little more knowledge about how to keep your company and clients secure. I invite you to stay in touch, look at our website—we keep doing these webinars. Let us know what else you’d like us to discuss, and we will bring the experts to the table to share the insights. A final comment: please, as we end the session, fill in the survey. It helps us improve and bring those topics of relevance. Thanks again, everyone, for joining. This session is being recorded and will be sent out. Have a great rest of the week, and thanks again. 

Markus: Thank you. 

Oren: Thank you.

Muna: Bye. 

Markus: Bye.