One early morning in August 2015, on my birthday, I decided to give myself the gift of backing up everything I needed to survive the complete loss or hijacking of my digital life. Given four decades of "don't forget your scarf", and "do you have enough money for a cab?" and "may I confirm your AV is operational and up to date?", it seemed like a perfect day to focus all my attention on me. "Do you have a backup for all of your data?"
It's a tradition. I'm my own best mother each year, on my birthday.
Usually, my birthday choice is something more punitive than data, like giving up cigarettes or electing to take the stairs and stop asking people to hand me things. This year, taking my own security medicine was overdue.
I discovered 479,338 items on the root of C, and that was just my home PC. With work laptop, phones, tablets, thumb drives and a full PC graveyard, who could really say how much or how far and wide I'd have to search for all of my data?
And then, there was the duplication and commingling.
I really didn't want to pick through it.
But it was my birthday, my annual stop and take care of me day.
You may be thinking this is going to be a morality story about preparing for a ransomware attack, but you'd be wrong.
Not long after fixing my own Carbonite backup process, deleting a few terabytes of unnecessary information that I likely shouldn't have copied in the first place, and organizing records that were long overdue for proper classification and storage, it became time again to do my job, to guide a client through annual controls.
I contacted all of the management and affirmed the commitment to our business recovery objectives. I notified managers that their team was likely not backing up their local directories. The approach was a simple report to compare the number of files in backup per headcount to a reasonable approximation of what those employees probably should be sending offsite for emergency recovery.
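The "files in backup per headcount" report described above, as an added example that is not part of the original post and not the client's actual tooling. It assumes a backup server can export a per-user inventory (here a constructed CSV of `user,team,files_backed_up`), an HR headcount per team, and a rough baseline of files an employee keeps locally; all three values are constructed for illustration. It also goes one step beyond the aggregate comparison: a team's total can look healthy while several of its people have never enrolled, so the report flags unenrolled heads as well as low ratios.

```python
from collections import defaultdict

# Constructed sample inventory (not real data): one line per enrolled user,
# as a backup server's client report might export it: user,team,files_backed_up
BACKUP_INVENTORY = """\
alice,finance,18250
bob,finance,0
carol,finance,9400
dave,engineering,42000
erin,engineering,120
frank,engineering,0
grace,legal,7600
"""

# Constructed headcount per team from HR (assumption: every employee should appear).
HEADCOUNT = {"finance": 3, "engineering": 4, "legal": 1}

# Assumed baseline: rough number of files a typical employee keeps on a local drive.
EXPECTED_FILES_PER_HEAD = 8000
# Assumed threshold: a team below this fraction of its expected file count is reported.
MIN_COVERAGE_RATIO = 0.75


def parse_inventory(text):
    """Parse the CSV export into (user, team, files_backed_up) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, team, count = line.split(",")
        rows.append((user.strip(), team.strip(), int(count)))
    return rows


def team_coverage(rows, headcount, expected_per_head=EXPECTED_FILES_PER_HEAD):
    """Compare each team's backed-up file count against headcount * baseline,
    and count how many heads have nothing in backup at all."""
    files = defaultdict(int)
    enrolled = defaultdict(set)
    for user, team, count in rows:
        files[team] += count
        if count > 0:  # a zero-file client is enrolled in name only
            enrolled[team].add(user)

    report = {}
    for team, heads in headcount.items():
        expected = heads * expected_per_head
        report[team] = {
            "files_backed_up": files[team],
            "expected": expected,
            "ratio": round(files[team] / expected, 2) if expected else 0.0,
            "enrolled": len(enrolled[team]),
            "headcount": heads,
            # heads with no files in backup, including people absent from the export
            "missing": heads - len(enrolled[team]),
        }
    return report


def teams_below_threshold(report, min_ratio=MIN_COVERAGE_RATIO):
    """Teams to raise with management: low aggregate ratio OR any unenrolled heads."""
    return sorted(
        team for team, r in report.items()
        if r["ratio"] < min_ratio or r["missing"] > 0
    )


if __name__ == "__main__":
    report = team_coverage(parse_inventory(BACKUP_INVENTORY), HEADCOUNT)
    for team, r in sorted(report.items()):
        print(f"{team:12s} files={r['files_backed_up']:>6d} expected={r['expected']:>6d} "
              f"ratio={r['ratio']:.2f} enrolled={r['enrolled']}/{r['headcount']}")
    print("needs follow-up:", teams_below_threshold(report))
```

In the constructed data, engineering's aggregate ratio is above 1.0 because one person backs up a great deal, yet two of its four heads have nothing offsite; the per-head check is what surfaces that, and it is the number a manager can act on.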
I was reasonable the first four times I sent reports and suggestions. As I became more aware of what some people had at stake, I may have gotten a little aggressive in my approach.
A number of people were extremely offended when I pointed out to their management that they were probably not backing up their data and in the event of a cyber attack, malware, theft or damage, this employee would likely lose information that was necessary to maintaining their job function. Simply, we think it's all in the cloud, but in reality, a lot of stuff is still stored on our local drive.
People felt like they were being targeted. Managers felt the information was not important.
Do I feel sorry for the effort to bring awareness to the company?
I am not sorry.
Do I wish I'd used other means to communicate my concerns?
Focusing on mechanisms to increase adoption and validation of external backup was a good thing. Imagining that this is how management saw the problem of individual backups was not.
Even though a lot of us are talking about how the current cyber threat is vindication over what we've all been saying for the last ten years, it's really a wake-up call to our own efforts. We need to be better communicators, promote the use of the right automation, reduce the complexity of too much data and wrongly classified data, and remember to take our own medicine first.
Now is a really good time for all of us to empathize with the difficulty of recovering from ransomware, to show good practices and help with the cleanup. We need to be accountable for how we communicated risk and what prevented adoption. We also need to measure impact and honestly assess the damage.
When we are good leaders, people will naturally follow.