Enterprise Password Management

Almost 81% of hacking-related data breaches involve either a weak or stolen employee password. How an organization manages and protects credentials is critical to cybersecurity, which is why a growing number of companies are investing time and funds into enterprise password management.

This article is a complete guide to enterprise password management (EPM). We explain the basics of EPM, present go-to strategies and best practices, plus offer detailed reviews of the 12 best EPM tools currently available on the market.

Enterprise password management explained

Our guide to strong passwords explains how to create credentials that are easy to remember and impossible to crack. You can also use PNAP's Password Generator to create a unique password instantly.

What Is Enterprise Password Management (EPM)?

Enterprise Password Management (EPM) is a set of policies and tools organizations use to manage, protect, and control access to authentication credentials. EPM enables companies to:

Define, centrally manage, and enforce company-wide password policies.
Ensure employees use strong and unique passwords for every account.
Automate various password-related tasks (creation, sharing, resets, syncs, etc.).
Monitor and audit password usage across the organization.

The goal of EPM is to keep passwords safe without overly inconveniencing the workforce. An EPM tool must ensure security, but also provide a simple way to create, store, and access passwords.

The core feature of all EPM tools is so-called password vaulting. Each employee gets a personalized virtual "locker" for storing credentials. Users access the vault with a master key, which is the only password employees must remember. Once you log into the vault, the tool provides access to all other credentials.

Here's a list of other common features you should expect from an average EPM tool:

The ability to control and enforce password-related rules (e.g., complexity requirements and expiration periods).
Multi-factor authentication (MFA).
Synchronization of usernames and passwords across multiple devices.
Reports on how employees use passwords.
Auto-filling of forms.
Automatic credential resets.
Prevention of suspicious log-ins.

In addition to improving the security posture, enterprise password management also helps meet compliance requirements. Many industry and regulatory standards (PCI-DSS, HIPAA, GDPR, etc.) insist on tight control over user and employee credentials.

Interested in learning about compliance? Here are a few helpful reads:

Why Is Enterprise Password Management Important?

Here's why implementing enterprise password management should be at the top of a company's to-do list:

Keep sensitive data and systems safe: Passwords are the most common way of authenticating employees accessing files and systems. High levels of EPM ensure everyone uses strong and unique passwords, lowering the likelihood of intruders reaching valuable data and assets.
Enforce company-wide policies: An EPM platform enables you to set password-related policies. You control the minimum length and complexity for each password, plus ensure no one reuses the same credentials for different accounts or services.
Counter password-based attacks: Strong credentials are the most effective way of countering password-based attacks. You lower the risk of successful brute force, dictionary, and spraying attacks.
Take the burden off employees: An average employee has 27 work-related passwords, which is the main reason why people reuse credentials and create easy-to-remember passwords. An EPM tool takes away the burden of having to remember credentials for each account, making it easier for employees to use unique, complex passwords.
Lower risk of human error: An EPM tool helps prevent errors that lead to a compromised password. For example, a tool helps recognize fake phishing websites that ask for login info and prevents employees from storing and sharing passwords in plain text files.
Boost team productivity: A password manager makes it significantly easier for employees to create and use passwords. Teams spend less time on password-related tasks and access resources with more speed.
Monitor password usage: EPM platforms track how employees use, store, and share passwords. Such oversight boosts security and helps identify vulnerabilities you can address with training sessions and policy updates.

Recent studies reveal that between 20% and 50% of all help desk calls are for password resets (a process that takes 2-30 minutes to complete depending on what went wrong and general tech-savviness). The average cost of each reset is $70, so EPM tools also reduces day-to-day costs for your organization.

Concerning enterprise password managment stats

Enterprise Password Management Best Practices

Here's a list of the best practices for managing, storing, and protecting passwords (with or without an EPM tool):

Enforce the use of strong passwords with rules for minimum length (at least 12 characters long) and complexity requirements (a mix of upper and lowercase letters, numbers, punctuation, and special symbols).
Ensure every employee changes their password regularly, either biweekly or monthly (and without reverting to a previously used password).
Never use the same password for different accounts or services.
Ensure employees do not store or share passwords in plain-text files.
Use multi-factor authentication to require employees to provide additional verification beyond their password (e.g., a token on a mobile device or a biometric scan).
Lock accounts after 3-5 unsuccessful password guesses (a leading brute force prevention measure).
Conduct regular audits of password-related policies, procedures, and usage rules.
Keep all EPM software up to date with the latest patches.
Change default passwords before deploying new software.
Ensure employees know how to use and make the most out of password vaults.
Monitor for suspicious login attempts (e.g., someone logging in in the middle of the night or from a different state).
Use at-rest encryption and in-transit encryption to keep passwords safe.
Organize regular training to ensure everyone is up to date with the latest password-related threats and rules.

Check out our article on security awareness training to get tips on making your sessions as streamlined and effective as possible.

12 Best Enterprise Password Management Solutions

Below is an in-depth look at the best enterprise password management tools currently on the market. We reviewed both free and paid platforms, so you'll find the right fit regardless of your budget.

Free Enterprise Password Management Solutions

Let's first check out the best EPM tools that offer enough "freemium" features to significantly improve password management and security at your organization.

KeePass

KeePass is an open-source password management tool that relies on AES 256-bit encryption with plugins that support additional algorithms (GOST, Twofish, ChaCha20, and Serpent).

Despite being completely free, KeePass is rich in features. Here's an overview of what the tool offers:

The ability to store all your passwords in one database locked with a master key.
Encryption of the complete vault, not only the password fields.
Password edit controls.
The freedom to use either a master password or a key file (or combine both methods).
A feature for exporting the password list to various formats (TXT, HTML, XML, and CSV).
Simple database transfers and imports from other password managers.
The ability to create, modify, and delete password groups.
Time fields (creation, last modification, last access, and expiration times).
Multi-factor authentication.
Auto-type capability.
A strong password generator.

KeePass also enables you to write custom plug-ins (or download plug-ins from other users) to extend the tool's functionality.

Compatibility: Windows, macOS, and Linux (there are unofficial editions for Android, iOS, and all major browsers).

Who should use it: Companies on the market for a free EPM tool and with teams experienced in open-source coding.

Main pros of KeePass

The tool is completely free and open source (OSI certified).
Compatible with most operating systems, browsers, and smart devices thanks to various unofficial versions of the tool.
High levels of security.
Very customizable.
Has a portable version you carry on an external device and just plug in without installation.

Main cons of KeePass

A steep learning curve for less tech-savvy users.
An outdated interface.
No live user support, so users must rely on community forums for help.

Bitwarden

Bitwarden is an open-source password manager that uses AES-CBC 256-bit encryption for vaults and PBKDF2 SHA-256 for encryption keys. Unlike KeePass, Bitwarden has both a free and paid edition.

The main trait behind Bitwarden's security is that the tool does not store your passwords. Instead, the platform keeps encrypted versions of passwords, and users are the only ones with the decryption key.

Bitwarden's free tier is limited compared to the paid version of the tool, but the free edition offers a well-rounded set of features:

Free to use across multiple devices.
Data breach reports.
Multiple logins for the same applications.
Storage for unlimited passwords on an unlimited number of synced devices.
Auto-fill and auto-capture capabilities.
One gigabyte of available storage.
Two-factor authentication.
Simple password sharing.
The option to use a physical security key.

Bitwarden's Teams edition costs $3/month per user and the Enterprise tier charges $5/month per user. Premium versions of the tool provide extra features, such as 2FA via YubiKey and FIDO2, priority support, custom management roles, and single sign-on (SSO).

Compatibility: Windows, macOS, Linux, Android, and iOS (plus extensions for Chrome, Firefox, Safari, Edge, Opera, Vivaldi, Brave, DuckDuck Go, and Tor).

Who should use it: Smaller, tech-savvy teams looking for a free or low-cost EPM tool.

Main pros of Bitwarden

An open-source tool.
The free version allows unlimited vault items across unlimited synced devices.
Only keeps encrypted versions of passwords.
An intuitive, easy-to-use interface.
A track record of quickly detecting and updating errors (mainly due to the tool's bug bounty program).

Main cons of Bitwarden

Limited customer support for the free version of the tool.
No dark web monitoring or biometric 2FA for any version of the tool.
The Send feature enables users to share passwords insecurely.

Norton Password Manager

Norton Password Manager is one of the most streamlined free password managers on the market. The tool provides users with:

Highly secure password vaults protected with 256-bit AES encryption and TLS secure connections.
Basic two-factor authentication (including biometric login for mobile users).
A zero-knowledge policy.
Unlimited password storage.
A Safety Dashboard that helps track accounts, make updates, and prevent duplicate or weak passwords.
Vault auditor.
Automatic password changer.

Norton also offers a free password generator that helps quickly and easily create hard-to-crack credentials.

Compatibility: Android and iOS (plus extensions for Chrome, Firefox, Safari, and Edge).

Who should use it: Sole proprietors and small businesses looking for a free and easy-to-use password manager.

Main pros of Norton Password Manager

The tool is completely free and does not "lock" any features behind a premium edition.
Stores an unlimited number of passwords.
A sleek, easy-to-navigate interface.
Creates strong passwords automatically.
Syncs accounts across multiple devices.

Main cons of Norton Password Manager

Does not allow users to share passwords one-on-one.
Lackluster documentation.
Can't set up multiple users under the same account.

Dashlane

Dashlane is a password manager that has both free and paid editions. The main selling point of this tool is its high levels of safety as Dashlane uses the following measures to keep vaults safe:

End-to-end AES-256 encryption.
A zero-knowledge architecture.
Both 2FA and universal 2FA verification.
A built-in VPN.

The free version of Dashlane offers the following features:

Storage of up to 50 passwords (available for up to 5 accounts).
Password sharing for up to 5 accounts.
A password generator.
Health checker that searches for weak, reused, and compromised passwords.
Form auto-fill.
Alerts in case of incidents.
Biometric account recovery.

Paid versions of Dashlane (which start at $4.99/month per user) include extra features, such as:

Dark web monitoring.
Unlimited password sharing.
1GB of encrypted file storage.
An excellent dashboard that helps pinpoint password-related problems and monitor usage.
Enforceable policy settings.
Advanced account monitoring and reporting.
SSO options.
Active Directory integration.
Remote account deletion.

High levels of security and a built-in VPN make Dashlane a sound choice for companies with remote-first workforces.

Compatibility: Windows, MacOS, iOS, and Android (plus extensions for Edge, Chrome, Firefox, and Safari).

Who should use it: Companies that rely on remote teams and are worried about login security.

Main pros of Dashlane

Easy to set up and use.
High levels of cybersecurity.
Unlimited password storage and device syncing for all editions of the tool.
A powerful and easy-to-use admin console.
Detailed reporting.

Main cons of Dashlane

The free plan limits users to one device.
Too many features locked behind a "paywall."

Learn about shadow IT and see why the use of unsanctioned devices is a common cause of password-related incidents.

Paid Enterprise Password Management Solutions

Let's now explore the market's top paid enterprise password management tools that offer the most value for your money.

1Password

1Password is a popular password manager with a range of excellent EPM features, such as:

Creation of multiple vaults to store passwords, credit card data, API tokens, etc.
Customizable controls with granular-access features (permissions by category, group, role, etc.).
Creation of temporary guest credentials with flexible expiration options (one view, one hour, one day, 7 days, 14 days, or 30 days).
The Watchtower feature that monitors for reused passwords, vulnerable credentials, and compromised accounts.
Integration with identity and access management (IAM) platforms (Okta, Active Directory, and Rippling).
Detailed health reporting.
Biometric login options and multi-factor authentication using Duo.

This EPM tool has a detailed knowledge base that helps users set up and use the tool. 1Password also integrates with Have I Been Pwned to monitor for data breaches.

1Password Business tier pricing is $7.99/month per user, but there's also the Team Starter Pack option that costs $19.95/month for up to 10 users. The tool has a 14-day free trial for all plans.

Compatibility: Windows, macOS, Linux, Android, and iOS (plus extensions for Chrome, Firefox, Edge, Brave, and Safari).

Who should use it: SMBs that want granular password controls and in-depth monitoring.

Main pros of 1Password

Excellent admin dashboards.
Proactively helps employees maintain good password hygiene.
Encrypts passwords both at rest and in transit.
Granular security controls.
An unlimited number of users and passwords.
A bonus Family plan for every Business user.

Main cons of 1Password

Only allows 20 guest accounts at one time.
Expensive for larger teams.
Limited import options.

NordPass

NordPass is an excellent tool that encodes all sensitive data with the xChaCha20 encryption protocol. Other security-related capabilities offered by the tool include:

Mandatory multi-factor authentication.
The capability to identify weak, reused, and old passwords.
A data breach scanner that monitors the web for leaked data.
Guaranteed GDPR and HIPAA compliance.

Additionally, NordPass keeps user activity logs that enable an organization to track password usage and overall health. You also get cross-platform support, auto-fill capabilities, and the ability to store different types of credentials.

NordPass Business tier pricing starts from $3.59/month per employee (up to 250 users). The Enterprise edition allows more than 250 users, plus has SSO with Azure AD, MS ADFS, and Okta. Both tiers have trial periods.

Compatibility: Windows, macOS, Linux, iOS, and Android (plus extensions for Chrome, Firefox, Edge, and Opera).

Who should use it: Organizations chiefly worried about data security compliance rules (e.g., healthcare providers or companies operating in the E.U.).

Main pros of NordPass

Unlimited users and password storage.
A complete overview of password-related activities.
Premium 24/7 customer support.
Easy user management.
Quick and secure group password sharing.
Detailed user activity logs.
Actionable password health report.

Main cons of NordPass

The Business plan does not support SSO.
Unknown prices for the Enterprise tier.
You cannot use the free version of the tool on multiple devices simultaneously.

LastPass

LastPass is a password manager that uses AES 256-bit encryption and operates under a zero-knowledge policy. The tool is also SOC2, SOC3, C5, ISO27001, and GDPR compliant.

LastPass's main selling point is its ease of use. The tool is very simple and convenient for employees as it enables them to easily:

Create, store, and organize passwords.
Perform one-to-one password sharing.
Access work apps from anywhere and any device.
Use the SSO feature and enable multiple platform sign-ins with a single ID.
Use auto-fill to speed up logins.
Go "passwordless" and get seamless access to vaults.

LastPass also emphasizes proactive security with features such as:

Immediate alerts if a company or personal data is at risk.
Over 100 customizable policies for personalizing security rules.
Reports on employee password management behavior.
Dark web monitoring.

LastPass has two tiers: the Teams edition (which costs $4.25/month per user) and the Business edition (which charges $6.25/month per user). The Teams tier limits you to under 50 users, while the Business version has no user cap. Both tiers have a trial period.

Compatibility: Windows, macOS, Linux, iOS, and Android (plus extensions for Chrome, Firefox, Safari, Edge, and Opera).

Who should use it: Teams looking for an easy-to-use password manager with well-rounded features.

Main pros of LastPass

Unlimited passwords.
Emphasizes user convenience.
Over 100 customizable policies.
In-depth admin security reports.
Over 1,200 pre-integrated SSO apps.
Extra free Family package licenses for each employee.

Main cons of LastPass

The Teams tier has a limit of only 50 users.
Only gives 3 SSO apps with MFA and requires an extra $2/month per seat for more.
While the company bounced back, LastPass suffered a concerning data breach in August 2022.

Zoho Vault

Zoho Vault is an affordable password manager that comes in several editions. Even the free version is okay for individual users, but the Team tier (which charges $0.90/month per user) has solid EPM features, including:

Dedicated password vaults for teams (protected with the AES 256-bit cipher).
Centralized admin controls.
Multi-factor authentication.
Simplified sign-ins and password sharing.
Password policy enforcement.
Credential expiration alerts.
IP address restrictions.
Password imports from browsers.
Integration with G Suite and Office 365.

The more feature-rich Enterprise edition charges a minimum of $4.50/month per user and adds additional capabilities, such as:

User group management.
A "break glass" account for emergency access.
SSO for cloud apps.
Custom alerts for password-related events.
Detailed reports on user access, sharing behavior, and general password hygiene.
Integration with Okta and OneLogin.
Helpdesk integration.

Zoho also offers a range of other business apps (such as CRM and sales software), all of which integrate seamlessly with Zoho Vault.

Compatibility: Windows, macOS, Linux, iOS, and Android (plus extensions for Chrome, Firefox, Safari, Edge, Brave, and Vivaldi).

Who should use it: Companies on the market for feature-rich and affordable EPM services.

Main pros of Zoho Vault

The Team tier is among the most affordable EPM solutions on the market, yet still has decent features.
Advanced 256-bit encryption and zero-knowledge architecture.
In-depth password security reports.
Great transparency of password usage.
Integration with other Zoho solutions.
Syncs across Windows, macOS, Android, and iOS devices.

Main cons of Zoho Vault

Monthly subscriptions are considerably more expensive than yearly plans.
Users cannot import saved Safari passwords.
Weekday-only 24h support.

Passbolt

Passbolt is an open-source password manager known for its flexibility and customization. The tool's Community tier is free to use for an unlimited number of users and has the following features:

Passwords management and sharing.
Private and shared folders.
User and group management.
Two-factor and 3-step authentication.
Open API.

The Business tier (which costs $3/month per user) adds the following features:

LDAP provisioning.
Account recovery (escrow).
Tags management.
Activity logs for tracking changes.
SSO with Microsoft.

Finally, the Enterprise tier (which has custom prices) offers additional features you won't find in many other EPM tools, such as:

High availability consulting.
Disaster recovery consulting.
White glove migration.
Custom features development.

Passbolt enables users to choose whether to self-host the tool on their servers or use the platform's cloud services.

Compatibility: The team behind Passbolt recommends you run the tool on a stable version of a major Linux distribution, such as Debian or Ubuntu. There are browser extensions for Edge, Chrome, and Firefox.

Who should use it: Organizations with teams experienced in open-source tools and looking to host an EPM on an in-house server.

Main pros of Passbolt

Open source (under AGPLV3 license).
A rich selection of features, some of which are rare in the EPM niche.
A flexible number of users for the Business tier.
Highly customizable and extensible thanks to its restful API.
The freedom to choose whether you want to host the tool on-prem or in the cloud.

Main cons of Passbolt

No mobile or desktop apps.
Doesn't support advanced logs for audits.
The Enterprise tier does not have transparent prices.

Keeper

Keeper is a password management tool that offers top-tier security and EPM services. The tool is highly secure thanks to a zero-trust and zero-knowledge architecture.

Keeper has three paid tiers, all of which allow an unlimited number of devices. The Starter plan (which costs $2.00/month per user) offers:

Encrypted vault for every user (for passwords and other files).
Folders and subfolders (shared and personal).
Policy enforcement.
Security audits and activity reporting.
Team management.
Two-factor authentication.

The Business tier (which costs $3.75/month per user) adds delegated administration, share admins, and advanced organizational structure. Finally, the Enterprise edition (which has custom prices) adds advanced features like:

SSO (SAML 2.0) authentication.
Automation features.
AD and LDAP syncs.
SCIM and CLI provisioning.
Developer APIs.
Dark web protection.
Advanced reporting.

All tiers have access to a helpful password generator that enables users to quickly create strong and unique credentials.

Compatibility: Windows, macOS, Linux, iOS, and Android (plus extensions for Chrome, Firefox, Brave, Safari, Edge, and Opera).

Who should use it: Sizable companies looking for advanced EPM services and good per-user prices.

Main pros of Keeper

Highly secure and rich with features.
Very customizable.
Excellent UI/UX.
Free family plan for every user.
Smooth password capture and replay.
Multiple forms of MFA.

Main cons of Keeper

You need a skilled in-house team to make the most out of the tool.
Unknown prices for the Enterprise tier.
Relatively small storage limits.

Roboform

RoboForm is an excellent password manager that excels at enforcing EPM rules at larger companies thanks to:

Centralized employee onboarding and company-wide policy deployment features.
An unlimited number of admins.
The capability to easily monitor and customize access to passwords based on employee roles.
Excellent SSO support.
Highly customizable policies.

This EPM tool enables users to store various data in their vaults (passwords, usernames, bookmarks, business-related files, etc.). All stored data is easily sharable across teams.

Teams with 1 to 10 members will have to pay $39.95/year per user for RoboForm. The tool does have 3-year and 5-year subscription options that bring the per-user price down, plus larger teams get significant discounts.

Compatibility: Windows, macOS, iOS, and Android (plus extensions for Chrome, Firefox, Safari, Edge, and Opera).

Who should use it: Bigger companies looking for top-tier EPM for large teams spread across multiple departments.

Main pros of Roboform

End-to-end AES256-bit encryption for password creation, storing, and sharing.
The tool decrypts data locally.
Enables companies to easily manage large numbers of people.
Intuitive and easy-to-use password automation.
Excellent onboarding and training materials.
Detailed knowledge base and 24/7/365 support.

Main cons of Roboform

On the expensive side for smaller teams.
Clients outside the USA occasionally have problems getting quick tech support.
Limited importing options.

Sticky Password

Sticky Passwords is a cost-friendly password manager with a solid offering that includes:

Simple and safe password sharing.
2FA.
Auto-fill capabilities.
Customizable permissions.
A built-in password generator.
Various syncing options.
USB password vaults (so-called Portable Passwords).

One of Sticky Password's main selling points is that the tool guarantees clients never permanently lose employees' credentials. In case of an incident or a disgruntled employee, there's an Emergency Access feature that allows admins to gain access to a specific account.

Sticky Password charges clients $29.99/year per user. The tool has a free edition, but that version of Sticky Password does not allow syncing or password sharing. There is also the premium version that charges $39.99/year per user and adds syncing across devices and dark web monitoring.

Compatibility: Windows, macOS, iOS, and Android (plus extensions for Chrome, Firefox, Safari, Edge, Opera, and Brave).

Who should use it: Less tech-savvy teams with many shared machines that wish to ensure there's no way to permanently lose credentials.

Main pros of Sticky Passwords

Simple to use and cost-effective.
Users can use a flash drive as a plug-and-play password management device.
A helpful Emergency Access feature.
Excellent form filling.
Each license includes a donation to save endangered manatees.

Main cons of Sticky Passwords

The Premium version does not add enough features to justify the price difference.
No password inheritance.
If you forget your master password, the account is gone for good.

Challenges of enterprise password management

Which Enterprise Password Management Solution Should You Choose?

The first decision you must make is whether you'll use a free or paid enterprise password management tool. Most platforms keep advanced features behind a "paywall," but basic features are enough for some companies and use cases.

If you opt for a paid EPM tool, remember to both consider the initial purchase and ongoing maintenance costs. Other factors you must account for when choosing a tool are:

Specific security features offered by the tool (e.g., end-to-end encryption or MFA).
How much you'll have to customize the tool.
Any relevant compliance requirements.
Your in-house team's preference and previous experience.
Whether the tool will be able to scale alongside your needs without impacting performance.
Integrations with existing IT infrastructure and systems.
The level of required customer support.
How much time the tool requires for day-to-day maintenance.

Consider these factors and go with one of the enterprise password management tools discussed above. Every tool we covered here is a worthwhile choice, but some fit certain use cases better than others.

We also recommend you test the tool before going all-in on a paid edition. All the platforms discussed above have some form of trial, so there's no harm in giving several tools a go and seeing which one performs the best before choosing a long-term solution.

Free or Paid, an EPM Tool is a Must

Manual management of your company's passwords is too complex, time-consuming, and outright risky. Even a single password falling into the wrong hands is enough to cause a data leakage or breach, so invest in EPM and ensure your credentials are safe from prying eyes.

Ransomware in Healthcare: Stats and Recommendations

In 2022, healthcare organizations across the world collectively suffered an average of 1.463 cyberattacks per week (up 74% from 2021). Of all these incidents, ransomware is by far the most devastating, both in terms of finances and patient safety.

This article goes through everything you need to know about ransomware attacks targeting healthcare providers. We analyze the most recent statistics, explain exactly why so many criminals go after hospitals, and present the best ways for healthcare organizations to protect themselves against ransomware attacks.

Ransomware attacks are constantly becoming more varied, so learning about different types of ransomware is a must for any security team hoping to stay a step ahead of cybercriminals.

Healthcare Ransomware Statistics

The statistics below highlight the seriousness of the ransomware threat in the healthcare industry:

In 2022, 24 US-based healthcare organizations were the target of successful ransomware attacks. These incidents affected a total of 289 hospitals.
Organizations in the healthcare sector paid the ransom in about 61% of ransomware incidents in 2022, the highest rate of any industry.
While healthcare tops the list for the willingness to meet hackers' demands, the industry is at the bottom in terms of ransom amounts. Hospitals paid an average ransom of around $197,000 in 2022, the lowest of any sector.
Healthcare providers were the most targeted industry for ransomware attacks during the third quarter of 2022. One in 42 organizations was the target of an attack at that time.
Around 66% of hospitals in the US were the target of a ransomware attack at some point in 2022 (an increase of almost 50% from 2021).
In 2022, the average post-ransomware recovery time for a healthcare provider was one week. The average remediation cost (the price of fully restoring services and systems to a pre-incident state) was $1.85 million.
While the average remediation price is $1.85 million, high-profile ransomware attacks cost significantly more. For example, Dallas-based Tenet Healthcare reported a loss of about $100 million due to ransomware in April 2022. Similarly, San Diego-based Scripps Health state that attacks in May and June 2022 cost the organization $113 million.
Almost 22% of healthcare organizations believe that ransomware caused an increase in patient mortality rates in 2022.
Over 36% of facilities report an increase in serious medical complications due to disruptions of ransomware attacks.
Three in four ransomware attacks on hospitals result in operational disruptions (disabled electronic health records, canceled surgeries, extended hospital stays, delays in procedures. ambulance diversion, etc.).

Criminals stole data in 17 out of 24 confirmed ransomware attacks on US-based healthcare organizations in 2022. Stealing data before encrypting files enables hackers to pressure victims with the threat of data leakage (either by selling the data to the highest bidder or posting it online).

Why Are Hospitals a Target for Ransomware?

Here's why hospitals are among the most common targets for ransomware attacks:

Valuable data: Healthcare organizations store a large amount of sensitive data (medical records, financial info, PII, etc.). This data is a goldmine for identity theft, which makes hospital databases a lucrative target for criminals.
Criticality of data: Losing access to data often has serious consequences for patient care. Hospitals are far more likely to pay the ransom since the compromised data is critical to treating patients (i.e., records that determine somebody's allergies or blood type).
Vulnerable to disruption: Healthcare providers are easier to disrupt than organizations in other industries. For example, a single attack on CommonSpirit Health in October 2022 forced more than 140 hospitals across the country to shut down all digital health records. Some hospitals did not fully recover their systems even a month after the attack.
Lackluster cybersecurity: Over 40% of US-based hospitals spend less than 6% of their IT budget on cybersecurity. Additionally, most security teams are understaffed and many facilities rely on outdated legacy software that's an easy target for experienced hackers.
The sheer number of devices: A single hospital has tens of thousands of Internet of Medical Things (IoMT) devices a hacker could use to breach the network. This attack surface is highly challenging to defend. Also, when an attack occurs, it's typically difficult to identify the source of infection and stop malware from moving to other systems.
Proneness to human error: Hospitals rely on a large number of employees that typically work long hours, operate in high-pressure settings, and communicate with various people. Such circumstances make doctors and nurses vulnerable to social engineering attacks such as phishing or CEO fraud.

Learn how to prevent social engineering attacks and ensure criminals cannot easily trick your staff into sharing valuable info or installing malicious software.

How to Prevent Ransomware Attacks in Healthcare

While you can't prevent criminals from attempting attacks, organizations can improve their ransomware resilience in numerous ways. Let's see the most effective methods healthcare providers use to lower the likelihood of successful ransomware attacks.

No matter what industry you do business in, PNAP's ransomware protection will significantly boost your security posture against this cyber threat. Keep your files safe with a mix of cutting-edge cloud solutions, disaster recovery, and immutable data backups.

Build Employee Awareness

Hospital staff is the first and the most vulnerable line of defense against ransomware attacks. Provide regular and mandatory security awareness training to all employees to ensure everyone understands their role in preventing ransomware. All team members must know how to:

Identify signs of phishing attacks in emails, social media messages, and phone calls.
Safely download and install applications.
Recognize malicious attachments and links.
Create unique and strong passwords.
Keep their credentials safe.
Report suspected incidents to security personnel.
Safely use Bring-Your-Own-Device (BYOD) hardware.
Keep all apps and operating systems up to date with the latest patches and security updates.

Hospital staff members have different roles and responsibilities, so employees have different levels of exposure to threats. Account for those differences during threat modeling and tailor the training program to specific positions.

Boost Overall Cybersecurity

High levels of cybersecurity help a hospital detect and contain threats before they escalate. Most ransomware attacks take days or even weeks to execute after the initial infection, so your team has ample opportunities to detect suspicious activity before malicious software reaches data.

A healthcare provider should focus on improving:

Endpoint security: Protecting the devices hospital staff use to do their jobs (laptops, smartphones, PCs, IoT medical devices, etc.) is a must since most ransomware attacks start on this attack vector. Endpoint security also helps detect suspicious user behavior, such as in the case of insider threats.
Strict access controls: Secure the way hospital staff accesses sensitive data. Enforce the use of hard-to-guess passwords, set up multi-factor authentication, and rely on zero trust security (granting staff members access to the minimum necessary data required to perform their duties).
Network security: The goal of a ransomware hacker is to breach a network and then move laterally between IT systems to reach valuable data. Make this process as difficult as possible by boosting network security with firewalls, anti-malware and anti-virus programs, real-time monitoring, and intrusion detection systems (IDSes).
Data encryption: Use encryption at rest for all sensitive data. Such a precaution does not stop a hacker from stealing and scrambling files, but you prevent data breaches even if criminals reach something of value.
Secure email communications: Email security is vital to preventing phishing and other similar social engineering attacks. Set your email server to recognize messages containing files with suspicious extensions (such as .vbs and .scr) and automatically flag addresses of possible spammers.

Continue learning about cybersecurity best practices and see what else a team can do to boost hospital security.

Segment Your Networks

Segment networks into multiple subnetworks to prevent lateral movement and build a "wall" around critical systems and files. That way, even if ransomware strikes, you minimize the so-called blast radius and contain the threat within a particular network segment.

Each subnetwork should have separate security controls, access policies, and firewalls. These precautions make it difficult for hackers and malicious software to break into each segment, giving the security staff more time and opportunities to recognize and isolate the threat.

Perform Regular Data Backups

Up-to-date data backups do not prevent ransomware attacks, but they ensure the hospital:

Always has a way to restore compromised data.
Does not have to pay a ransom to get its data back.
Quickly restarts patient care in case of an attack.

Ensure the hospital regularly backs up all valuable data. Back up files multiple times a day and use at least two backups (keep one instance offline). Ensure the team also tests backups regularly to ensure there's no accidental data corruption.

As an extra precaution, consider using immutable backups. This type of backup prevents any form of editing (including encryption), so hackers cannot scramble files even if they reach the backup storage.

Learn how to create an effective data backup strategy that ensures you never permanently lose valuable files no matter what goes wrong.

Have a Go-To Incident Response Plan

You require a comprehensive incident response plan in case a hacker manages to break through your cyber defenses. Here's a rough outline of a step-by-step anti-ransomware plan:

Isolate the infected systems and devices from the rest of the network.
Determine what type of ransomware infected the system (if possible).
Report the attack to the authorities and see whether they possess a decryption key.
Identify which data the attacker managed to encrypt.
Search for signs of data exfiltration (unauthorized copying, transfer, or retrieval of unencrypted data).
Restore data from the most recent backup available, transfer files to an unaffected subnetwork, and restart patient care.
Uninstall everything on infected devices and reinstall their operating systems. Remember to keep devices offline as you clean their memory.
Perform in-depth IT forensics and search for signs of back doors.
Make improvements to your security strategy to ensure the same attack does not happen again.

The more in-depth your disaster recovery plan goes, the better you'll handle the actual attack. Just remember that the response team requires clear go-to steps to respond to a threat quickly, so also prepare a shorter version of the plan staff members will use in times of crisis.

Once you have a plan in place, it's time to test it for flaws. Occasionally run penetration tests to simulate real-life attempts to inject ransomware and see how your team responds to realistic attack simulations.

Perform Regular Vulnerability Assessments

Vulnerability assessments check your systems, devices, and staff for exploitable weaknesses. These types of tests inspect the hospital for flaws that could lead to ransomware attacks, including:

System misconfigurations.
Problems in staff behavior (using the same password on different devices, unlocked PCs, interacting with patients via personal email, using shadow IT devices, etc.).
Issues with account privileges and authentication mechanisms.
Unpatched firewalls, apps, and operating systems.
Database errors (such as those that allow SQL injections, another popular method of spreading ransomware).
Technical debt, outdated permissions, and other liabilities in IT systems.

Regular scans for vulnerabilities help ensure every staff member is on their toes in terms of security and that the IT (both hardware and software) is as ready for ransomware attacks as possible.

Learn more about ransomware prevention and get further tips on how to protect your business from this cyber threat.

Why you should not pay the ransom in case of an ransomware attack

Ransomware Attacks on Healthcare Providers Aren’t Going Anywhere

If you work at a healthcare organization, it's only a matter of time before you'll have to deal with a ransomware attack. Whether the attempt ends up being successful is primarily up to your readiness level, so counter the threat of ransomware with a mix of employee training and a robust cybersecurity strategy.

What Is Shadow IT?

While relatively harmless at first sight, shadow IT causes major risks for companies. In 2022, nearly 7 out of 10 organizations experienced a security incident due to employees using unsanctioned hardware or software.

In addition to security concerns, shadow IT is also among the leading causes of app sprawl, operational inefficiencies, and compliance violations.

This article explains the dangers of shadow IT and its potentially devastating effects on security postures and bottom lines. We'll take you through all you need to know about this widespread problem and present the most effective ways of keeping shadow IT at a minimum.

What Is Shadow IT?

Shadow IT refers to any unauthorized device, IT service, or app employees use without the knowledge of the company's security department. When the security team is unaware of a certain application or piece of hardware, the organization cannot support the tech or ensure that it's secure.

Employees typically turn to shadow IT because of convenience or when an app offers better functionality than what the company approved for using. While convenient for employees, shadow IT poses several considerable risks for an organization, including:

Security vulnerabilities (misconfigurations, accounts with easy-to-crack passwords, malware-infected devices, etc.).
Compliance violations (e.g., someone keeping sensitive customer data in a personal Dropbox account).
Inefficiencies within the organization (e.g., teams using different tools to accomplish the same task or unoptimized apps using up too much network bandwidth).

Here are a few statistics that show just how prevalent shadow IT is:

Over 80% of employees regularly rely on some form of shadow IT.
Over 50% of workers use at least one unauthorized app.
Almost 81% of IT leaders believe employees introduced rogue cloud assets into the environment.
An average company uses around 1,220 cloud services. Only 7% of them completely comply with security and compliance requirements.
Over 35% of employees feel like they must work around security measures or protocols to perform their duties effectively.
Almost 63% of employees regularly send work-related documents to personal emails.
Around 32% of workers use unapproved communication and collaboration tools.

There are a few reasons why shadow IT got out of control in recent years:

The rise of remote work due to COVID-19 restrictions.
On-demand cloud services that enable anyone with limited technical know-how to deploy advanced systems and platforms.
The increased popularity of DevOps principles that encourage teams to work as quickly as possible.
More reliance on Bring Your Own Device (BYOD) hardware.

Learn how to implement an effective BYOD policy that keeps business assets safe without overly disrupting your team's day-to-day tasks.

Examples of Shadow IT

Below are some of the most common examples of shadow IT:

Using personal devices (smartphones, tablets, laptops, etc.) to access company data or services without explicit IT department approval.
Installing unsanctioned software without the approval of the company, such as third-party tools or social media platforms.
Creating cloud workloads using personal accounts.
Setting up rogue servers or networking infrastructure to support work.
Using personal storage devices (such as USBs or portable hard drives) to store and share company data.
Sharing company data or collaborating with colleagues via social media profiles.
Accessing corporate data or the back end of a website from a BYOD device on a home network or public Wi-Fi.
Secretly deploying a rogue cloud environment for testing purposes.
Using SaaS apps (file-sharing services, collaboration tools, project management software, etc.) without the approval of the InfoSec team.
Using unauthorized instant messaging or chat apps to communicate with coworkers, clients, or vendors (e.g., chatting on Viber when the company requires all communication to go through Skype).
Creating self-developed Excel spreadsheets and using them to store and share company data.
Connecting IoT devices (such as smart speakers or watches) to the corporate network without the knowledge of the security department.
Sharing work files on a personal Dropbox account or sending data to a private email.
Opening a secret Slack channel despite the company wanting its workforce to use Microsoft Teams.
Logging into both personal and business accounts in the same app and using both profiles to manage company assets.
Secretly using unsanctioned workflow or productivity apps (such as Trello or Asana).
Using business devices for online gaming.

While they take on many forms, all examples of shadow IT introduce the same problem—they create new attack vectors outside the view of the security team.

What Are the Cons of Shadow IT?

The use of shadow IT rarely has malicious intent, but the practice often leads to severe consequences, including:

Security gaps: Security staff cannot secure systems and apps they do not know exist. Introducing rogue hardware and software creates vulnerabilities malicious actors could exploit for several types of cyberattacks.
Data exposure: Employees store, share, and access sensitive data via insecure shadow IT devices and apps, increasing the attack surface for data breaches.
Lack of standardization: You increase the chance of incompatibilities whenever teams use different tools and systems to accomplish the same tasks. There's also the increased risk of teams working with unofficial, invalid, or outdated data.
Data leaks: Employees sharing corporate data on unauthorized apps or private devices often leads to data leakage (accidental release of data to an unauthorized recipient).
Higher costs: Shadow assets often increase IT costs by causing unexpected expenses and budget overruns. For example, a personal cloud storage someone scales to serve enterprise-level needs is far less cost-effective than services intended for corporate usage.
Compliance risks: Teams could secretly use technologies or data storage that do not comply with regulatory requirements (such as those imposed by GDPR or HIPAA). Even if employees do so without the company's consent, organizations are still liable for violation fines.
App sprawl: Shadow IT is a leading cause of app sprawl (excessive proliferation of apps). Sprawl occurs when teams purchase and deploy too many programs without proper consideration for value, fit, or functionality.
Performance bottlenecks: Adding extra programs and apps on top of existing systems often results in performance issues.
Risky data silos: Any files stored on unauthorized or personal devices aren't accessible to others in the company. You lose access to that data if the employee leaves the company.

Any data employees store on shadow IT assets will not be a part of your regular backups, which is an issue you must account for in your corporate backup strategy.

Are There Any Positives to Shadow IT?

While the cons by far outweigh its pros, there are some positives to shadow IT. The most notable benefits are:

Teams become more agile when they have the freedom to choose software.
Making ad hoc IT decisions sometimes enables a team to respond to changes and threats with more speed.
The ability to choose preferred apps and devices encourages employees to innovate. Teams experiment with new technologies and tools, which gives the organization a slight competitive edge.
Some shadow IT leeway enables teams to quickly test out new tools that may turn out to be a better fit or more cost-effective than current solutions.
Teams that work with preferred apps are more likely to be invested in their jobs. This morale boost helps improve employee satisfaction and retention rates.

Since most companies see shadow IT as an inevitability, many organizations are now trying to control the practice with security protocols. There are some mandatory precautions if you opt for that route, such as:

Attack surface management (ASM) tools: These platforms continuously monitor all internet-facing assets to identify signs of shadow IT. Once a new asset appears, ASM tools automatically evaluate potential flaws and help eliminate threats.
Cloud asset security broker (CASB): These platforms ensure secure connections between employees and any cloud asset they use (known or unknown). A CASB discovers all shadow cloud services and enforces extra security measures (such as encryption, access control policies, and malware detection).

In the fast-paced business world, giving employees some freedom to solve problems and experiment is advantageous. However, allowing shadow IT to go on uncontrolled is a massive mistake, so let's see how companies keep the practice in check.

How Do You Handle Shadow IT?

Here are the most effective ways of preventing shadow IT:

Create IT policies: Create detailed policies that outline all allowed software, hardware, and services within the organization. Policies must also explain exactly how employees should use authorized tech, as well as state any consequences of violating the rules.
Provide IT support: Ensure all teams have adequate IT support to address their tech needs and issues.
Encourage communication: Encourage an open dialogue between IT and other departments to ensure all teams are happy with their assigned technologies. Open lines of communication lower the chance of anyone secretly using unauthorized tech.
Educate employees: Organize regular awareness training to educate teams about the risks of shadow IT. Ensure everyone understands why you insist on using only approved software and hardware.
Create a quick (but safe) approval process: If someone in your team proposes adding a new tool to operations, the approval process must be quick and secure.
Conduct regular tool audits: Carry out regular audits that track what tools different departments use to perform their tasks.
Boost endpoint security: Improve your endpoint security to prevent employees from installing unapproved apps on their devices (either company-owned or as a part of the BYOD policy).
Monitor network activity: Your security team must monitor network activity for signs of unauthorized solutions and services. Make full use of intrusion detection systems and firewalls to analyze traffic and user actions.
Regular reviews: Periodically review and update your IT policies, approval processes, and security measures. Ensure you're both up to date with the latest technology trends and security threats.
CASB and ASM tools: Regardless of whether you opt to tolerate some amount of shadow IT or not, the aforementioned CASB and ASM tools are a worthwhile investment.

Since a large portion of shadow IT occurs in the cloud, your cloud security policy is a major part of stopping teams from using rogue services.

Keep Unauthorized Apps and Devices at a Minimum

While shadow IT boosts employee productivity and helps drive innovation, uncontrolled use of technology introduces potentially devastating risks. Keep shadow IT at a minimum by educating employees, setting up effective preventive measures, and encouraging teams to be open about their IT needs.

What Is Rate Limiting?

Rate limiting is a simple yet highly effective technique for protecting APIs from unintentional and malicious overuse. Without a rate limit, anyone can bombard a server with requests and cause spikes in traffic that eat up resources, "starve" other users, and make the service unresponsive.

This article is an intro to rate limiting and the importance of restricting the number of requests that reach APIs and services. We explain what rate limits are and how they work, plus cover the different types of algorithms you can use to adopt rate limiting for your use case.

Almost 95% of companies have had an API-related security incident in 2022. Additionally, approximately 31% (around 5 billion) of all malicious transactions targeted APIs, which should place securing this attack vector at the top of an organization's to-do list.

What Is Rate Limiting?

Rate limiting is the practice of restricting the number of requests users can make to a specific API or service. You place a cap on how often users can repeat an action (i.e., attempting to log into an account or send a message) within a certain time frame. If someone reaches their limit, the server begins rejecting additional requests.

Rate limiting is both a cybersecurity precaution and a key part of software quality assurance (QA). Companies use rate limits to:

Prevent a large number of requests from overwhelming a web or application server.
Ensure all users have equal access to the API and that no one consumes too much bandwidth, data storage, or memory.
Stop human users, bots, and applications (anyone or anything with the ability to issue calls to an API) from abusing a web property.
Prevent different kinds of malicious bot activity (namely DoS/DDoS and brute force attacks).

Technically, rate limiting is a form of traffic shaping. The practice lets you control the flow and distribution of traffic to prevent infrastructure overload or failure.

Most systems with a rate limit have caps well above what even a high-volume user could realistically request. The most common example is social media messaging. All social media websites have a cap on the number of direct messages you can send to other users. If someone decides to send a thousand messages to other profiles, rate limiting kicks in and stops the user from sending messages for a certain period.

Learn the most effective ways to prevent DDoS attacks and stay a step ahead of would-be hackers trying to overload your server with fake traffic.

Why Is Rate Limiting Important?

Here's a list of the main reasons why rate limiting is an essential aspect of any healthy service:

Preventing overloads: Too many requests can overwhelm a server, causing it to slow down or even become unresponsive. Limiting the number of requests a server or API processes helps maintain the performance and availability of your service.
Ensuring fairness: Rate limiting prevents any user from monopolizing resources at the expense of others. Placing a cap on allowed requests gives everyone a fair opportunity to use the service.
Managing costs: If there's a cost associated with each request made to the service, rate limiting is essential to controlling expenses and ensuring efficient use of resources.
Usage metering: If a user signs up for a plan that allows, for example, 1000 API requests per hour, rate limiting ensures the client stays within the set cap.
Controlling data flow: Rate limiting enables an admin to control data flows, which is key for APIs that process large volumes of data. For example, you could distribute data evenly between two APIs by limiting the flow into each element.
Protecting against malicious activity: Rate limiting is vital to preventing several types of cyberattacks. The practice is the go-to counter to denial-of-service attacks (flooding the server with requests in an attempt to make it unresponsive), brute force attacks (bots trying to guess login passwords by typing in random characters), and credential stuffing (using a list of compromised user credentials to breach into a system).

Our comprehensive article on the different types of cyberattacks takes you through 16 kinds of attacks your team must be ready to face.

How Does Rate Limiting Work?

To set a rate limit, an admin places a cap on the number of requests users can make to a server or API within a certain time frame. Typically, the rate-limiting mechanism tracks two key factors:

The IP addresses of users sending requests.
How much time elapses between each request.

The main metric for rate limits is the Transactions Per Second (TPS). If a single IP address makes too many requests within a certain period (i.e., goes over its TPS limit), rate limiting stops the server or API from responding. The user gets an error message and is unable to send further requests until the timer resets.

Rate limiting always relies on some form of throttling mechanism that slows down or blocks requests. Admins implement rate limiting on the server or client side, depending on which strategy better fits the use case:

Server-side rate limiting is more effective at preventing overload and stopping malicious activity.
Client-side rate limiting is better at managing costs and ensuring fair use of resources.

Many admins also set rate limits based on usernames. This approach prevents brute force attackers from attempting to log in from multiple IP addresses.

Worried about bots brute forcing your usernames and passwords? Here are 8 simple yet highly effective strategies for preventing brute force attacks.

Types of Rate Limits

Let's look at the different types of rate limits you can use to control access to a server or API. Just remember that you can combine different types into a hybrid strategy. For example, you may limit the number of requests based on both IP addresses and certain time intervals.

Time-Based Rate Limits

Time-based rate limits operate on pre-defined time intervals. For example, a server may limit requests to a certain number per time period (such as 100 per minute).

Time-based rate limits typically apply to all users. You can set these limits to be either fixed (timers count down regardless of when and if users make requests) or sliding (the countdown starts whenever someone makes the first request).

Geographic Rate Limits

Geographic rate limits restrict the number of requests coming from certain regions. These caps are an excellent choice when running location-based campaigns. Admins get to limit the requests from outside the target audience and increase availability in target regions.

These rate limits are also good at preventing suspicious traffic. For example, you could predict that users in a certain region are less active between 11:00 PM and 8:00 AM. You set a lower rate limit for this time, which further constraints any attacker hoping to cause problems with malicious traffic.

User-Based Rate Limits

User-based rate limits control the number of actions individual users can take in a certain time frame. For example, a server may limit the number of login attempts each user can make to 100 per day.

User-based limits are the most common type of rate limiting. Most systems track the user's IP address or API key (or both). If the user exceeds the set rate limit, the app denies any further requests until the per-user counter resets.

Keep in mind that this type of rate limiting requires the system to maintain the usage statistics of each user. Such setup often leads to operational overhead and increases overall IT costs.

Concurrency Rate Limiting

Concurrency rate limits control the number of parallel sessions the system allows in a certain time frame. For example, an app might prevent more than 1000 sessions within a minute.

Server Rate Limits

Server rate limiting helps admins share a workload among different servers. For example, if you run a distributed architecture with five servers, you could use a rate limit to place a cap on each device.

If one of the servers reaches its cap, the device either routes it to another server or drops the request. Such a strategy is vital to achieving high availability and preventing DoS attacks that target a specific server.

API Endpoint-Based Rate Limiting

These rate limits are based on the specific API endpoints users are trying to access. For example, an admin may limit requests to a specific endpoint to 50 per minute, either due to security or overloading concerns.

Learn about endpoint security and see what it takes to keep devices at the network's edge safe from malicious activity.

Rate Limiting Algorithms

Here are the most common algorithms companies rely on to implement rate limiting:

Token bucket: Each time a user makes a request, the system removes a token from the so-called token bucket. Once the bucket is empty, the user cannot make further requests until a refill resets the number of session tokens.
Greedy token bucket: This algorithm allows users to accumulate unused tokens and build up a bigger bucket. Users who do not fully utilize their quota use more tokens (i.e., requests) in the future.
Leaky bucket: Each time someone makes a request, the system adds a token to the user's bucket. If the bucket is full (i.e., users reach the set limit), the system drops all further requests. The leaky bucket is easy to implement on a load balancer and is highly memory-efficient.
Fixed window: This algorithm limits the number of requests users can make within a fixed time window (typically either a minute or an hour). For example, the server may only serve 100 requests between 11:00 and 11:01 AM. At 11:01 am, the window resets.
Rolling window: Instead of using a fixed time window like the previous algorithm, this method relies on a rolling window. The time frame only starts when a user makes a new request. For example, if the first request arrives exactly at 10:15:48 and the rate limit sits at 20 per minute, the server will allow 19 more requests until 10:16:48.
Sliding log: This algorithm requires the system to maintain a time-stamped log (set or table) of requests for every individual user. The system calculates the sum of logs to determine the request rate. If the rate exceeds the threshold rate, the system holds the request; otherwise, the system serves the request.

The main factors to consider when choosing a rate-limiting algorithm are the unique needs of your API and the expected traffic volume. Your method of choice must prevent overload and stop malicious activity but also ensure legitimate users use the service without interruptions.

How To Implement Rate Limiting?

Below is a step-by-step guide to implementing rate limiting (although the exact way you set limits depends on your specific tech stack):

Determine rate limit rules: Decide the specific rate limit you'll use. Determine the type of rate limit (time-based, request-based, etc.), the limit itself (i.e., the number of allowed requests), and the duration of the limit.
Choose a rate limiting algorithm: Choose an algorithm that best fits your requirements. In general, the token bucket is suitable for most user-based rate limits. Likewise, the fixed window is excellent for time-based rate limits.
Decide where to implement the rate limit: Decide whether the team should implement rate limiting on the server or client side (or both).
Implement the rate limit: Next, deploy the chosen rate limiting algorithm. This process usually involves a public module that provides rate limiting functionality, although your team might have to write some custom code.
Test the rate limit: Once set up, the rate limiting mechanism requires extensive testing. Use a mix of manual and automated testing to simulate different traffic conditions. Test the system periodically and adjust the rules as needed to keep performance levels up.

Implementing rate limiting is a simple process for most use cases. For example, if you're using Nginx as a web server and wish to set a rate limit at the server level, you'll use the ngx_http_limit_req_module module. Simply add the following code to the Nginx configuration file to set up rate limits based on the user's IP address:

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=2r/s;
    ...

server {
    ...
    location /promotion/ {
        limit_req zone=one burst=5;
    }
}

The code above allows no more than 2 requests per second on average, while bursts cannot exceed 5 requests.

A Simple, Yet Highly Effective Defensive Practice

Rate limiting is essential both for the security and quality of your APIs, apps, and websites. Failing to limit the number of requests leaves you open to traffic-based attacks and leads to poor performance (which causes higher bounce rates, problems with customer retention, etc.). Considering how easy it is to implement this precaution, setting a rate limit is a no-brainer decision for most use cases.

Backup Strategy: Ultimate Guide for Data Backup

A data backup strategy, the way organizations back up critical files and restore them in case of an incident, is an integral part of your cybersecurity planning. Without a sound backup strategy, your organization must live with the looming threat of permanent data loss and its all-too-often devastating effects (lost productivity, costly recreation, legal fines, reputation damage, etc.).

This article provides a step-by-step guide to creating well-rounded and cost-effective data backup strategies. Read on to see what you'll have to include in your plan and learn how to ensure critical files are restorable no matter what goes wrong with the original data set.

Learn about backup and disaster recovery (BDR), the idea of unifying data backups and disaster recovery into a single practice to create a more comprehensive protection strategy.

Why Is Data Backup Important?

Here's why you should not overlook the value of up-to-date data backups:

Data recovery: Regular backups act as a safety net in case you face an unforeseen event that damages or deletes data (data center power outage, cyberattack, accidental deletion, natural disaster, hardware failure, and data corruption).
Business continuity: Backups help teams keep operations going without interruption if something happens to your data. Losing important files without a working backup affects the team's ability to operate, deliver services, and maintain business continuity.
Cost savings: The cost of creating and maintaining backups is significantly lower than the price of recreating lost files from scratch. You also avoid paying hefty legal fines for permanently losing customer or employee data.
Compliance: For some companies, regular data backups are necessary to meet compliance requirements. For example, HIPAA and GDPR both require businesses to have up-to-date backups of user data.
Less stress: Performing regular backups provides peace of mind to staff members as they know that files are recoverable in case of an incident. Less pressure on the team boosts morale and leads to better decision-making in times of crisis.

Studies show that 2022 was the first year in which cyberattacks overtook human error as the top cause of data loss (just over 38%). Unfortunately, employees did not start making fewer mistakes—instead, cybercrime is at an all-time high, which only further emphasizes the value of regular data backups.

Types of Data Backup

There are three major backup types: full, differential, and incremental backup. Let's look at the main pros and cons of each backup type.

1. Full Backups

A full backup creates a complete replica of every file in the system. This backup type copies the data set in its entirety without considering whether the team changed some files since the last backup.

Pros of full backups:

A comprehensive snapshot of all your data at a specific point in time.
Minimal chance of a file accidentally "slipping through the cracks" and failing to get backed up.
Restoring data is a straightforward process.
Full backups are self-contained and do not depend on other backups when restoring data.
Admins easily manage version control.

Cons of full backups:

Backups take a long time to complete because they create a copy of every file in the system.
Require a large amount of storage space.
Quickly become redundant as admins copy the same files repeatedly.
Full backups are resource-intensive and require a lot of processing power and memory, which usually affects network performance.

2. Differential Backups

A differential backup only copies the changes that occurred since the last full backup. That way, admins avoid making redundant backups of every file in the data set.

Here's how a differential backup works in practice:

Let's say you perform a full backup of a data set on Sunday.
On Monday, the team modifies several files.
You perform a differential backup on Tuesday, which backs up only altered files and ignores the rest of the data set.
If the team modifies a few more files on Wednesday, the differential backup you perform on Thursday will back up all the files that saw changes since Sunday's full backup (including both Monday and Wednesday updates).

If something goes wrong with the original database, an admin first restores the full backup and then recovers the latest differential one to get the most recent data.

Pros of differential backups:

You only back up changes since the last full backup, which saves significant amounts of storage space.
There's less data redundancy in backups as you're not backing up the same files over and over again.
Faster to perform than full backups.

Cons of differential backups:

Differential backups become large and slow if the team frequently changes the data set.
There's still some redundancy as multiple differential backups between two full backups copy the same files.
Recovery requires you to first restore the last full backup and then the latest differential backups, after which you have to "merge" changed files into the main data set.

3. Incremental Backups

An incremental backup only copies changes since the last backup of any type (unlike differential backups that only copy changes since the previous full backup).

For example, let's say you take a full backup on Monday. On Tuesday, the team adds a few new files to the data set. An incremental backup on Tuesday only backs up the changes made on Tuesday.

If you make additional changes on Wednesday and take another incremental backup, you'll copy only the changes made on Wednesday and ignore everything that happened before Tuesday's incremental backup.

Pros of incremental backups:

The fastest type of backup to perform as it only copies altered data since the last backup.
Ideal if a team makes frequent changes to data or if the company is under pressure to maintain up-to-date backups.
Requires the least storage space of all backup types.

Cons of incremental backups:

The restore process is complex and time-consuming as admins must restore the last full backup first and then each subsequent incremental backup in the correct order.
Not a good choice if the periods between your full backups are long.
Incremental backups rely on the previous backup to be complete and accurate. Some data loss is likely if there's an issue with only one backup.

Data backups are an essential aspect of endpoint security, the practice of keeping your employees' devices (and whatever's stored on them) safe from threats.

Data Backup Strategy

The first step to creating a backup strategy is determining what data you'll be backing up. Remember that you should not have backups of every piece of data in your organization. Such an approach is both too complex and expensive—instead, focus on mission-critical files such as:

Customer and employee data (contact info, purchase history, and billing information).
Financial data (financial statements, invoices, payroll info, and tax records).
Intellectual property (patents, trademarks, and copyrights).
Operational data (inventory, supply chain info, and logistics data).

Once you know what data you'll be backing up, it's time to come up with a detailed plan. Below is a step-by-step guide to creating a data backup strategy.

Step 1: Understand the Data You're Backing Up

Gather all data you plan to back up and group files based on their criticality. Break them up into three categories based on how important it is to restore each data set if something goes wrong:

Existentially-critical for the organization to survive.
Mission-critical for the company to operate.
Performance-critical for the business to thrive.

Each group requires a separate backup strategy. Also, any data that does not belong in any of the three categories will do fine with a biweekly or monthly backup. Perform a risk assessment and business impact analysis to help your team classify data:

The risk assessment lists everything that could negatively affect your ability to conduct business if you lose access to data.
The business impact analysis determines the potential effects on the organization's operations if you lose access to data.

Next, evaluate where you store each data set and how frequently it changes. This analysis gives you a deeper understanding of where and how your data lives. Finally, define RTOs and RPOs for your data:

The recovery time objective (RTO) is the maximum amount of time you can afford to be without access to the data (i.e., how quickly you need to recover the data in case it goes missing).
The recovery point objective (RPO) is the amount of data you can afford to lose in case of an incident (i.e., how frequently you must back up data to avoid losing too much of it).

Our RTO vs. RPO article breaks down the differences between the two metrics and explains their roles in disaster recovery strategies.

Step 2: Determine Backup Frequency and Type

Once you understand the criticality of each data set, it's time to decide how often you need to back up files. The frequency at which you should back up data depends on several factors:

How recent the data must be in case of recovery.
How often data sets change.
The amount of storage space required to back data up.
How much data you can afford to lose in case of a failure (if any).

RPOs and RTOs are huge factors when deciding backup frequency:

A low RPO means you'll have to back up data more frequently to minimize data loss.
A low RTO means you must back up data more frequently to minimize downtime.

Then, choose your preferred backup type. You have three options to choose from:

Full backups.
Differential backups.
Incremental backups.

Keep in mind the pros and cons of each backup type we discussed earlier. While full backups are the most reliable option, they are also more time-consuming and storage-hungry than other backups.

One of the most common schedules is running a full backup every other week and performing incremental backups every day in between.

Step 3: Determine Storage Location

Next, decide where you want to store backups. You can use on-site storage (such as an external hard drive, USBs, tapes, or a dedicated storage server) or off-site cloud backup repositories.

Store your backups in the cloud! Veeam Cloud Connect Backup and Replication is now available on a 7-day FREE trial! Start your trial today and safely store your backups to global locations in the U.S., Europe, and Asia.

START FREE TRIAL

Here are some factors to consider when deciding whether to keep backups on-prem or in the cloud:

Cost: On-site storage requires you to purchase and maintain infrastructure. Cloud storage is typically subscription-based, so it's more affordable if you work on a limited budget.
Management: The on-site approach typically means that your team is responsible for configuring, maintaining, upgrading, and monitoring backups. The cloud option is better if you prefer to offload these tasks to a backup and restore provider.
Security: On-site storage gives you complete control over the security of backups as your team is in charge of setting up, maintaining, and protecting storage devices. The cloud offers less direct control over how you protect backups, but all reputable vendors invest a fortune in cloud computing security.
Accessibility: On-site storage provides immediate access to backups, which is vital if you require the ability to quickly restore data after a failure. On the other hand, cloud storage often has a delay in accessing data and requires a working internet connection.
Scalability: The cloud is far more scalable than on-site storage. You easily adjust your capacity up or down depending on current needs, which is not simple to do with on-site storage.

You'll also have to decide how long you want to keep backups. The retention rate depends on the criticality of data, how frequently you make new backups, and whether files fall under some industry-specific regulation.

Step 4: Establish (and Document) Backup Procedures

Once you know the basics of your data backup strategy, it's time to document them. Documentation should serve as a single source of truth for anything backup-related and a training guide for in-house teams. Document the following information:

Go-to stakeholders and staff members.
Step-by-step instructions for executing and authenticating backups.
Detailed guides to restoring each data set.
Procedures for testing, reviewing, monitoring, and updating backups.
Expected metrics (namely RTOs and RPOs for different data sets).
Instructions on when and how to delete outdated backups.
The cost of the data backup strategy (update this section frequently as prices and data volumes change often).

Once you define a data backup strategy and create the first replica, perform a full restore to a test environment to verify everything works as intended. Check whether there're any signs of missing or corrupt files—your team should perform this precautionary checkup at least once a month.

Remember that your data backup strategy is not set in stone. What works great today may not work as well tomorrow, so review your plan periodically to ensure backups stay effective and in line with business objectives.

What Is a 3-2-1 Backup Strategy and Is It Good?

The 3-2-1 backup strategy is a popular method for backing up data. The strategy requires you to create three copies of data, store two versions on different media, and keep one copy off-site (hence the 3-2-1 name). Here's a breakdown of how this strategy works:

Three copies of data: Multiple data copies ensure you can restore files in case one or even two copies become lost or unavailable.
Two different media: Storing two of the three copies on different media helps protect against media failure.
One copy off-site: Keeping one data backup off-site (either in a remote data center or in the cloud) protects against incidents that could destroy both the original database and any backup stored on-site.

The 3-2-1 backup strategy is a sound option for organizations of all sizes. This approach to backing up data offers the following benefits:

No single points of failure.
Low chance of permanently losing data.
High levels of readiness for most data-threatening incidents.

While the 3-2-1 backup strategy is effective, there are a few downsides to this system that you should keep in mind:

These backups are expensive to implement as most companies must purchase additional hardware and subscribe to a cloud-based storage service.
Most 3-2-1 strategies require a significant amount of time to manage as you're always making at least three copies of data.
There's zero emphases on recovery speed.
The system gets complex if combined with incremental or differential backups.
Users often must invest in additional bandwidth to ensure off-site backups complete in a timely manner.

Check out our backup and restore services to see how we help companies create recovery strategies as effective as any 3-2-1 system yet significantly less complex to manage.

Don't Take Unnecessary Risks With Critical Data

Being caught off guard by a dangerous event such as ransomware or an insider threat without a working data backup is a recipe for disaster. Recreating lost data is expensive and time-consuming (not to mention even impossible in some cases). Instead of risking such scenarios, take the time to plan and implement an effective backup strategy that minimizes the chance of data loss no matter what goes wrong at your company.

What is Endpoint Security

Every endpoint (PC, laptop, smartphone, etc.) that connects to a network is a potential entry point for a hacker. These devices are typically the first attack vector criminals test when trying to hack into a system. If an endpoint turns out to be vulnerable, the intruder breaks into an otherwise secure network without having to "crack" its primary cyber defenses.

This article is an intro to endpoint security that explains how companies protect what many describe as the weakest link in network security. Read on to learn what it takes to keep would-be hackers out of endpoints and ensure these devices do not become a doorway to your assets and data.

Endpoint protection is a subset of the broader network infrastructure security, an area of cybersecurity that focuses on protecting the network's underlying hardware and software.

What is Endpoint Security?

Endpoint security (or endpoint protection) is the practice of keeping endpoint devices safe from external and insider threats. The primary goals of endpoint security are to:

Prevent unauthorized access to assets.
Detect suspicious user behavior.
Stop in-progress attacks.
Detect and isolate threats before they do damage to the network.
Help the team identify and mitigate the root cause(s) of threats.

Any device or system that communicates with the network from outside its firewall is an endpoint. Nowadays, this definition extends far beyond the PCs we use for work — here's a list of all the endpoints modern organizations must secure and account for:

Laptops.
Tablets.
Desktop computers.
Mobile phones.
Internet of Things (IoT) gadgets and sensors (thermostats, biometric scanning devices, security cameras, etc.).
Wearables (i.e., smart watches or medical devices).
Smart printers.
Servers (both on and off-site).
POS devices.
Industrial machines.
Network hardware (routers, switches, etc.).
Virtual machines.
Operational Technology (OT) systems.

The number of internet-enabled devices is at an all-time high, so companies have their hands full when preparing for attacks. Here are some of the most common endpoint security risks a team is likely to face:

Lost or stolen devices.
Phishing attacks (a social engineering strategy that tries to trick the user into sharing sensitive data (such as a password) or clicking on a malware-infected link).
Ransomware (a type of malware that encrypts the victim's data and asks for money in exchange for the decryption key).
An endpoint becoming a part of a DDoS bot.
Malvertising (infected ads that install malware if the user clicks on them).
Drive-by downloads (hidden software downloads that occur without the user's knowledge).
Spyware (malware that tracks user activity).
Installation of unsafe applications.

These risks are only the tip of the iceberg. Check out our article on the different types of cyberattacks to get an in-depth breakdown of the current cybercrime landscape.

Why is Endpoint Security Important?

Any device with access to a network is a potential target for an attack, but some devices are easier to hack than others. For example, a personal phone connected to the office Wi-Fi is significantly less challenging to crack than the main server. While there's less to gain from hacking an endpoint, the phone is still a worthwhile objective as it likely has access to some business data.

Sometimes, going after data accessible to a specific endpoint is not the primary goal of an attack. More skilled hackers know how to compromise an endpoint and then use the device for lateral movement to reach valuable databases or set up an APT threat.

A recent study reveals that almost 70% of successful data breaches originate at an endpoint device. Here are a few other figures that show the criticality of keeping endpoints safe:

In 2022, almost 68% of organizations have experienced at least one endpoint attack that impacted data or IT infrastructure.
Over 48% of organizations are unsatisfied with their current level of endpoint security.
An average organization allows 55% of all endpoints to access some sensitive data.
One in three U.S. employees uses a personal, non-BYOD device to work remotely.
The cost of a successful endpoint attack in the US now sits at $8.94 million (this figure was $7.1 million in 2021).

Security concerns aside, high levels of endpoint protection are often a prerequisite for meeting compliance. Many industries and regions require a business to keep endpoints safe to comply with regulations (especially if devices have access to sensitive user data).

Read about the business world's most common (and strictest) regulations and see what it takes to ensure compliance:

You can also check out our CCPA vs GDPR article for a detailed comparison of the two most prominent data privacy regulations.

What Are the Types of Endpoint Security?

There are three main types of endpoint security: Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR).

Endpoint Protection Platform (EPP)

EPPs primarily focus on preventing malware and are comparable to what you'd expect from a reactive antivirus program. These platforms help deal with threats by:

Comparing files against a database of known attack signatures.
Using machine learning to detect suspicious activity on an endpoint.
Enabling the creation of lists that block or allow certain apps, URLs, ports, IP addresses, etc.
Providing sandboxes to test suspicious executables.

Admins deploy an EPP directly on endpoints, but there's always a central platform that analyzes data (either on-prem or in the cloud).

Endpoint Detection and Response (EDR)

An EDR offers the same features as EPPs but also has the capability to respond to active threats in real-time. These platforms enable an admin to:

Set up automatic remediation processes (e.g., isolate a dangerous file or wipe the endpoint's memory if something goes wrong).
Identify indicators of compromise (IoC).
Get real-time alerts on security incidents.

EDRs detect various threats that are invisible to an EPP, such as file-less malware or polymorphic attacks.

Extended Detection and Response (XDR)

An XDR platform offers better protection and deeper risk analysis than an EDR. XDRs provide more visibility and rely heavily on automation to correlate and eliminate threats.

An XDR tool crosses multiple security layers (endpoints, network traffic, etc.) and consolidates data from:

Security information and event management (SIEM) tools.
EPPs and EDRs.
Network analytics.
Identity and access management (IAM) tools.

The main goals of XDR is to reduce incident response times, enable more context during threat inspection, and provide in-depth analysis of affected endpoints to identify the root cause of the threat.

How Does Endpoint Protection Work?

Endpoint security relies on a client/server model. There's a centrally managed server that hosts the primary security program (which analyzes threats and makes decisions) and an accompanying client program on each endpoint (which collects data and sends info to the main server).

There are three different strategies based on where you host the primary security program:

On-premises deployment: In this strategy, the client software runs in an on-site server room.
Software-as-a-service (SaaS) model: In the SaaS model, a cloud provider hosts and manages the client software.
Hybrid model: A hybrid approach mixes both on-prem and cloud solutions.

No matter where you run the primary endpoint security software, the protection principles stay the same. Programs on endpoints gather data and send it to the central platform which checks the files, processes, and systems for suspicious activity. Platforms primarily detect oddities in two ways:

Checking data packets against a database of known attack signatures (excellent at detecting known threats).
Performing behavioral analysis to uncover potentially suspicious activity of users or systems (excellent at identifying new hacking tactics and even some zero-day exploits).

If the platform discovers a threat, it instructs the endpoint to block traffic and isolate the file from the network. Then the security team investigates the threat (or the platform performs a series of predefined mitigation steps). The endpoint does not connect back to the network until the team eliminates the risk.

Consider boosting your endpoint security with Managed Detection and Response (MDR), an outsourced service that proactively identifies and removes IT threats (and does so at a significantly lower price than what an in-house security team would set you back).

What's the Difference Between Antivirus and Endpoint Security?

An antivirus is a type of cybersecurity software that detects and isolates malicious files (malware, viruses, worms, Trojans, etc.). Endpoint security, on the other hand, is a broader term that encompasses a wider range of measures for protecting endpoints and their associated networks from threats (including malicious software).

Antivirus programs are a subset of endpoint security. No endpoint security strategy is complete without an antivirus (firewalls are the other bare-bones necessity). Even the most basic EPP will have some form of antivirus protection.

Here are the most notable differences between antivirus and endpoint security:

Scope: Antivirus software protects one device, whereas endpoint security aims to protect all connected devices across an enterprise network.
Go-to threats: Antivirus programs only stop malware-based attacks, while endpoint security entails protection from a broader set of dangers (data theft, CEO fraud, SQL injections, etc.).
Protection strategy: An antivirus protects a device by comparing traffic against a database of known threats. Endpoint security platforms also rely on a similar database, but these tools also check for advanced vulnerabilities based on behavioral analysis.
Updates: Most traditional antiviruses require manual updates. Modern EPPs and EDRs running in the cloud update automatically, taking the burden off the security team and end-users.
Protection against insider threats: Antiviruses typically offer little to no protection against insider threats (e.g., someone putting sensitive data on a USB drive and stealing valuable files). Endpoint security offers far greater protection from threats like intentional file deletion, unauthorized access, and data leakage.

Continue learning about how companies keep systems safe by checking out our in-depth article on the different types of network security.

Features to Look for in an Endpoint Security Tool

Here is a list of features you should expect to get from a top-tier endpoint security tool:

An antivirus program that detects and removes threats from endpoint devices.
A firewall that filters outgoing and incoming traffic on endpoints.
Intrusion Prevention Systems (IPS) that monitor network traffic for signs of malicious activity and block threats before they do any damage. An IPS is a more advanced version of an Intrusion Detection System (IDS).
Capability to detect suspicious behavior of users, apps, and network services.
Automated incident response plans.
End-to-end data encryption (at rest, in transit, and in use).
App controls that enable you to create "allowlists" and "blocklists," ensuring users install only approved software on endpoints.
Mobile device management (MDM) features for managing and securing mobile devices.
Internet-of-Things security that ensures IoT devices and sensors are free of exploits.
Continuous monitoring capabilities that ensure you're safe around-the-clock.
Device controls that enable you to control which devices can upload or download data.
Data loss protection features that prevent intentional or unintentional data deletion.
Protection from threats that spread via email (anti-malware scans for attachments and phishing detection).
Browser protection that bans certain websites and stops drive-by downloads.
Anti-exfiltration capabilities that block files transmitted via email, collaboration tools, or the Internet.
Real-time reporting and alerting that provide prioritized warnings regarding threats.
Sandboxing features that enable endpoints to test suspicious executables in an isolated environment without access to any sensitive network areas.
Rollbacks to a previous device state (one of the key practices in ransomware prevention).
Threat forensics that help identify the scope and root cause of dangers.

Looking to boost your security levels? Check out our article on the best network security tools on the market and see whether you find a few platforms worth adding to your current tool stack.

Despite Advances, Endpoints Are Still a Go-To Target for Attacks

Modern endpoint security has come a long way from old-school antiviruses and firewalls. Nowadays, platforms provide a far broader set of defenses to counter both known and unknown threats. Despite these advancements, however, endpoints continue to be an enticing target for attacks, so ensure hackers cannot use these devices as an easy-to-crack door into your network.

RTO (Recovery Time Objective) vs RPO (Recovery Point Objective)

While the two metrics may sound alike, Recovery Time Objective (RTO) and Recovery Point Objective (RPO) play entirely different roles in backup and disaster recovery (BDR). Understanding the differences between these metrics (as well as how they work in tandem) is key to surviving revenue-threating incidents without costly downtime or data loss.

This article offers a detailed RTO vs RPO comparison that explains each metric's distinct role in business continuity (BC) planning. Read on to learn what these parameters entail (both in technical and business sense) and see why there's no way to keep business assets safe without a well-defined RTO and RPO.

While they have similar goals, business continuity and disaster recovery are not interchangeable terms. Learn the difference between the two practices in our in-depth business continuity vs disaster recovery comparison.

RTO vs RPO Main Differences

Here's what RTO and RPO stand for:

RTO (Recovery Time Objective) is the time frame within which an asset (product, service, network, etc.) must come back online if it goes down.
RPO (Recovery Point Objective) is the acceptable amount of data (measured by time) a company is willing to lose in case of an incident.

Both metrics are measurements of time and are vital to effective disaster recovery. Both require comprehensive planning and a proactive security mindset, but there are several noteworthy differences between RTOs and RPOs:

RTO concentrates on app and infrastructure recovery, while RPO focuses solely on backup frequency and acceptable data losses.
RTO considers all aspects of the business structure and the entire DR process. RPO only assesses the criticality of data and the cost of replication.
RTO is the more complex process of the two as it involves more moving parts and variables (hot and cold sites, failovers, go-to response teams, etc.).
An RPO relies heavily on automation to back up and restore data, while RTOs involve more manual tasks and a more hands-on approach to recovery.
RPO is easier to calculate as the metric only covers one aspect of the recovery process—data.
Low RPOs are far cheaper than low RTOs due to the significant difference in scope.

Together, RTOs and RPOs enable a business to know how long it can afford to be down and how recent the data will be following the recovery. Most companies prefer bouncing back from disruptions as quickly as possible, but the shorter an RTO or RPO is, the cost of recovery goes up (and vice versa).

The best way to guarantee low RTOs and RPOs without expensive upfront investments is to rely on Disaster-Recovery-as-a-Service (DRaaS). No matter what goes wrong, DRaaS ensures you get back to business as usual in minutes rather than hours or days.

What is RTO

A Recovery Time Objective (RTO) represents the time frame within which an IT resource must fully recover from a disruptive event. For example, a system may have an RTO of 30 minutes. In that case, the incident response team has half an hour to bring everything back up and running following an incident.

The RTO "clock" starts ticking when the affected system goes down and ends when the system is fully operational again. Some RTOs start when the responsible team gets a notification about the incident, an approach more common for non-mission-critical systems.

Any system with a defined RTO must also measure the Recovery Time Actual (RTA). RTA represents the actual duration of the recovery process. RTAs and RTOs are rarely identical, but the goal is to keep the RTA within the expected RTO time frame (RTA ≤ RTO).

If the RTA goes past the RTO mark, you can either:

Revisit the RTO calculation and lower the recovery threshold (an approach that often leads to IT cost reductions).
Update your disaster recovery plan to ensure faster responses in the future.

An RTO is typically the same as the maximum downtime a system can tolerate without impacting business continuity. Every system has a different tolerance level for being offline, so there's no need to have a low RTO for every asset. For example, an HR database does not require the same recovery speed as your primary server or a firewall.

If you rely on managed IT services, the provider defines RTO expectations in the Service Level Agreement (SLA). The same document also defines all availability, response time, and resolution time metrics.

How to Calculate RTO

There's no mathematical formula for calculating an RTO that works for every company or system type. Figuring out an optimal recovery time frame starts with an in-depth risk and business impact analysis (BIA) that examines each asset's unique traits, including:

Consequences of the system going down (monetary, regulative, reputational, etc.).
Overall mission-criticality (i.e., how impactful system downtime would be to other systems and end-users).
The estimated cost of an outage (typically calculated in minutes or hours)
Maximum tolerable period of disruption (MTPD).
Assessed vulnerabilities currently in the system.
The current security measures and features that protect the asset.
Potential threats (power outages, local natural disasters, specific types of cyber attacks, etc.).
The likelihood of the system experiencing problems.
Industry-specific compliance implications.

Once there's an in-depth understanding of the system, the analysis team defines an optimal RTO from an IT perspective. The next step is to consult with the business unit leaders and senior management to determine whether the suggested RTO is viable from a budget standpoint.

In the case of RTOs, faster always means costlier. Any RTO that expects the system to be back online in under an hour requires a steep investment, so do not set low RTOs for every asset. Determining RTOs requires a balancing act between:

Consequences of the system suffering downtime.
The risk of something going wrong with the system.
The price of setting up the recovery process.

More than 72% of companies are unable to meet their RTO expectations. Be realistic when calculating recovery speeds—an impressive RTO that your system or staff cannot meet does not make a difference in times of crisis.

What is RPO

The recovery point objective (RPO) is the maximum amount of data a company is willing to lose during an incident. Teams measure RPOs in hours or minutes since the last working data backup. Once the RPO period passes in a disaster scenario, the quantity of lost data exceeds the maximum allowable threshold.

For example, if a system has an RPO of 3 hours, the team must have a working copy of data not older than 3 hours at all times. In case of a disaster, the affected system can lose up to 3 hours' worth of data without causing long-term issues.

RPOs typically do not apply to archived and historical data. This metric focuses on transactional files and updates that've recently entered a system.

The RPO dictates the frequency a company must create backups to ensure data loss does not exceed the tolerance threshold. The shorter the RPO, the less data is at risk of loss (either permanent or temporary).

Like with RTOs, shorter RPOs require a more significant investment than longer ones. Zero or near-zero RPOs typically require:

High-speed backup tech (such as continuous replication and data mirroring).
High amounts of network bandwidth to transmit data.

These measures are expensive to set up and maintain, so determining RPOs requires the team to find the middle ground between:

The impact of data loss.
The cost of setting up backup and recovery measures.

Any data set with an RPO should also measure the Recovery Point Actual (RPA). This metric represents the exact amount of lost data during an incident, so your RPA must be lower or equal to the set RPO.

If your RPA fails to meet the RPO, you have two options: lower the RPO expectations or improve your data recovery strategy.

How to Calculate RPO

Like with RTOs, there are no go-to formulas for determining an RPO that work for every company. Figuring out RPOs requires an in-depth analysis of each data set. Here are the primary factors:

The financial and operational consequences of losing data.
Likelihood of incidents.
The number of applications that rely on the data set.
The cost of implementing the RPO strategy.
Relevant storage regulations.

Most companies back up their data at a fixed interval (once an hour, a day, a week, etc.). Here are the four most common RPO time frames and a few usual use cases:

Continuous or zero RPOs: Data sets that can't afford losses due to mission-criticality, regulations, or being challenging to recreate. Examples include payment gateway info, patient records, and stock market trading activities.
One to four hours: This time frame is standard for semi-critical business units with limited loss tolerance. Examples are customer chat logs, product dashboards, and password authentication systems.
Four to twelve hours: This RPO is the go-to option for data sets that have little impact on a business if something goes wrong, such as marketing or sales statistics databases.
Between 13 and 24 hours: Longer RPOs are a good fit for non-critical data, such as purchase orders or inventory control files.

Most data sets that do not fall under one of the categories above require weekly backups. You have two options when choosing how to back up your data:

On-site: You store replicas at a different computer or server room in your office. These backups are vulnerable to localized events that impact both primary and secondary storage.
Off-site: Keeping data backups at a secondary facility or a third-party data center removes the danger of losing all storage solutions to a single incident. Most companies that have off-site backups rely on cloud storage.

PhoenixNAP's backup and restore solutions offer state-of-the-art tech that enables you to keep replicas in different geographic regions and meet even the strictest RPOs.

Recovery Time Objective vs Recovery Point Objective

RTO vs RPO: Vital Thresholds for Downtime and Data Loss

Predicting exactly when incidents will occur is impossible, but preparing for unfortunate events is not. Reliable RTOs and RPOs guarantee you control the aftermath of problems and that disruptions do not significantly impact your bottom line. These benefits make setting aside time and resources to prepare RTOs and RPOs a no-brainer decision for most companies.

What is Database Migration and How to Do it Properly

Every business must go through an occasional database migration to optimize costs or enhance service reliability. The problem is that these processes are notoriously difficult—some database migrations take days to complete, and most require some data reformatting or changes in the app's code. There's also the ever-present threat of corrupting data or causing too much service downtime.

This article provides a big-picture view of what a database migration entails and how to create (mostly) painless strategies for moving data between two storage solutions. We also list the most common pitfalls of database migrations to ensure your team is ready to transfer assets without any unpleasant surprises.

What is Database Migration?

Database migration is the process of transferring data and workloads from one or more platforms to a better-suited storage solution. Companies perform database migrations for various reasons—here are a few common ones:

Hoping to reduce IT expenses by moving to a database with better resource usage.
Adopting bigger storage to meet a growing business need.
Upgrading to the latest database version to maintain compliance or improve security.
Pursuing a different database type to lower latency and boost app performance.
Retiring an outdated legacy system to modernize the database.
Merging data from multiple databases into single storage to get a unified view of files.
Performing data repatriation to move away from cloud storage.

Some simpler database migrations involve moving data from one database instance to another storage of the same type (e.g., transferring data from a MySQL database to another MySQL system on a different server). Other migrations, however, are more complex and may involve different types of databases (e.g., moving data from a MySQL database to Cassandra).

A recent study reveals that over 50% of database migrations exceed the predetermined budget or negatively affect the business. Here are the main reasons why database migrations tend to be so challenging:

A well-thought-out database migration requires various complex steps (data audits, database schema conversions (if the team is changing engines), functional and performance tuning, post-migration testing, etc.).
Companies often migrate databases that host mission-critical data or apps, which requires careful coordination of downtime and data loss prevention measures.
Migrations involve a great deal of time and team effort, from initial strategizing and preparations to the actual rehosting and post-migration testing.
A database migration often requires the team to reformat the current data to prepare files for the new system. Related apps and services typically need some tweaks too.

Read about different database types and see whether one of them offers a better-fitting set of features than your current storage.

Types of Database Migrations

There are two main types of database migrations: big bang and trickle migrations.

Big bang database migrations

A big bang migration moves all data and switches to the new system in a single operation. This migration strategy typically has four steps:

Design phase: The team defines the migration scope, analyzes data samples, and sets a schedule (and a budget).
Development and testing phase: The team prepares for the upcoming migration and runs the necessary testing.
The big bang: The team shuts down the current database and migrates to a new environment. The more data there is, the longer the process takes to complete.
User acceptance testing (UAT): The team verifies the migration results to check if everything works correctly.

This type of database migration always involves some availability issues, and an error often requires the team to repeat the entire process. However, the big bang approach is simple as it happens in a time-boxed (albeit exhaustive) event.

Big bang migrations are the go-to option when the team can define the exact scope from the outset or when other projects dictate the deadlines.

Trickle database migrations

A trickle migration is a more agile-like approach to moving a database. The team breaks down the transfer into sub-migrations, each with its own:

Scope.
Goals.
Schedule.
Transfer deadline.

The team confirms the success of each sub-migration individually, which enables a company to re-work only the failed sections in case of an error. However, the drawback of this approach is that the migration takes more time than a big bang. The team must also run two systems simultaneously, which requires extra resources and effort.

The trickle approach is a common choice when the team can logically split the migration into several stages or when the project scope is difficult to define.

Interested in hosting a database on on-site hardware? Our database server price article explains exactly how much you'll have to set aside for such a setup.

Database Migration Benefits

Here's a list of the main benefits of performing a database migration:

Cut IT expenses: Using an old or outdated database adds unnecessary costs to your overhead. Moving to a new storage system lowers infrastructure expenses and enables the team to spend less time maintaining the database.
Pave the way for cutting-edge tech: Keeping up with the latest tech trends is difficult enough without worrying about compatibility with an outdated database. Retiring a legacy system in favor of a more modern database enables the company to more easily stay up to date with the latest IT opportunities.
Better performance: Moving to a newer, better-fitting database leads to faster response times, which improves your app's performance and ability to scale. The company's overall time-to-market also gets a boost.
Free up employee time: Modern database systems are significantly more hands-off than legacy storage and require less troubleshooting. A database migration frees up time for your staff to work on projects that directly impact the bottom line.
Decrease data redundancy: Outdated databases often suffer from syncing mistakes and duplicate data. Migration is an opportunity to filter through files and remove data redundancies, which leads to better storage space use, a lower likelihood of error, and less chance for data integrity issues.
Centralize vital info: A database migration groups all scattered mission-critical and valuable data in a new database. Keeping everything in single storage leads to better accessibility (especially if you adopt a cloud database) and enables next-level analytics for more informed business decisions.
Boost security: Databases are the go-to target for cyberattacks like SQL injections or packet sniffing, and criminals always prefer going after targets with outdated database security. Performing a migration means updating the database with the most recent security patches that prevent the latest data breach tactics.

Looking for a storage system worth migrating to? PhoenixNAP's database servers enable you to host your assets on workload-optimized hardware that's easy to deploy and completely fits your storage needs.

Database Migration Challenges

Here's a list of the most common challenges companies encounter during a database migration:

Data loss: Every database migration comes with the risk of data loss. That's why testing is vital—the team must look for data loss or corruption potential during the planning stage and verify whether post-migration data is present and intact. Data backups are also a must.
Identifying an ideal database system: A migration makes little sense if you see no improvements from the project. Consider all the options on the market and know how to pick a database type (whether paid or open source) that is worth the migration effort.
Precise predictions: One of the biggest challenges of database migration is making the process predictable. You want to avoid surprises when you are twenty terabytes deep in the migration project, so spend as much time in the planning phase as possible.
Defining a scope: Companies with disparate and siloed databases in different departments or locations often struggle with defining a precise scope of the upcoming migration. There's always the chance of leaving out some data that belongs in the new database.
Necessary software changes: Converting all schemas and normalizing data formats is a common challenge during migrations. Teams also typically must make changes to the app code, which further complicates the project.
Post-migration security: Once data is in a new environment, the team must ensure that the new database is as secure as possible. You need an experienced team to check if all the security measures are in place (such as at-rest encryption and proper IDSes) and that there are no potentially exploitable vulnerabilities.
Poor data filtering: Teams often bring unnecessary data to a new system, which wastes resources, prolongs the migration, and creates redundancy problems.

If these problems seem too challenging for your in-house team, consider relying on Database-as-a-Service (DBaaS). DBaaS is a subscription-based service in which the provider manages the database and delivers your storage as a private cloud service, so you offload the "trickiest" migration-related tasks to a third party.

How to Do a Database Migration?

Every database migration is a unique project, but all of them go through a similar multi-step process—let's look at how companies plan a database migration.

Step 1: Pre-Migration

The first step is to form a database migration team. At the very least, you require an expert for the database engine (two of those if the target database has a different engine) and a network specialist well-versed in your servers, ports, and firewall rules. A cybersecurity expert is also a worthwhile addition to the team.

Once you assemble enough talent, the team should define the scope of the upcoming database migration. The team must determine the following:

The goal(s) of the migration (e.g., scale the storage, move to a new type of database, reduce data complexity, improve the performance, etc.).
The resources the migration team requires to do their job.
The deadline for the upcoming project.
Basic parameters (e.g., object types, source objects in scope, connection parameters, etc.).

The migration team must also make early decisions concerning potential migration tools and plan for testing procedures, plus create a high-view framework for the entire process.

Step 2: In-Depth Database Analysis

Once the team knows the migration scope and goals, staff members must analyze the current database. Here's what the migration team must answer:

What is the size of the database?
What's the state of the stored data?
How many schemas and tables do we have?
Do the tables have LOBs (Large Objects)?
How large are the tables?
What are our transaction boundaries?
Are there any engine-specific data types?
How "hot" (i.e., busy) is the database? What are its dependencies?
What kind of users, roles, and permissions does the database support?
Is there any compacted data? If not, can you compact some data to speed up the migration?
How can the migration team access the database (firewalls, tunnels, VPNs, etc.)?
Will there be enough bandwidth to move all the data?
Can apps and services that rely on the database afford downtime? If yes, how much?
Does the company require the current database to stay alive after the migration?
What are the desired HA metrics?
Are you transferring all the data in the current database? Does it all belong in the same place?
Will the team have to make some changes to the app code?
Does the database require some refactoring?
Can we adopt any security improvements not present in the current database?
Does the big bang or the trickle strategy make more sense?

This phase is also an ideal time to check the existing database for duplicate values, inconsistencies, and incorrect info. Avoid bringing these issues into the new system.

Once the team thoroughly understands the current database, it's time to determine the best option for the target system. The team creates a birds-eye view of how the database migration will unfold for each worthwhile database type. Then, the decision maker picks the target system.

Step 3: A Step-By-Step Migration Plan

Now that the team knows the database migration requirements and what the desired system should look like, it's time to create a detailed, step-by-step migration plan. The team assesses the most efficient way to transfer data and workloads.

This step is also the right time to:

Define a precise migration schedule.
Plan how to reduce downtime during data transfer (if the database traffic is very high, it might be unrealistic to plan a live migration).
Create backups of all involved data.
Plan for database schema conversions if you are performing a heterogeneous migration (i.e., a migration between different database engines).
Determine contingency plans in case something goes wrong during the migration.
Perform threat modeling for the target database to ensure it's secure by design.

Database schema conversions are often too resource-intensive and time-consuming to perform manually. Most companies opt for a tool to expedite the process.

Some teams opt to test the migration build at this point. Start with a small subset of data, profile it, and convert its schema. This process ensures all mappings, transformations, and quality rules work before you go all-in on the migration process.

Step 4: Database Migration

The team starts the migration process. If the previous steps were successful, this stage goes without any issues (delays, budget overruns, migration failures, etc.).

Most companies perform a database migration at a time they can afford service availability issues, such as on weekends, at night, or on a public holiday. Despite these precautions, most companies nowadays try to outright eliminate service interruptions with database migration tools that offer data synchronization or the Change Data Capture (CDC) functionality.

Step 5: Post-Migration Checkup

Once the database migration ends, the team must analyze the new environment for:

Missing or corrupt data.
Inconsistencies, duplicate values, or incorrect info.
Performance-related issues.
Security vulnerabilities.
Issues with connections to apps and services.
The validity of all permissions and roles.

The team then fine-tunes the new database to ensure optimal performance levels, sets up monitoring, and brings the new database to production. The team's decision-maker evaluates whether the new system meets the pre-migration goals.

Depending on the migration plan, this final step may also include the deletion of the original database.

PhoenixNAP offers cost-efficient cloud object storage solutions ideal for Sensitive Data Archiving, Content Distribution and File Sharing, Data Protection, and for Distributing Large Video Files. It's S3-compatible, highly scalable, and can store petabytes of digital content without experiencing performance degradation.

Never Rush into a Database Migration

Database migrations are not something anyone looks forward to, but a slow-and-steady approach to transferring storage takes most of the risk and headaches out of the project. You also remove the pressure off the team the more you prepare, so ensure every migration goes through thorough planning before you go after a more fitting storage solution.

16 Types of Cyber Attacks

In 2021, there were an average of 270 cyber attacks per company, which is a 31% increase from 2020. That figure is not going down in 2022 (if anything, it's more likely to go up), so preparing for cyber threats must be at the top of your to-do list. So, what are the different types of cyber attacks you should be ready to face?

This article examines the most common types of cyber attacks you are most likely to encounter in the current cybercrime landscape. We offer an overview of each threat type, explain how victims fall prey to these tactics, and provide tips for ensuring you are not an easy target for would-be hackers.

What Is a Cyber Attack?

A cyber attack is a malicious attempt by an unauthorized third party to breach an IT system. Attacks vary in sophistication and tactics, but every effort to "break into" a system has one of the following goals:

Steal valuable files (personal identifiable information, passwords, financial records, etc.) and ask for a ransom under the threat of data leakage.
Collect valuable data and sell it to the highest bidder (typically on the Dark Web).
Disable computers or disrupt the victim's network (often to form a launch point for other attacks or get a short competitive edge).
Expose business secrets (such as a patent or code).
Destroy systems and delete data as a form of "hacktivism."
Steal personal data and commit identity theft (typically with the idea of pulling off an unauthorized money transfer).

A successful cyber attack has a long line of negative effects, including:

Financial losses (a single successful attack costs companies an average of $200,000).
Data breaches.
Permanent data loss or corruption.
Loss of user trust.
Bad press.
Potential legal fines and lawsuits, both common if you lost customer data during an attack.

Companies are increasingly investing more in security as criminals get more creative and aggressive with their tactics. Recent reports reveal that 69% of US-based firms are expanding their cybersecurity budgets in 2022 (over 85% expect allocated budgets to increase by up to 50%). The current top areas of investment are:

Cyber insurance.
Digital forensics.
Incident response.
Security awareness training.

Learn the difference between an attack vector and surface, two overlapping security concepts you must firmly understand to make reliable preparations for malicious activity.

Types of Cyber Security Attacks

A criminal rarely decides to re-invent the wheel when trying to hack a way into a network. Instead, attackers draw upon tried-and-tested techniques they know are highly effective. Let's take a close look at the most common types of cyber attacks a third party might use to breach your company.

1. Malware-Based Attacks (Ransomware, Trojans, Viruses, etc.)

Malware is malicious software that disrupts or steals data from a computer, network, or server. The malware must install on a target device to become active, after which a malicious script moves past the security measures and performs one (or more) of the following actions:

Deny access to a critical system or data.
Steal files.
Damage data integrity.
Spy on user activity.
Disrupt or even render the system inoperable.
Hijack control of the target device (or multiple systems on the same network).

While some malware exploits system vulnerabilities (for example, an issue with UPnP), these programs typically breach a system through human error, such as when the victim:

Clicks on a dangerous link.
Opens an infected email attachment.
Plugs in a corrupted USB or portable hard drive.
Visits an infected website that runs a drive-by download (unintentional download of malicious code onto the visitor's device).

Malware is one of the most common types of cyber attacks and has multiple variations. Let's look at all the most prominent ones.

Spyware

Spyware is a type of malware that spies on the infected device and sends info to the hacker. Most attackers use this tactic to silently spy on user data and browsing habits.

If the target accesses valuable data on a spyware-infected device (e.g., logging into a bank account), the criminal gathers sensitive info without the victim knowing something's wrong.

Keyloggers

Keyloggers are similar to spyware, except that this type of malware spies on what you type into your keyboard. That info enables a criminal to gather valuable data and later use it for blackmail or identity theft.

Viruses

A computer virus is a malicious program capable of replicating itself by across programs on the target device. If you activate a virus-infected file, the malicious software self-replicates across the device, slowing down performance or destroying data.

Worms

A worm is a standalone malware that replicates itself across different computers. Worms move around via a network, relying on security failures to spread and steal data, set up backdoors, or corrupt files.

Unlike a virus that requires a host computer or operating system, a worm operates alone and does not attach to a host file.

Trojans

Trojans "hide" inside a seemingly legit piece of software (hence the Greek mythology-inspired name). If you install a trojan-infected program, the malware installs on your device and runs malicious code in the background.

Unlike a virus or a worm, a trojan does not replicate itself. The most common goal of a trojan is to establish a silent backdoor within the system that enables remote access.

Adware

Adware is malware that displays marketing content on a target device, such as banners or pop-ups when you visit a website. Some adware also monitors user behavior online, which enables the malicious program to "serve" better-targeted ads.

While adware may seem relatively innocent compared to other malware, many criminals use this tactic to display ads hiding files with malicious code.

Fileless Malware

Fileless malware does not rely on executable files to infect devices or directly impact user data. Instead, this type of malware goes after files native to the operating system (like Microsoft Office macros, PowerShell, WMI, and similar system tools).

Fileless malware is difficult to detect as there are no executables, which are the go-to scanning target for network security tools. Recent studies indicate that the fileless approach is up to 10 times more successful than traditional malware.

Ransomware

Ransomware is a type of malware that encrypts files on a target system. Once the program encrypts data, the hacker demands a ransom (usually requested in cryptos) in exchange for the decryption key.

If the victim declines to pay the ransom, the criminal destroys the decryption key, which means there's (usually) no way to restore data. However, many who opt to meet the demands never receive the promised key. Ransomware code also often corrupts data beyond repair during the infection process, which means the key you receive from the criminal is sometimes useless.

Ransomware is a threat to both individual users and organizations. More tech-savvy criminals prepare malicious packages that attack multiple computers or go after a central server essential to business operations.

Want to learn more about ransomware? Check out these articles:

Our ransomware protection enables you to use various cloud-based solutions to ensure you never end up in a situation where paying a ransom is the only way to get your data back.

2. Phishing Attacks

A phishing attack happens when someone tries to trick a target with a fraudulent email, text (called SMS phishing or "smishing"), or phone call (called voice phishing or "vishing"). These social engineering messages appear to be coming from someone official (like a colleague, bank, a third-party supplier, etc.), but the imposter is actually trying to extract sensitive info from the recipient.

Some criminals do not ask for info directly. A hacker might try to get the victim to click on a link or open an email-attached file that:

Downloads and installs malware on the device.
Leads to a phishing website (typically a fake login page) that steals data if you type in credentials.

Phishing is among the most popular types of cyber attacks. Simple to pull off and highly reliable, recent reports reveal that phishing tactics were a part of 36% of data breaches in 2021.

Many phishing attacks go after as many targets as possible, but some focus on a specific team or person. Let's take a closer look at these more targeted tactics.

Spear Phishing Attacks

Spear phishing goes after a specific individual. The attacker uses personal info about the target (gathered on social media, bought on the Dark Web, or collected via other phishing attacks) to make a more credible message tailored to that person.

Email is by far the most common attack vector for spear phishing. If criminals decide to use an email, they have two choices:

Hack someone's email and reach out to the target from a real account.
Use email spoofing to make a new address that is almost identical to the email they're trying to impersonate.

Hackers usually time spear-phishing emails to make a more compelling message. For example, a criminal may wait for the target to go away on a business trip or make a new hire, and create a strategy centered around those unique circumstances.

Angler Phishing Attacks

An Angler attack happens when a phishing imposter targets someone on social media and attempts to steal their credentials outside a corporate network. There are no strict firewall rules or custom IDSes to stop spam messages, which is why this relatively new phishing tactic has had much success in recent years. People also tend to be more off guard on social media than when viewing a message on an official email address.

Whaling Attacks

Whale phishing happens when an attacker goes after a high-profile employee, such as the CEO, COO, or CFO. The idea is to target someone who has the authorization to make major money transfers.

While harder to pull off than trying to trick a lower-ranking employee, whale phishing is the most profitable form of phishing. Profits often reach millions of dollars, so C-level executives must always be on guard for such tactics.

Phishing is a typical first step to CEO fraud. These scams are now a $26-billion-a-year industry, so check out our article on CEO fraud for an in-depth look at how to counter this threat.

3. Password Attacks

Passwords are the most common method of authenticating users when accessing a computer system, which makes them a go-to target for cyber attacks. Stealing someone's credentials enables a hacker to gain entry to data and systems without having to fight through cybersecurity measures.

Recent studies reveal that 20% of data breaches start with a compromised credential. Criminals rely on a variety of methods to get their hands on an individual's passphrase, including using:

Social engineering.
Hacking a password database or a company's password management platform.
Spying on an unencrypted network transmission.
Guessing the password (usually with a bot).
Paying one of the employees to share their password.

Let's explore the most common password-based types of cyber attacks.

Brute-Force Attack

A brute-force attack relies on a program that systematically goes through all the possible combinations of characters to guess a password. The easier the password is, the quicker the program does its job.

This simple method is time-consuming, which is why hackers always use a bot to crack the credentials. Here are the most popular programs attackers rely on to brute-force a passphrase:

Aircrack.
Cain.
Abel.
John the Ripper.
Hashcat.

Hackers often use basic info about the target to narrow the guessing process, "feeding" the bot with personal data (such as job titles, school names, birthdays, family and pet names, etc.). The program then tests combinations of that data to speed up the deciphering process.

Preventing a brute-force attack does not boil down to using unique passwords. A top-tier program can crack a seven-character password in under 30 seconds. Using lengthy, alphanumerical passwords is the most reliable way of preventing brute-force attacks.

Dictionary Attack

A dictionary attack is a strategy in which a hacker uses a list of common passphrases to gain access to the target's computer or network. Most hackers purchase previously cracked passwords in a bundle on the Dark Web, but some dictionary attacks rely solely on common words and phrases.

Password Spraying

Password spraying is a strategy in which a hacker attempts to use the same password across as many accounts as possible. For example, a bot might crawl across the Internet and try to log into every profile with a "password1" credential.

While not too reliable a tactic at first glance, spraying takes on a new light when you consider over 3.5 million U.S. citizens use "123456" as a password.

Our guide to strong passwords explains a multitude of simple ways to create passwords that are easy to remember and impossible to crack.

4. Man-in-the-Middle Attacks

A man-in-the-middle attack (MitM) occurs when a hacker intercepts in-transit data moving between two network points. An attacker hijacks the session between a client and host, which creates an opportunity to view or edit data. A more common name for the MitM is an eavesdropping attack.

The main problem with MitM attacks is that this breach is very challenging to detect. The victim thinks the info is traveling to a legitimate destination (which it does), but there are often no indications that data made a "pitstop" along the way.

There are two common points of entry for a MitM attack:

Unsecured public Wi-Fi that does not have sufficient network security.
Pre-installed malware that works in the background of the sender's or the recipient's system (or the network as a whole).

For example, let's say you're using the Wi-Fi at a local coffee shop and decide to check your bank account balance. You log in and send info to a bank's server, but a hacker intercepts data and captures your username and password. There's no VPN to protect info, so the hacker gathers everything needed to log into your account and drain all funds.

Want to learn more about the MitM threat? Our article on man-in-the-middle attacks goes through everything your security team needs to know about this strategy.

5. SQL Injection Attacks

An SQL injection enables a hacker to "trick" a website into revealing info stored within its SQL database (login data, passwords, account info, etc.).

Injections are a bit more technical than an average brute-force attack or a phishing strategy, but even a novice hacker knows how to pull these attacks off. The attacker types in predefined SQL commands into a data-entry box (such as a login field). Once injected, commands exploit a weakness in database design and can:

Read sensitive data.
Modify or permanently delete stored files.
Trigger executive functions (like causing a system shutdown or changing user permissions).

Our article on SQL injections explains precisely how these attacks work and presents the most effective ways to prevent injection attempts.

6. DoS and DDoS Attacks

Denial of Service (DOS) and Distributed Denial of Service (DDoS) are cyber attacks that aim to overwhelm a system, server, or network with fake requests. The attackers spam the target until they exhaust all resources or bandwidth, rendering the system unable to fulfill legitimate requests.

Here's the difference between DOS and DDoS:

A DOS occurs when a hacker uses false requests or traffic to overwhelm a system until it fails or goes down.
A DDoS is the same type of attack, except the hacker relies on multiple malware-infected devices to crash the system with more speed. IoT devices are a common choice for hackers building these "bot armies."

The most common types of DoS and DDoS attacks are:

Teardrop attack.
Smurf attack.
Botnets.
The TCP SYN flood attack.
Ping-of-death attack.

The goal of DOS and DDoS is not to steal data but to slow down operations. Sometimes, a hacker uses a DDoS attack to distract the security team and create a window of opportunity to perform other malicious activities.

Learn about the most effective methods of preventing DDoS attacks and see how the pros ensure hackers cannot overwhelm a system with illegitimate requests.

7. Advanced Persistent Threat (APT)

An APT is a cyber attack in which an intruder maintains a long-term presence within a system without the victim's knowledge. The goal of these attacks varies, but the most common objectives are to:

Steal large amounts of business data.
Establish a source of corporate espionage.
Sabotage infrastructure.
Cause a long-term service outage.
Perform a total website or app takeover.

An APT is more complex than other types of cyber attacks. Criminals often form a full-time team to maintain a months-long presence within the target system. These attacks rarely rely on automation as criminals develop custom programs and tactics for breaching a specific tech stack.

Our article on APT attacks offers an in-depth look at this potentially business-ending threat.

8. Zero-Day Exploits

A zero-day exploit is a security flaw within a piece of software that exists without the admin's knowledge. For example, a company might release a new version of an app with a yet unidentified weakness a hacker can exploit.

Once the team discovers the flaw, they have "zero days" to fix the issue as hackers are likely already working on exploits.

A zero-day exploit is an umbrella term that covers any malicious activity that relies on a still unpatched system weakness. Companies must be wary of zero-day vulnerabilities whenever they update apps or services, so invest in proactive flaw detection and agile threat management.

Learn more about zero-day exploits and see the most effective ways your company should plan for these kinds of vulnerabilities.

9. Watering Hole Attacks

A watering hole attack is a strategy in which a hacker infects a website or sets up a malicious copy of a page a specific user group is likely to visit. This strategy goes after a particular group of end users, so attackers always profile their targets to determine what websites they like to use.

Once the target interacts with the malware-infested website, the intruder gets an opportunity to perform malicious activities (steal login details, inject malware, gain access to the network infrastructure, set up remote controls, etc.).

10. Cryptojacking

Cryptojacking is a cyber attack that enables a hacker to secretly use a computer's processing power to mine for cryptocurrencies (most commonly Bitcoin or Ethereum). Most infections occur when the target:

Visits an infected website.
Opens a malicious link.
Clicks on a malware-infected ad.

Cryptojacking severely slows down the system, but it also causes other vulnerabilities. The malicious program often tempers with firewall settings, which creates more space for other threats.

Cases of cryptojacking nearly quadrupled from 2020 to 2021. Recent reports suggest that one in 500 Alexa sites hosts mining malware.

11. URL Manipulation

URL manipulation (or URL rewriting) happens when an attacker changes the parameters in a URL address to redirect the victim to a different website. This tactic typically happens via a malicious script and leads the victim to a phishing or a malware-infected page.

URL manipulation is not URL poisoning (also known as location poisoning). Poisoning an URL means tracking Web visiting behavior by adding an ID number to the URL line when a user goes to a particular site. Hackers then use the ID to track the visitor's browsing history.

12. DNS-Based Attacks

Domain Name System (DNS) protocol often has exploits that enable a hacker to attempt a cyber attack. Let us look at the two most common ones: DNS tunneling and spoofing.

DNS Tunneling

DNS tunneling uses the protocol to tunnel malware and data through a client-server model while bypassing the firewall and other security measures. Once a malicious program enters the system, it latches onto the server and gives the hacker remote access.

Inbound DNS traffic carries commands to the malware, while outbound traffic enables a hacker to steal data or respond to malware requests (change code, install new access points, etc.).

DNS Spoofing (or "Poisoning")

DNS spoofing enables an attacker to send traffic to a fake (or "spoofed") website and gather data from unwitting visitors. These websites are an identical replica of the legitimate site (typically a copy of a login page for a bank or a social media account) that send info directly to hackers once you type in the credentials.

Hackers also use DNS spoofing to sabotage a business by redirecting visitors to a poor-quality page, often with mature or obscene content. Some companies use this tactic as an underhanded method of taking cheap shots at a competitor's reputation.

Learn about the DNS security best practices and see the best proactive ways to keep your DNS-powered systems healthy.

13. Cross-Site Scripting (XSS)

A cross-site scripting (XSS) attack exploits vulnerable websites and enables a criminal to set up malicious executables on web pages and apps. A hacker injects a payload with malicious JavaScript into a website database which executes as a part of the HTML body when someone requests to open a page in their browser.

When the malicious script executes, the hacker bypasses access controls and hijacks the account. Tech-savvy hackers also use XSS to exploit and create additional security flaws, such as laying the groundwork for malware, taking screenshots, or collecting network data.

15. Rootkits

Rootkits are malicious programs that give an intruder unauthorized admin-level access to a computer or other software. A criminal often uses a rootkit to:

Remotely access the target computer.
Edit system files and data.
Install keyloggers and other malware.
Exfiltrate data without the victim knowing about the breach.

Rootkits are notoriously hard to detect as they "hide" deep within the operating system. Top-tier programs also impact anti-virus settings, making the detection process even more challenging. Most rootkit infections spread through email attachments and drive-by downloads on unsafe websites.

16. Session Hijacking

Session hijacking is an advanced form of a MITM attack in which an imposter takes over a session between a client and the server instead of only spying on the communication. The hacker steals the client's IP address, and the server continues the session because it has already formed a trusted connection with the device.

Once intruders hijack a session, they are free to do anything within the permissions of the victim's account. For example, if a criminal hijacks a session while an admin is accessing a company's database, the attacker can view, edit, or destroy files.

Most security teams focus on external threats when preparing for cyber attacks. In actuality, an insider could do just as much if not more damage than a third-party hacker—learn how to prepare for insider threats and see how smart companies deal with dangers from within the organization.

How to Prevent Cyber Attacks?

Let's look at the most effective ways to prevent the different types of cyber attacks discussed above:

Use strong, alphanumeric passwords that are unique for every account.
Change passwords every few weeks.
Do not include everyday phrases, personal info, or simple number sequences in credentials.
Disable password hints on your apps and websites.
Keep all apps, browsers, OSes, and devices up to date with the latest patches.
Rely on an anti-virus protection tool for threat detection.
Boost network security with strict access controls, firewalls, segmentation rules, traffic analysis, and instruction prevention systems (IPS).
Perform regular network security audits.
Never click on links or attachments in an email from an unknown sender.
Scrutinize emails for loopholes and grammatical errors, especially when confronted with an unsolicited message.
Use VPN when accessing the corporate network outside of the office.
Stay clear of public Wi-Fi networks.
Perform daily data backups.
Organize regular employee awareness training.
Use account lockout and two-factor authentication to prevent password attacks.
Ensure employees know how to keep their BYOD devices safe.
Never download or install anything unless you're interacting with a verified source.
Enforce zero-trust security policies.
Keep data safe with at-rest encryption, in-transit encryption, and confidential computing (protecting data during processing). Also, ensure your key management has no exploitable flaws.
Know how to recognize warning signs (network slowdown, website crashes, etc.).
Form a Cyber Incident Response Team (CIRT) that prepares response strategies, disaster recovery, and cyber kill chains.
Limit the info your company shares on its official website and social media.
Use an ad blocker when browsing the Internet.
Create a cloud security policy to ensure your use of cloud computing does not lead to weaknesses.
Organize penetration tests to see how systems and staff respond to realistic simulations of different types of cyber attacks.

Do you rely on in-house hosting? Then your security plan must also include hardware protection—refer to our article on server room design to learn how companies keep on-site infrastructure safe.

The Best Way to Counter Different Types of Cyber Attacks Is to Understand How They Work

Is the goal of this article to make you paranoid? No, but we are trying to make you aware of the different types of cyber attacks you will likely encounter at some point. Once you know how an average hacker thinks, creating an effective protection strategy becomes easier. Use this article to stay a crucial step ahead of would-be criminals looking to make a quick buck off your company.