HYCU CEO: With New Ransomware Recovery Readiness Score, The Focus Is On When The ‘Bad Guys Are Already In The House’

‘We’ve got to stop telling people that they can be foolproof against a ransomware attack. Instead, we need to let people know you’re going to get hit and [attackers are] going to get in the door. But when they get in, we want to make sure that you never have to pay the bad guys any kind of ransom,’ says HYCU CEO Simon Taylor.

Assume A Ransomware Attack Succeeds, What’s Next?

Ransomware attacks are common headlines today, particularly in the wake of the attacks on solution providers and MSPs via Kaseya, Accenture and others. The focus on reducing or eliminating the impact from ransomware attacks, or any cybersecurity attack, traditionally has been on keeping attackers out of a business’ IT infrastructure. But as history has shown, attackers still get through. For that reason, storage vendors are increasingly adopting anti-ransomware protection to protect business data even if an attack is successful.

HYCU, the Boston-based developer of multi-cloud data protection technology, recently went a step further together with a handful of security-focused vendors and channel partners to develop the ransomware recovery readiness score, or R-Score, as a free way for businesses to anonymously understand their ability to recover from an attack and what steps they can take to improve their readiness.

“When we looked at all the tools out there, we realized that everything is designed around stopping the bad guys from getting in the door,” HYCU CEO Simon Taylor told CRN. “But really nobody’s come up with a very simple way of evaluating what’s going to happen to your business when they get in.”

Taylor, in a wide-ranging conversation with CRN, also discussed his company’s financials and plans for the rest of 2021. Here’s a look at what HYCU is up to and how it wants to help mitigate the impact of ransomware attacks.

How would you describe HYCU? What's a good definition of what you do?
We’re now at 2,700 customers, and I believe that we are actually the world’s fastest- growing, multi-cloud Backup-as-a-Service company. And I think the key differentiator for us is we are natively integrated across all the cloud platforms, on-prem, and in public clouds. We automate the process of data migration and Disaster Recovery as a Service. But the simplicity that we bring to bear around backup and recovery is second to none. So one of the things we’ve spent an enormous amount of time, effort and resources in terms of development is in the consumerization of backup and recovery.
We don’t think enterprise data protection has to be complicated. We [think], if Salesforce could simplify CRM to the point where anyone anywhere could use it, IT folks deserve the same level of simplicity. And we’ve invested an enormous amount to make that a reality. And I think it’s really paid off for our customer base around the world. We grew [revenue] 450 percent last year, we’ll grow about 300 percent this year. We’re now in 78 countries across the world. And our sales force has grown, but we haven’t added thousands of people. The sales are coming from the fact that, as people look to move to the cloud, they want simplicity. They don’t want to add complexity just to ensure that they have great data protection. So what we do is bring together simplicity and enterprise data protection in a true service delivery model that I think customers really like.

HYCU recently introduced the R-Score, or ransomware recovery readiness score. Tell us about it.

It’s effectively a credit score that assesses your ransomware recovery capabilities. [We wanted to offer] a public service to really help people to do better in terms of being able to prepare for a ransomware attack. And when we looked at all the tools out there, we realized that everything is designed around stopping the bad guys from getting in the door. But really nobody’s come up with a very simple way of evaluating what’s going to happen to your business when they get in. There are lots of tools and metrics and measurement kind of things that look at can I stop you from getting in? But once you get into my data, we want it to say, how ready are you to recover the data so you don’t need to pay the bad guys? And so we came up with this idea of generating almost a credit score for your business. You simply go online and answer a series of questions. It doesn’t just give you a score. It gives you a whole remediation plan so that you can improve your score and get better.

Is it a vendor-agnostic tool?
It’s completely vendor-agnostic. In fact, it’s not a product, it’s a public service, meaning that we’re not offering it on the HYCU website. We’ve actually purchased [the domain] www.getrscore.org. And we’ve started to work with a variety of other partners from the entire spectrum of the security industry. So this isn’t just a HYCU service. This is a true public service offering that’s brought to you by industry leaders across security and data protection. So as of right now, Carahsoft, SADA Systems, FireEye Mandiant, and HYCU are the founding members of the R-Score collective.

Will other vendors get involved?

We’re going to have others for sure. Right out of the gate, it’s just the ones that I named. We started talking to vendors about the fact that there has to be something done about all of the ransomware attacks, and we have to stop pretending that it’s not happening. I mean, it’s happening every 11 seconds. And so we started speaking to all these different companies and saying, ’We’ve got to stop telling people that they can be foolproof against a ransomware attack.’ Instead, we need to let people know you’re going to get hit and [attackers are] going to get in the door. But when they get in, we want to make sure that you never have to pay the bad guys any kind of ransom.

The R-Score assessment is free, right?

When we started to see how exciting this was for people and how many partners wanted to join, there was a lot of discussion around, ’Well, should we commercialize this? Should we monetize it?’ And I’m really proud of the team because we came down very hard on the side of this is not a commercial venture. Having an R-Score is designed to protect the marketplace. We don’t charge for it. We don’t even gate it. That’s the way these things usually work, right? Someone offers a ’free’ service. And then you show up to the website and you got to give them 300 pieces of personal information. We said, ’Absolutely not. We’re never going to expose the marketplace and their vulnerabilities to the bad guys. And so we don’t want to know who you are.’ We want you to fill this out. And we literally ask you on the site to print out your results or note them down, which sounds crazy, right? In almost every other case, people say, well, ’I’ll just email you the results.’ But we don’t want the vulnerabilities to be matched with the email addresses. We want this completely anonymous so that customers feel very safe taking the test, getting their R-Score, and then using those recommendations that we provide so that they can strengthen their data protection apparatus. And what’s so exciting about it is it’s honest, it’s ethical, and it’s really designed just to help the marketplace in dealing with the scourge of ransomware.

At one point you said that with the right backups, customers will never have an issue with ransomware. Can businesses truly be safe from ransomware attacks?
We believe everybody is going to be hit with a ransomware attack. … But what people usually say is, ’I’m going to use these tools so that I don’t get hit.’ And we believe that’s a faulty premise. We believe that, no matter what tools you use, at some point somebody is going to slip through your guard. One email is going to get inside and something’s going to happen where you may get hit by a ransomware attack. When you do, the question is how prepared are you? And you’re never 100 percent prepared. Nothing is foolproof. We know that. On planet earth, unfortunately, nothing is guaranteed. What we can do is provide people with guidance so that the likelihood of them being able to recover their data once they’re attacked improves. And I think while the focus of the industry has been on stopping the bad guys from getting into the gate, we want to focus on when they’re already in the house. How do we stop them from getting into the vault? And I think that’s been the major premise here.

I would absolutely never want to make a claim that using any sort of tool is going to prevent you from getting hit by ransomware. In fact, I’m saying the opposite. I’m saying everyone should be prepared, because everyone’s going to get hit at some point. And when you do, you just want to make sure that you’re doing everything possible so that you don’t ever have to pay the bad guys to get your data back. We want to set things up so the likelihood is you’ll be able to go in and just recover your data.

Is HYCU 100 percent channel?

It is. ... One of the major evolutions of our business has been the launch of HYCU’s CSP [Cloud Service Provider] program. We’re now finding that over 50 percent of our customers are actually coming out of CSPs and MSPs. And so one of the things we’re starting to do is build out an end-to-end MSP and CSP program under the leadership of our new CRO Justin Endres, our SVP of global sales. Justin was the CRO at AlienVault and SolarWinds, companies that really understand MSP and CSP and service provider sales motions. And one of the thrilling things for me has been bringing Justin on board and working with him as he starts to execute against our MSP and CSP strategy.

Is HYCU profitable or cash-flow-positive yet?

We don’t really talk about our profitability publicly, but I would say that we run a very lean and mean model. I would say that we are probably one of the most profitable companies in our space given our size. But we don’t talk about our profitability and we don’t provide numbers about that, like everybody else.

How much funding has HYCU brought in?
With Bain Capital Ventures, $87.5 million was our last round. That is our total funding. HYCU took a very different approach than most of the folks in this industry. We didn’t come at this and say, ’Hey, we’re going to jump on the hamster wheel and just start raising money right off the bat.’ What we said is, ’Let’s find a way to fund ourselves. Let’s build out our business. Let’s go and attract real customers.’ So by the time we actually raised money, we had over 1,000 individual logos, named logos, in the company. ...

The nice thing about this approach is, we didn’t need to follow the shiny object. We were really able to follow the customer requests, to build the business based on what the customers were telling us they really needed. In many cases there were things that investors might say, ’Wow, that’s a really a hot sexy space to be in.’ But our customers were saying, ’That’s all sizzle and no steak. We want the steak. How are you going to make it easier for us to manage the multi-cloud data center, or the multi-cloud data estate,’ as I call it. And the amazing thing about this is it actually led us to the development of what we call the inverted platform, which is where we designed purpose-built backup and recovery services for each individual cloud and then just stitched them together with a virtual appliance that we call HYCU Protege.

One of the trends we’ve noticed recently is storage resellers masquerading as backup vendors. You know, folks buying AWS in bulk and then selling it to the industry. We say, ’No. Data protection needs to be truly agnostic.’ And the only way it becomes truly agnostic is if we are not beholden to one storage vendor or another. So everything we do is bring your own storage. Everything we do is true SaaS, and everything we do is natively integrated into the platforms we support.

What can we expect to see from HYCU for the rest of 2021?

Our big two technical releases this year so far from an R&D perspective were backup and recovery for Office 365, as well as the world’s first truly native Kubernetes support in a data protection product. And so our integration with [Google Kubernetes Engine], as well as container support for Azure, etc., are some of the most native integrations you’ll find in the data protection space. So that’s been terrific. When I think about how we expand HYCU Protege and support for customers, there’s breadth and there’s depth. We can either provide additional support for platforms, whether it’s other clouds or other SaaS services, or we can go deeper on the individual clouds. I don’t want to give the game away right here, but what I will say is, you can expect to see additional breadth and depth coming from HYCU before the end of this calendar year.