By Mohamad Rizk, Senior Regional Director – Middle East & CIS at Veeam Software
Data protection may once have been an afterthought, but it is now an everyday priority for businesses. Beyond regulations like GDPR and the soon-to-arrive NIS2, the average global cost of a data breach is $4.45M. The financial impact can be even worse if production data is compromised, whether through a breach or an internal error, and the result is downtime. For enterprises, downtime costs over $1 million per hour and in some cases reaches as much as $5 million per hour.
With 37% of servers experiencing at least one unexpected outage in 2023, it is a constant struggle. Despite this, more education is needed, because too many misconceptions leave businesses unprepared. Here are three data protection myths that need dispelling in 2024.
Cloud providers back up your data
Businesses are well accustomed to storing data and workloads in the cloud. Case in point: security breaches in the cloud have now surpassed those on on-premises servers. This is not a comment on one being more secure than the other; it simply reflects where the modern organization's data now lives.
Despite this, there is still a widespread misunderstanding of the cloud's shared responsibility model. A 2023 study found that 43% of IT data managers incorrectly believe that cloud providers are responsible for protecting and recovering data in the cloud. This is simply not the case. The provider is responsible for the security and availability of the cloud itself; the customer is responsible for what they put in it. Cloud providers do build a certain level of resilience and redundancy into the infrastructure that hosts your data, but that redundancy protects against hardware and site failure, not against an accidental deletion, a misconfiguration or a ransomware attack carried out with your own credentials, all of which are replicated just as faithfully as the data you wanted to keep.
This misconception stems from people believing cloud providers take care of everything once you migrate. You used to hear the analogy that on-premises is like cooking at home while the cloud is like dining out. This is misleading. It is closer to hiring a fully equipped kitchen: you should expect the stove to work (and be safe), but if you burn the food, that is on you.
Data backup and disaster recovery are shared responsibilities. The cloud provider offers the tools and capabilities, but it is up to the customer to configure and manage backups according to their needs. If you want to offload that work to a third party, you can do so with a Backup-as-a-Service (BaaS) offering, but such services are add-ons rather than standard, and even moving to a Platform-as-a-Service (PaaS) offering leaves responsibility for the data itself with the customer.
How paying ransoms actually works
Ransomware remains the top cause of data breaches and system outages. The Veeam Data Protection Trends Report 2024 found that three out of four organizations suffered at least one ransomware attack last year, with a quarter being attacked more than four times. Recovering from ransomware is an unfortunate reality of modern business, yet far too many organizations end up paying the demands. A survey of ransomware victims found that 81% of organizations paid the ransom, yet only 54% were able to recover their data and 27% could still not recover it.
However, few people outside security or IT understand what actually happens after you pay. A few things can happen after converting funds to Bitcoin and sending the payment to the attackers. What often happens at first is nothing. Ransomware is not like opening a Netflix account: you do not get seamless, instant access to what you have paid for. You have to wait. In the more unfortunate cases, that wait lasts forever and no decryption keys are ever supplied. More likely, the keys will eventually be handed over, but even this is often in vain. According to the same survey, one in four victims who paid were still left unable to recover their data.
The main misconception here is not that paying ransoms is risk-free, but how long recovery takes even when it does work. It is not point-and-click. Decryption is a largely manual task: the attacker's decryptor is typically slow and unreliable, and keys are commonly issued per host or per share rather than as one master key for the whole estate. You are not unlocking one giant padlock around your warehouse; you are unlocking each thing inside it. Some groups will even charge you more for additional keys to make the process faster. It is no wonder that, on average, recovery from a ransomware attack takes just over three weeks.
Using backups after a ransomware incident
Experts in ransomware resilience across the industry have made great efforts to argue against ransomware payments and to educate organizations on why data backup and system recovery are a far safer, more reliable and more ethical way to recover from a ransomware attack. While practically every organization takes backup seriously these days (doubly so now that regulations such as the EU's NIS2 make it a legal requirement for many), many are less prepared than they think when it comes to actually using that backup to recover from an event like ransomware.
There are a few common trip-ups in ransomware recovery. The first is the backup itself being targeted and compromised during the incident: attackers go after backup repositories deliberately, and in three out of four attacks they succeed in affecting them. The way around this is to have multiple backups, to have immutable (unchangeable) backups, and to keep a version offline. Immutability needs to be enforced by the storage itself (object lock, a hardened repository or a physically disconnected copy), not merely by a permission that the same compromised administrator account can switch off, and a backup that has never been restored is not yet proven. The second roadblock organizations run into is not having an environment ready to recover data into. Organizations sometimes do not realize until it is too late that the production environment that houses their workloads, whether cloud or on-premises, is often unavailable for some time: it is either compromised or cordoned off as an active crime scene. If your kitchen has burnt down, you cannot replace it until the building itself has been checked and secured. So you need a standby environment to recover your backup data into during an outage. If that is a cloud, make sure your team is technically comfortable with how that specific cloud works; you do not want to be refactoring data or learning new cloud specifics in the middle of an outage.
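The two checks a practitioner would want from the paragraph above, as an added example that is not part of the original article or of any Veeam product: an inventory check that the copies you hold actually satisfy "multiple, immutable, one offline" (encoded here as the commonly cited 3-2-1-1-0 rule of thumb, which is my choice of rule, not the article's wording), and a manifest check that detects when a copy has been altered in place, the way an attacker who reaches the repository would alter it. The inventory format, the field names and the sample backup files are all constructed for the example.

```python
"""Backup inventory and integrity checks (added example, not Veeam code).

Assumptions (mine): each backup copy is described by a dict with the keys
used in INVENTORY below, and the rule applied is 3-2-1-1-0: at least
3 copies, on 2 media types, 1 off-site, 1 immutable or offline, 0 unverified.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed sample inventory for one production dataset.
INVENTORY = [
    {"name": "primary-nas",   "media": "disk",   "offsite": False, "immutable": False, "offline": False, "verified": True},
    {"name": "s3-objectlock", "media": "object", "offsite": True,  "immutable": True,  "offline": False, "verified": True},
    {"name": "tape-vault",    "media": "tape",   "offsite": True,  "immutable": False, "offline": True,  "verified": False},
]


def check_3_2_1_1_0(copies):
    """Return the list of rule violations; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append("only one media type (" + ", ".join(sorted(media)) + ")")
    if not any(c["offsite"] for c in copies):
        problems.append("no off-site copy")
    if not any(c["immutable"] or c["offline"] for c in copies):
        problems.append("no immutable or offline copy")
    unverified = [c["name"] for c in copies if not c["verified"]]
    if unverified:
        problems.append("unverified copies: " + ", ".join(unverified))
    return problems


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _files(backup_dir):
    """Relative POSIX paths of every data file under backup_dir."""
    return {p.relative_to(backup_dir).as_posix(): p
            for p in backup_dir.rglob("*") if p.is_file() and p.name != "MANIFEST.json"}


def write_manifest(backup_dir):
    """Record the SHA-256 of every file. The manifest must itself live on the
    immutable copy; otherwise an attacker with write access just rewrites it."""
    manifest = {rel: _sha256(p) for rel, p in sorted(_files(backup_dir).items())}
    out = backup_dir / "MANIFEST.json"
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return out


def verify_manifest(backup_dir):
    """Return sorted names of files that are missing, modified, or not in the
    manifest at all (a dropped ransom note shows up in the last category)."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    present = _files(backup_dir)
    bad = set(present) - set(manifest)
    for rel, digest in manifest.items():
        if rel not in present or _sha256(present[rel]) != digest:
            bad.add(rel)
    return sorted(bad)


def demo():
    """Build a tiny constructed backup set, verify it, then simulate an attacker
    overwriting one file and dropping a note, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "db").mkdir()
        (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        write_manifest(backup)
        clean = verify_manifest(backup)
        # Simulated attack on a writable repository: encrypted-in-place file, ransom note.
        (backup / "db" / "orders.sql").write_bytes(os.urandom(64))
        (backup / "README_TO_RESTORE.txt").write_bytes(b"pay us")
        tampered = verify_manifest(backup)
    return check_3_2_1_1_0(INVENTORY), clean, tampered


if __name__ == "__main__":
    inventory_problems, before, after = demo()
    print("inventory:", inventory_problems or "compliant")
    print("before attack:", before or "all files match")
    print("after attack:", after)
```

Two points worth noting. The sample inventory is deliberately one step short of compliant: the tape copy is offline and off-site but has never been test-restored, so the check reports it, which is exactly the "less prepared than they think" case the text describes. And a hash manifest only proves the copy is unchanged; it does not prove the copy restores cleanly into your standby environment, so it complements a scheduled test restore rather than replacing one.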
Ensuring data protection and data resilience is never-ending. You constantly have to adapt to new threats and technologies. This means continually educating not only the specialists responsible but also wider stakeholders such as senior leadership, finance and compliance. Widespread misconceptions can leave an organization vulnerable or slow to respond to the business's data protection needs. Knowledge is power, and ignorance is bliss only until things start going wrong.