By Dave Russell, Senior Vice President, Head of Strategy at Veeam
For years, many organizations have been guilty of putting data resilience on the back burner. Over time, however, the rising tide of threat levels, regulations, and best practices has lifted all boats. Resilience is now firmly on the radar.
Time for a rethink
Awareness is only half the battle; preparedness is another matter. Now that industry benchmarks have improved so that organizations have a better idea of what to look for, they are waking up to an uncomfortable fact – they aren’t as prepared as they ought to be. The Veeam report on data resilience among larger enterprises in collaboration with McKinsey found that key aspects of cyber resilience – even old-hat fundamentals like ‘People and Processes – were regularly self-reported as significantly lacking.
How did we get here? And how can organizations shore up these shortcomings? For C-suite decision-makers, resilience perhaps isn’t the most exciting or business-critical concern. Historically, it was often lumped in with general cybersecurity and assumed that it was already in place. Unfortunately, like most contingencies, the true value of data resilience can’t be appreciated until things go wrong. Aside from the CISO, chief execs would often treat backup and recovery processes like you would an airbag. Forget it’s in place at all, until you’re involved in an incident, and then suddenly you’re thanking your lucky stars you had it in place.
With law enforcement cracking down on some of the most prominent groups, including the likes of BlackCat and LockBit, there might have been an assumption that cyberattacks as a whole are trending down. But the reality couldn’t be further from the truth. In the last year alone, 69% of companies faced an attack at one point or another, yet 74% still fell short of data resilience best practices. The threat is only evolving, with smaller groups and so-called ‘lone wolf’ attackers stepping into the gap. And with a new subsection of attackers comes a new set of methods, with the faster data exfiltration attack methods on the rise.
The writing’s on the wall
The same Veeam report, in collaboration with McKinsey revealed that 74% of participating enterprises lacked the maturity needed to recover quickly and confidently from a disruption. While cyber resilience gaps are often a case of ‘not realising before it was too late’, in this case, many of these deficiencies were self-reported. But if organizations are aware, why haven’t they plugged these gaps?
For some, it could be down to the simple fact that they’ve only just realized. The recent wave of EU-focused regulations, including notably NIS2 and DORA, has spotlighted the issue by requiring organizations to up their resilience across the board. In the build-up to their compliance deadlines over the last year, organizations had to critically assess their full data resilience, many for the first time, revealing a number of previously unknown blind spots.
But no matter how they realized their gaps, organizations did not fall behind overnight. For many, it’s happened incrementally with their data resilience standards not keeping up as new technologies and applications have been adopted. With most organizations implementing AI at will to stay ahead of the competition and optimize business processes, the impact on their data profiles has gone largely unnoticed. The sheer amount of data needed and generated by these applications has resulted in sprawling data profiles that fall far outside existing data resilience measures.
Pair this with an underdeveloped understanding of modern data resilience, and you’ve got a recipe for disaster. It’s often a case of ‘you don’t know what you don’t know’. As a result, many organizations have been benchmarking themselves against the wrong yardsticks. Take your standard tabletop exercise, sure, it’s better than nothing, but data resilience can’t be measured on paper. In theory, their processes might work, but in reality, it’s a whole other story.
Taking a step in the right direction
So, what’s next? Rather than waiting for an incident to come along and put them to the test, organizations need to get comfortable with being uncomfortable. That means proactively uncovering and addressing gaps, however uneasy it might make them feel.
The first step for any organization with below-par data resilience should be to gather a clear picture of your data profile. What you have, where it’s stored, and why you do or don’t need it. With this, you can reduce at least some of your data sprawl by filtering out any obsolete, redundant, or trivial data to focus on securing the data you actually need. Then, get to work securing it.
But the work doesn’t stop there. Once you’ve got your shiny, new data resilience measures in place, it’s time to stress test them. And not just once. Data resilience measures need to be consistently and comprehensively tested to push them to their very limits, much like in the real thing – cyber-attackers won’t just stop when your systems start to creak a little. And they won’t wait until the perfect time.
Go through scenarios where key stakeholders are on annual leave, or where security teams are occupied with something else entirely, to expose all of the potential gaps in your measures. It might seem excessive, but otherwise, the first you’ll hear about these vulnerabilities will be during or following a real attack.
It’s a significant piece of work to undertake, but data resilience is worth every penny. According to the Veeam report, in collaboration with McKinsey, companies with advanced data resilience capabilities have 10% higher annual revenue growth than those lagging.
That’s not to say that improved data resilience will magically boost these figures for you, but bringing up your data resilience standards will inevitably have a knock-on effect on processes across the board. At the very least, you can be sure that cyberthreats will only grow more complex, and that data footprints won’t be getting smaller any time soon. It’s an issue that every organization will have to face, so jump in the deep end now before you get pushed beyond your limits by a cyber-attack.
