Data protection regulations aren’t enough to safeguard your data
Data protection regulations have undoubtedly had a positive impact on the ways organizations protect sensitive customer data. From the worldwide Payment Card Industry Data Security Standard (PCI DSS) to the EU’s General Data Protection Regulation (GDPR), such regulations provide an important framework that pushes organizations to improve their data protection practices and strengthen their security posture.
But achieving compliance will not deter cyber criminals or keep data secure on its own. With more than 236 million ransomware attacks recorded in the first half of 2022, and the number continuing to rise, data protection is one of the biggest concerns for organizations in 2023.
So much so that 79% of IT leaders see a worrying ‘protection gap’ between how much data loss the business can tolerate and how well IT is actually protecting that data. Complying with regulations is therefore no longer enough to safeguard data; organizations need to implement a robust, modern data protection strategy on top of it.
Some see regulations as a tick-box exercise
The global PCI DSS aims to enhance security for consumers by setting requirements for any organization that accepts, stores, processes or transmits payment card data, while GDPR imposes tough security obligations on organizations that operate within, or do business with, EU firms and collect data relating to individuals in the EU. In the UK, the government is moving to amend its post-Brexit version of GDPR through the Data Protection and Digital Information Bill, updated legislation that will affect every organization operating in the UK and handling personal data.
These regulations provide a critical framework for protecting sensitive customer data and mandate that a baseline of security measures is in place. The challenge is that some organizations subject to ‘light-touch’ regulation treat them as a tick-box exercise and do only the minimum required. That approach short-changes them, depriving them of the operational improvements and business value that genuine compliance can deliver.
Organizational resilience must run deeper than a regulatory framework or an ISO standard. It has to embrace every facet of a company from the board down and be supported by policies that permeate the business to create a culture of compliance. Organizations must also bolster their security posture with a data protection strategy that goes beyond what the regulations ask for, because achieving compliance is no longer enough to protect data from cyberattacks.
Emerging data protection gap
Ransomware is the biggest global cyber threat facing organizations today, and attacks are rising. In fact, 76% of UK and Ireland organizations admitted to falling prey to at least one ransomware attack in the past year. And as a result, 65% now use cloud services as part of their data protection strategy.
More concerning is that the majority of organizations disclosed gaps between how dependent they are on their data, how often it is backed up, the service level agreements they have committed to, and their actual ability to return to productive business after a cyberattack. Many are therefore left exposed when the next attack comes. Given that the question is no longer ‘if’ or ‘when’ an organization will be attacked but ‘how many times’, this is a precarious position to be in.
Data protection budgets have been increasing to improve system availability and speed up disaster recovery, but they are still not rising fast enough to keep pace with growing workloads and surging threats. Slowing an organization’s digital transformation would in theory give data protection a chance to catch up, but as many firms turn to crisis-driven innovation to survive the economic downturn, applications and workloads are expected to keep scaling.
If data protection budgets do not rise alongside this, the gap will only widen. Paring back the very projects that could accelerate growth, improve agility and mobility, and deliver a competitive edge would be counterproductive. A better way is to evolve data protection so that it safeguards existing and future ecosystems alike.
Attackers increasingly target backup repositories
Organizations are also losing ground in the fight against ransomware as attackers increasingly target backup repositories and hold that data to ransom alongside production systems.
In 88% of ransomware attacks the attackers attempted to infect backup repositories in order to disable the victim’s ability to recover without paying, and 75% of those attempts succeeded at least in part. One in three organizations say that most or all of their backup repositories were affected as part of a ransomware attack. Conversely, 22% of organizations believe they could have recovered without paying any ransom had they had sufficient data protection in place.
So, instead of being reactive, organizations need to be far more proactive when it comes to data protection.
Technologies for survival
It is becoming increasingly common for ‘production’ to outpace ‘protection’, and the growing gap between what the business expects and what IT can actually deliver is worrying. Add the fact that ransomware is an almost guaranteed threat that every organization must prepare for, and we are headed for a data protection emergency.
What is more concerning is how effectively attackers now destroy their victims’ backup repositories. Currently, 84% of organizations rely on backup job logs or media readability checks to assure recoverability, meaning that only 16% routinely verify by restoring the data and testing that it works. A successful backup log proves only that the job ran; it does not prove the data can be brought back. To protect their data, organizations need a secure, immutable backup as a last line of defense, one that attackers who gain administrative access cannot delete or encrypt, and they need to exercise restores from it regularly. And while IT departments are under pressure to cut costs, data protection budgets should never be the place to do it.
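The distinction above between a media readability check and a real restore test is easy to demonstrate. The following shell script is an added example and not code from the article or from Veeam: it builds a small constructed dataset, backs it up with tar alongside a SHA-256 manifest, then silently corrupts payload bytes inside the archive while leaving every tar header intact. The listing-based check still passes, the restore-and-verify check does not. Directory names, the sample files and the corruption offset are all constructed for this demo; immutability itself (WORM storage, object lock or similar) is not shown here.

```shell
#!/bin/sh
# Added example (not from the article): a backup verification drill that
# contrasts a "media readability" check with a real restore test.
# Sample data, archive layout and the corruption offset are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/src"
ARCHIVE="$WORK/backup.tar"
RESTORE="$WORK/restore"
MANIFEST="$WORK/manifest.sha256"

# Constructed sample data standing in for a production dataset.
make_sample_data() {
  rm -rf "$SRC"
  mkdir -p "$SRC/db"
  printf 'customer,card_last4\nalice,4242\nbob,1881\n' > "$SRC/db/customers.csv"
  head -c 65536 /dev/zero | tr '\0' 'A' > "$SRC/db/ledger.bin"
}

# Take the backup and record a SHA-256 manifest of the source files at
# backup time. The manifest, kept apart from the archive, is what a restore
# test compares against.
take_backup() {
  ( cd "$SRC" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$MANIFEST"
  tar -cf "$ARCHIVE" -C "$SRC" .
}

# What most organizations rely on: the archive exists and tar can list it.
# This only proves the headers are intact, not the payload.
readability_check() {
  tar -tf "$ARCHIVE" > /dev/null 2>&1
}

# What a recoverability test actually requires: extract into scratch space
# and verify every file's hash against the manifest taken at backup time.
restore_test() {
  rm -rf "$RESTORE"
  mkdir -p "$RESTORE"
  tar -xf "$ARCHIVE" -C "$RESTORE"
  ( cd "$RESTORE" && sha256sum -c "$MANIFEST" ) > /dev/null 2>&1
}

# Simulate silent corruption (bit rot, or an attacker who tampers with the
# repository rather than deleting it): overwrite payload bytes but leave
# every tar header untouched. Offset 8192 lands inside ledger.bin's data
# region whichever file order tar picks for this constructed layout.
corrupt_archive() {
  printf 'XXXXXXXX' | dd of="$ARCHIVE" bs=1 seek=8192 conv=notrunc 2> /dev/null
}

# Run the drill and report both checks before and after corruption.
run_drill() {
  make_sample_data
  take_backup
  before_read=$( readability_check && echo yes || echo no )
  before_restore=$( restore_test && echo ok || echo FAIL )
  corrupt_archive
  after_read=$( readability_check && echo yes || echo no )
  after_restore=$( restore_test && echo ok || echo FAIL )
  echo "intact: readable=$before_read restore=$before_restore; corrupted: readable=$after_read restore=$after_restore"
}

run_drill
```

The point to take from the output is that the corrupted archive still reports readable=yes while the restore fails. In practice the manifest must be stored somewhere the backup repository cannot be used to overwrite it, the restore should be exercised from the actual repository (not a cached copy) on a schedule, and the result should feed an alert rather than a log nobody reads.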
By investing wisely and taking a modern approach to data protection, organizations not only gain an advantage over attackers but increase business resiliency, giving them an edge over competitors.
Safeguard your future
As the threat landscape accelerates, organizations must take a two-pronged approach to data protection. Complying with regulations and ensuring they permeate the entire organization is important, but ensuring that sufficient data protection measures are actually in place, and proven to work, is critical.
IT and data protection teams therefore have a big task ahead of them: closing the gap between the technology the business runs on and how well that technology is backed up and protected. After all, safeguarding your sensitive data plays a significant part in safeguarding your future.
Dan Middleton is VP for UK and Ireland at Veeam.