Data: an Achilles heel or a business asset?

Veeam Software is a Business Reporter client

New research suggests most businesses fell victim to a cyber-attack in 2022, with over half reporting multiple incidents over the course of the year. The ransomware business model exacts a high cost on companies, and organisations must take data security and protection more seriously. But there are important factors to consider when choosing a provider.

What picture does The Veeam Data Protection Trends Report 2023 paint of the threats that organisations currently face?

One of the most striking findings of the report was the fact that 76 per cent of UK and Ireland (UK&I) organisations experienced at least one ransomware attack in 2022, an increase from 68 per cent in 2021. Almost three-quarters (73 per cent) of all businesses reporting an attack experienced more than one incident, while 39 per cent of those businesses had their entire production data set encrypted or destroyed. Compounding this misery, only 55 per cent of that data was recoverable.

Attacks are undoubtedly on the rise. It’s not a matter of when companies will be affected but a question of how often. Attackers are now well organised – effectively operating as black-market businesses – and can make virtually infinite attempts to target organisations.

Where they exist, it’s incumbent on chief information security officers (CISOs) and their IT teams to be relentless in their efforts to improve their corporate defences, and make sure they are prepared for any cyber-attack. Where no CISO or equivalent role or expertise exists, this gap must be addressed. In a complex, interconnected world, vendors and third parties must also be included in this chain of cyber-resilience.

There are obvious steps businesses can take to reduce their exposures to cyber-threats, including the use of anti-virus, anti-spyware and intrusion detection tools. But in addition to these preventative measures, businesses also need to place more focus on the processes and plans they have in place in the event of an attack.

Further breaking down the numbers above revealed that the typical amount of data that was recoverable by the organisations whose data was destroyed or encrypted by cyber-attacks in 2022 was a paltry 35 per cent. Even paying a ransom, a problematic “solution” for many reasons, does not guarantee getting information back, while many organisations found out the hard way that cloud providers do not typically store backups of cloud-hosted data. So, what to do?

This is where the last line of defence against ransomware comes in – fast recovery from secure, immutable backups. Companies quite literally live or die by their ability to recover all of their data fast and get back to business.

Recency and quality of their backups is a basic essential, but the instant and automatic ability to restore and recover is what separates good from great. We’ve all read about well known brands that have experienced downtime due to an attack because they haven’t recovered instantly. Companies that are attacked but are back up and running within a few minutes rarely make the headlines. The secure backup will be an integral part of a wider business resilience, rapid recovery continuity and strategy. It gives firms the confidence they can fend off cyber-attacks and have a robust data recovery source at their disposal.

Working with the right partner here is vital. Today’s businesses are complex, integrated and reliant upon data running across myriad environments from physical to cloud native and everything in between. The protection and backup of their data needs to be as flexible and agile as the companies themselves. This is behind the survey revelation that 54 per cent of organisations in the UK&I expect to change their backup solutions provider in 2023, with 32 per cent citing that improving the reliability and success of backups is their main motivation.

As businesses emerged from the pandemic, their focus on modernising data protection in line with modern data production ecosystems made sense, especially given the additional challenges 2022 brought. Little wonder that UK&I budgets are set to increase by an average of 8.4 per cent.

There are a couple of important things to consider, and both are often overlooked. The first is how to exit any partnership at the end of the contract or in the event the service is no longer fit for the business’s needs.

If a third party backs up data – or owns a tool that’s used to protect it – then getting data access after the relationship ends can be difficult and/or costly. A clear exit plan means the company can cease the relationship but always have the ability to recover its data. Avoid vendor lock-in at every level, whether it is your SaaS provider, hardware provider or data protection provider.

The second consideration is that businesses need to be aware that they cannot abdicate their responsibilities when implementing SaaS solutions. They remain the data owner, so ensuring data protection belongs to them, not the SaaS provider. SaaS providers should have suitable protection in place for their side of the bargain.

If an incident were to occur that resulted in the loss of data from malicious activity, the accountability is on the customer not the SaaS provider. Organisations need to understand the small print around contract terms: many providers have a shared responsibility model, which states customers remain accountable and responsible for their own data.

Finally, it’s important to have a clear understanding of the total cost of ownership (TCO) involved in working with a public cloud provider (or any third party), there can be many unknown costs and too many variables to accurately calculate. Assume your data will grow faster than you expect, and be aware that commercials can change over time. Make sure you have an exit plan that still gives you access to your data.

One trend that is continuing is the use of the cloud to run both applications and data protection itself. This is both an opportunity and a risk. Organisations are having to work with and manage an ever-growing set of platforms, each with different requirements. As identified above, as these evolve, so too must their protection. Tools that were built for a previous era don’t necessarily lend themselves to modern workloads and environments.

Modern data protection solutions must be able to operate across all three architectures of physical, virtual and cloud. Companies should also plan for workloads to be mobile across clouds and ecosystems (even going back to an on-premises model). The data protection strategy must be driven by business need and evolve to accommodate this. Data protection is getting “cloudier”, with 70 per cent of UK&I businesses expecting to adopt cloud services as part of their solutions by 2025.

The first thing is that the reputational damage – on top of the financial cost – of an incident can be significant to your business and will take a long time to recover from. Just think of the effect the loss of confidence or trust of customers, investors or stakeholders can have.

Having resilience through data security, recoverability and freedom across your IT environment also brings significant business opportunities. Modern data protection means companies can make the most of their digital transformation programmes and adopt new ways of working for competitive advantage.

Data should enable businesses and drive them forward, not hold them back. Veeam helps them achieve this by giving firms the peace of mind that their apps and data are protected and available, not just to keep their businesses running but to free them up to focus on what matters to them.

We essentially provide a single platform – the Veeam Data Platform – to protect and manage all workloads, whether those are cloud, virtual, physical, SaaS or Kubernetes workloads, enabling organisations to break free from legacy backup arrangements.

We talk a lot about data freedom, which is the ability to move out of one environment and into another. We’re hardware, cloud and platform-agnostic. With over 450,000 customers worldwide, we have an unrivalled expertise in “speaking”, understanding and moving data from or across any platform. We help organisations avoid vendor lock-in, and that data freedom extends to our own customers too.

Our experience means we can help ensure businesses recover from a major incident without any loss of data, regardless of ecosystem. If a data centre goes down, for instance, and you need to access backed-up applications stored elsewhere, restoring that could take some time.

As part of continuity planning, businesses will have established the recovery time objective (RTO) for their key data – in other words, how quickly the business needs that data to come back when disruption, downtime or disaster occurs. Once RTOs are defined, a timely, efficient recovery must happen. Veeam’s orchestrator tool automates this process from, and to, any platform immediately.

To further counter cyber-threats, we also offer data indestructibility. This is a multi-layered approach to data storage and restoration, which includes the use of an isolated, secure environment to restore backups, which can eliminate viruses or ransomware that have been inadvertently backed up in applications. Thus only clean, safe data is released back into production.

To find out more about how Veeam can help secure your business’s IT environment, visit go.veeam.com

The Veeam Data Protection Trends Report 2023  was produced by an independent research firm on behalf of Veeam. It drew on responses from 4,200 unbiased IT leaders and implementers, including 349 people based in the UK and Ireland. All figures in this document relate to the UK and Ireland markets specifically.

Secure backup is based on the 3-2-1-1-0 rule - 2 copies of data on 2 different media, with 1 copy being offsite, 1 copy offline, air-gapped or immutable and 0 verified errors.