Steve Blow at Zerto, a Hewlett Packard Enterprise company, argues that regulation needs to be supported by appropriate cyber security actions including continuous back ups
Despite the recent momentum that has gathered behind the development of new, more powerful data protection laws and regulations, organisations and individuals currently face greater risks than ever.
There are now over 130 countries around the world that have enacted data privacy laws. Among the most high profile are, of course, GDPR and the California Consumer Privacy Act (CCPA), which arrived over three years ago with the aim of transforming the way organisations collect, manage, use and secure personal data.
Yet, while businesses across the world face huge fines for data breaches or poor practices, unfortunately, cybercriminals aren’t bound by anything apart from their own objectives. Even though the use of data is more regulated than at any time in history and penalties are being levied at accelerating rates, businesses are still facing record levels of ransomware attacks.
Despite the huge amounts of publicity around ransomware, there remains a clear need to build better data protection strategies. The Harvard Business Review recently reported that the demands made by attackers are now as high as tens of millions of dollars. That’s reflected in the worldwide cost of ransomware, which is predicted to exceed $265 billion by 2031. These figures can be hard to process, but to give it some kind of context, the GDP of Portugal – an EU member with a population of over 10 million people – is $219 billion.
While many organisations have turned to insurance to provide a safety net against the risk of a successful ransomware attack, the increasing cost of payouts is bringing the viability of cover into question. For instance, the FT recently reported that insurers were getting much tougher with customers, while in August 2021, the Biden Administration backed away from the idea of banning ransomware payments after consultations with industry experts.
So, with lawmakers and regulations only providing part of the answer to today’s global data protection crisis, where does that leave the millions of organisations around the world who should now be thinking about when they will be targeted rather than if?
Let’s backup for a second
From a technology standpoint, organisations on the receiving end of an attack can face a range of scenarios. The inescapable problem many encounters is that they have no means to quickly recover their systems and data. With files encrypted and normal operations completely disrupted, they are forced to undertake often lengthy and expensive remediation exercises or deal with ransomware demands directly, often with the help of an insurance payout.
In practical terms, an organisation and its IT team might feel their existing backup processes provide sufficient protection, but it’s only the realisation that the latest snapshot is anything from a day to a month old (or even older) that they appreciate the depth of the problem. For many of today’s data-centric businesses, losing even 24 hours of data can be catastrophic. It’s perhaps not so surprising, therefore, that businesses choose to pay ransom demands, particularly when their data loss stretches back days or even weeks.
This is a long standing problem. In many organisations today, their backup and recovery strategy was designed for a time when ransomware wasn’t an issue to keep business leaders awake at night. As a result, these businesses are not geared up for a quick response because they also rely on legacy data protection technologies that were designed decades ago and that can only recall data from periodic snapshots when it needs to be recovered.
As a strategy for organisations operating in the 24/7 digital economy, this is a million miles from where they need to be. Instead, the continuous pace of business needs an approach to data protection that stays up-to-date with every changing detail in real time.
Continuous data protection
This approach, known as Continuous Data Protection (CDP), works by constantly tracking and capturing each data modification. By storing each piece of user-created data locally or at a target repository, CDP uses an incremental process that continuously replicates data to a journal file.
When data needs to be recovered, IT teams are not subject to the potentially devastating gaps in protection associated with legacy approaches. Instead, they can restore data on a much more recent and granular level – to any point in time up to when systems went offline. It’s the data protection equivalent of rewinding a video clip so the viewer can pick up where they left off.
CDP provides a foundation for recovery; giving an organisation immediate access to its data following a successful attack and facilitating business as usual operations while other remediation efforts are underway. It also provides extensive granularity to support forensics, for example allowing security teams to spin up a separate copy of the encrypted files, eliminating the risk of reintroducing dormant malware from the backup.The role of CDP doesn’t end at the need for instant recovery.
As more organisations embrace the advantages of cloud infrastructure, for instance, applications are being moved from their traditional on-premises execution venues to multi-cloud. Research from IDC, for instance, suggests that 70% of CIOs now have a cloud-based strategy for application deployment. This approach needs an equally flexible, ‘cloud-native’ data protection layer so data and applications remain available even if cloud services are disrupted.
What’s more, CDP is also being used for other requirements where the traditional approach to backup is falling behind current needs. Take long-term retention (LTR), which is used to store data for much longer periods of time – often years. Often as a result of regulatory requirements, LTR data isn’t necessarily required on a daily basis so can be stored on more cost effective hardware. Examples of data requiring LTR include financial information data like P45s and expenses, which must be stored by law for six years but are not required for daily activities.
This pragmatic and cost-effective approach to data protection can play an important role for organisations that have diverse backup and recovery requirements. What all these scenarios have in common, however, is that modern business simply can’t afford to deal with the consequences of data loss.
In this complex technology ecosystem, where the opportunities for business success can be severely limited by falling foul of data protection regulations, a ransomware attack or any number of other risks, organisations that proactively take control of their own data protection are much better placed to succeed.
While tougher laws and regulations have played an important role in highlighting the need to improve data protection standards across the board, building an approach that directly addresses contemporary challenges for every organisation is more important than ever.
Steve Blow is EMEA Sales Engineering Manager at Zerto, a Hewlett Packard Enterprise company
Main image courtesy of iStockPhoto.com