How important is effective backup for ensuring data security?

How important is effective backup for ensuring data security?

Acronis, a global leader in cyber protection, has released its annual Cyber Protection Week Global Report 2022. The report which surveyed over 6,200 IT users and IT managers from small businesses to enterprises across 22 countries – including the United Arab Emirates (UAE) – exposes some of the most critical shortcomings appearing in cyber protection practices today, examines why they’re appearing and offers guidance on how they can be fixed.

One of the key findings last year was that 80% of organisations ran as many as 10 solutions simultaneously for data protection and cybersecurity — yet more than half of them suffered downtime because of data loss. According to the report findings, the UAE performed dismally with 18% of the organisations claiming to use between 11-15 different solutions, while a further 8% of companies use over 15 solutions simultaneously. Clearly, more solutions do not translate into more protection.

This year, we see that trend getting worse: while 78% of organisations globally run as many as 10 different solutions, 76% of organisations experienced downtime due to data loss — a 25% increase from 2021. This downtime stemmed from a number of sources, including system crashes (52%), human error (42%), cyberattacks (36%) and insider attacks (20%).

As a result, 61% of global organisations’ IT teams now report a preference for integrated solutions that replace their complicated stacks of cybersecurity and data protection tools with a single, unified console.

“As the entire world is increasingly at risk from different types of attacks, accelerating to universal all-in-one solutions is the only way to achieve truly complete cyber protection. And that’s precisely the problem Acronis has set out to solve,” said Candid Wuest, Acronis VP of Cyber Protection Research. “Attackers don’t discriminate when it comes to means or targets, so strong and reliable security is no longer an option, it’s a necessity.”

Overconfidence as a trend: IT teams are overselling their readiness

The report also unearthed another worrying trend that is responsible for cyberdefences lowering and increasing IT security budgets:

  • 71% and 70% of Saudi Arabia and the UAE companies respectively are looking to replace their complicated stacks of cybersecurity and data protection tools with a single, unified console.
  • 70% of organisations’ IT managers claim to have automated patch management. However, based on any reliable industry research, only a handful of companies follow the 72-hour ‘golden time’ for patch management.
  • 82% also claim to have ransomware protection and remediation, yet successful attacks occur weekly and the size of ransom demands grows each year.
  • 20% claimed to be testing backup restoration weekly. Again, not consistent with any other industry-issued data.

It seems that IT managers are trying to appear better prepared than they are; but that is, in turn, misleading their managers, boards of directors, industry analysts and customers.

However, if the overwhelming majority of IT managers indeed have these solutions, they aren’t using them right: they have simply stocked their IT stacks with all of the recommended cybersecurity technologies — spending more money in vain.

The report findings prove that organisations are spending more on IT security this year, but when compared to their overall IT budget, it becomes clear – organisations are still treating cyber protection as a ‘nice-to-have’, not as a ‘must-have’.

We received commentary from three industry experts on the subject of operating with effective backup processes to ensure data security.

Adrian Moir, Technology Evangelist and Principal Engineer at Quest

Organisations need to focus on three different areas in relation to backup: proactiveness acquired through immutability and access control, shared cloud security responsibilities and cost optimisation as data volumes skyrocket.

Recovering data from a backup after a ransomware attack is the cure to the problem, but prevention will always be better than a cure. Data must be secured from both a data and an access point of view, which can be done through MFA, obfuscating data sets, encryption of data sets, immutable data and more. With plenty of solution options out there, organisations should choose to provide the level of immutability and access control needed to proactively stop ransomware attacks before they happen.

Most businesses assume their data security is totally in the hands of their cloud providers, which can lead to unfortunate situations when data is not backed up. This is why organisations must follow the shared responsibility model, which discourages the ‘out of sight, out of mind’ attitude and reduces the risk of lost data. Unfortunately, those following the model struggle with backups, because data is stored in slow object Blob storage and the system is designed for the endpoint user — not the IT admin’s backup experience. Going forward, we expect to see new approaches to APIs that provide faster data restoration and give cloud customers more control and speed over their backups.

Data is growing at a rapid, exponential pace, so much so that some businesses can’t afford to protect everything. To reduce a negative impact on revenue and reputation, organisations must make informed decisions about which data systems are essential for running backups. Understanding your data set and then intelligently planning for when things go wrong allows organisations to recover prioritised data faster and optimise how and where money is being spent. By focusing on these three areas, organisations can ensure that they have an effective backup process to improve their data resilience across the organisation.

Oliver Cronk, Chief Architect, EMEA at Tanium

I see many cases where backups are not being carried out effectively, if at all. From my experience, around 80% of organisations either haven’t backed up their data or don’t do it regularly enough. This is alarming because if these companies experience a data breach, the impact could be hugely damaging. Backups are often the last line of defence against cyberattacks, if you can’t recover systems then backups offer a crucial lifeline.

The main reason I see for backup programs being neglected is cost. Financial and staff resources are required in order for regular, comprehensive backups to be completed and sometimes IT leaders will choose to focus these resources on other areas. The crucial tasks that need this investment include identifying where the most critical data is stored and making sure it is always included in backups. It’s also important that backed up data is regularly tested to check that it can be fully accessed without any problems. I rarely see this testing being carried out, so it’s definitely an area for improvement. 

Another reason that backing up can be overlooked is a misconception that it’s purely a data centre issue, but it must also be treated as a part of a well-rounded security strategy. Every organisation should have an initiative to improve and maintain cyber hygiene, in my view backing up should be part of this. The vast majority of data breaches that I see start with an avoidable incident that an improved level of cyber hygiene could help prevent. Even if a network does still become compromised, a good level of cyber hygiene can help minimise the impact. For example, if a ransomware attack encrypts an organisation’s data, it is in a much stronger position if data has been backed up. 

Business leaders should be asking important questions such as; in the event of a breach, is all of your critical data backed up and have you checked if it can be easily accessed? Are we including backing up as part of our cyber hygiene efforts and security strategy? If IT teams understand the importance of these areas and take ownership of them then they may prevent the organisation’s reputation from being severely damaged and a large sum of money being lost.

Filip Verloy, Technical Evangelist EMEA, Noname Security

Collaboration tools, which are commonly used in startups, and tools relied upon for an individual’s own personal note-taking (such as Notion, Obsidian, etc.) tend to process a lot of data. Despite much of this data being sensitive, it is not always clearly understood where that data is ultimately stored and how it is secured. Businesses should know exactly who owns it and who is responsible for it in terms of backup and recovery, to prevent data loss or exfiltration.

Startups tend to prefer speed over process, which can lead to additional security exposure if not well managed. Businesses should ensure they cover the basics in terms of security. It is better to invest more time upfront, than risk losing all your data due to sloppy processes. For most modern businesses, data is their lifeblood so it makes sense to prioritise putting security measures in place to protect it.

Today, data is increasingly exchanged via Application Programming Interfaces (APIs). Often, traditional security tools don’t have full visibility, nor a clear understanding, of the inner workings of these API services. As a result, protecting PII information becomes harder as the boundaries of responsibility become more opaque. Protecting APIs should be an integral part of any business’ strategy for managing compliance and securing data.

My advice to smaller businesses with limited resources and budget would be to limit the scope of tools they intend to support and make sure they understand the SLO/SLAs of these tools when it comes to getting data back. For example, are they responsible for the data in Office 365, or is Microsoft?

Finally, when using cloud-based services, businesses should ensure they understand the governing regulations when it comes to data access (for example, CLOUD Act) but also their own responsibilities around data protection and privacy regulation, such as GDPR.

Click below to share this article

Browse our latest issue

Intelligent CISO

View Magazine Archive