Once considered a secondary concern, data protection has now become a daily imperative for businesses. Beyond the need to comply with regulations such as GDPR and the upcoming NIS2, there is the financial exposure: the average global cost of a data breach stands at $4.45 million. The financial repercussions can be even more severe if production data is compromised, whether through a breach or internal error, leading to downtime. For businesses, downtime can cost over $1 million per hour, sometimes escalating to $5 million per hour in extreme cases. With 37% of servers expected to experience at least one unexpected outage in 2023, the challenge is ongoing. Even so, there is a pressing need for more education, because many misconceptions leave businesses ill-prepared. Here are three data protection myths that must be debunked in 2024.
There is a common belief that cloud providers automatically back up your data. Businesses have increasingly adopted cloud storage for their data and workloads, with cloud security breaches now outnumbering those on-premises. This shift does not indicate a security difference between the two, but rather a change in the balance of data control for modern organizations. However, a 2023 study revealed that 43% of IT Data Managers mistakenly believe that cloud providers are solely responsible for protecting and recovering data in the cloud. This is incorrect. While cloud providers ensure a certain level of resilience and redundancy, their main focus is on maintaining the availability and integrity of their infrastructure.
The misconception arises from the belief that cloud providers manage everything post-migration. It's akin to renting a fully equipped kitchen: you expect the appliances to function safely, but any mishaps with the food are your responsibility. Data backup and disaster recovery are typically shared responsibilities. Cloud providers offer tools and capabilities, but it is the customer's duty to configure and manage backups according to their needs. If offloading these responsibilities is desired, options like Backup-as-a-Service (BaaS) and Platform-as-a-Service (PaaS) are available, but they are not standard.
Ransomware continues to be the leading threat for data breaches and system outages. The Veeam Data Protection Trends Report 2024 indicates that three out of four organizations faced at least one ransomware attack last year, with a quarter experiencing more than four attacks. Many organizations end up paying the ransom demands. A survey of ransomware victims found that 81% paid the ransom, yet only 54% managed to recover their data, and 27% still could not recover.
Many people misunderstand the process of paying ransoms, especially those outside of security or IT. After the funds have been transferred and the payment sent to the attackers, there is often a delay before any action occurs. In some cases, decryption keys are never provided, and even when they are, recovery can be futile. According to the survey, one in four victims who paid were still unable to recover their data. The main misconception is not that paying a ransom is risk-free, but that recovery is quick; in fact it is a lengthy process even when it succeeds. Decryption is a manual process, with keys unlocking only a few files at a time. It's not a simple matter of unlocking a single large padlock; it's more like unlocking individual items within. Some groups even charge extra for additional keys to expedite the process. On average, recovery from a ransomware attack takes just over three weeks.
Industry experts strongly advise against paying ransomware demands and emphasize data backup and system recovery as a safer, more reliable, and more ethical way to recover from attacks. While most organizations now take backups seriously, many are unprepared to use these backups in the event of a ransomware attack.
A common pitfall is that the backups themselves are compromised during the incident. To mitigate this, having multiple, immutable backups and keeping a version offline is crucial. Another challenge is the lack of a prepared recovery environment. The production environment, whether cloud or on-premises, may be unavailable for an extended period, either due to compromise or because it is being treated as an active crime scene. A backup environment is necessary for recovering data during an outage. If this environment is cloud-based, ensure your team is proficient with the specific cloud's operations; refactoring data or learning new specifications during an outage is not ideal.
Ensuring data protection and resilience is an ongoing process, requiring constant adaptation to new threats and technologies. Continuous education for specialists and for stakeholders such as senior leadership, finance, and compliance is essential. Misconceptions can leave an organization vulnerable or slow to respond to its data protection needs. Knowledge is indeed power, but ignorance is only bliss until issues arise.