Data protection: three myths to dispel

In the contemporary business environment, data security is no longer an optional extra but a priority. The advent of stringently enforced regulations such as the GDPR and the upcoming NIS2 emphasizes companies’ responsibility to manage and protect sensitive information. However, the cost of a data breach goes far beyond fines and penalties: we are talking about a significant economic impact, estimated at an average of $4.45 million globally.

The financial impact can be even worse if production data is compromised by a breach or internal error, resulting in downtime. For businesses, downtime costs more than $1 million per hour and, in some cases, reaches $5 million per hour. With 37 per cent of servers experiencing at least one unplanned outage in 2023, this is now a constant struggle. More education is needed, however, as too many misconceptions can leave companies unprepared. Here are three myths about data protection that need to be debunked in 2024.

Cloud providers back up data

Businesses have become accustomed to storing data and workloads in the cloud. A common myth is that cloud providers automatically take care of data backup and recovery. The reality is different: while they provide infrastructure resiliency and redundancy, the primary responsibility for data backup remains with the user. This misunderstanding stems from the belief that cloud providers take care of everything once the migration is done. A study conducted last month by Arcserve Global Research found that 43 per cent of IT managers mistakenly believe that cloud providers are responsible for securing data in the cloud. Understanding the cloud’s shared responsibility model is critical: while the provider manages the infrastructure, it is up to the business to configure and manage backups as needed.

Data backup and disaster recovery are often shared responsibilities. The cloud provider offers the tools and capabilities, but it is up to the customer to configure and manage the backups according to their own needs. If you want to offload these responsibilities to a third party, you can do so with Backup-as-a-Service (BaaS) and Platform-as-a-Service (PaaS), but these are not standard practices.

How ransomware payment works

Ransomware continues to be a major cybersecurity threat. Despite this, many are unaware of the implications of paying the ransom. The Veeam Data Protection Trends Report 2024 found that three out of four organizations experienced at least one ransomware attack last year, and a quarter were attacked more than four times. Eighty-one per cent of affected organizations paid the ransom, but only 54 per cent were able to recover their data, and a worrying 27 per cent achieved no recovery.

What happens after transferring funds in Bitcoin and sending payments to attackers? At first, often, nothing happens; you must wait. In the most unfortunate cases, the wait lasts forever, and no decryption keys are ever provided. It is more likely that keys will eventually be provided, but it is worth noting that even this is no guarantee that the data will be returned. The basic misconception concerns not so much the risk involved in paying the ransom as how long it takes to recover the data. On average, recovery from a ransomware attack can take just over three weeks.

Using backups after a ransomware attack

When it comes time to restore from a ransomware attack, there are a few mistakes to avoid. The first is that the backup may have been targeted and compromised during the incident. In fact, in three out of four attacks, attackers may target backup repositories. Even so, adopting backups is essential to mitigate the effects of a ransomware attack. Many, however, underestimate the need to have multiple, immutable backups kept offline to prevent unwanted access by attackers. It is equally crucial to have an environment ready for data recovery to avoid prolonged downtime during an incident.

Educate to protect

Protecting corporate data requires a proactive and knowledgeable approach. Misinformation must be combated by constantly educating IT professionals and decision-makers on the importance of effective security strategies. Adapting to new threats and technologies is essential to maintaining operational resilience. Risks can be effectively mitigated, and business continuity can be ensured through thorough understanding and proper preparation. Investing in ongoing training and adopting robust cybersecurity practices are critical steps to protect not only corporate data but also the reputation and trust of customers.

Antonino Caffo has been involved in journalism, particularly technology, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can see him, sometimes, on television explaining how technology works, which is not as trivial for everyone as it seems.