What you’re doing to protect your data isn’t working

You just clicked on the link in an email from your cousin. Or, at least you thought it came from your cousin. In the instant you realize your cousin would not refer to you as “Dear Mr. Jeff,” panic sets in—too late. Your screen is displaying a message to remit a payment of bitcoins, your hard drive has kicked into high gear as the malware encrypts all your data, and you are praying it doesn’t spread to the company network.

It’s become increasingly common to see headlines of cyberattacks like this scenario. Sometimes it’s a ransomware attack on a hospital, holding patient data hostage. Other times, it’s an email phishing scandal where a single employee took down their entire organization with one wrong click. Not matter the scenario, these incidents often put sensitive information at risk.

Cybersecurity incidents aren’t the only threats to data loss though. Given the recent slew of hurricanes this past year, natural disasters are also top-of-mind for many. But what are companies doing to mitigate these risks?

The state of current practices

When ransomware strikes, you could pay the ransom. But what if the encryption keys do not work and your data is still locked away? You could restore your data. You do have clean backup copies of your data, don’t you?

In a Bluelock-commissioned survey, 73% of executives claimed high confidence in their DR plans, while only 45% of IT personnel felt this way. In other words, most company leadership tends to feel overconfident in their data protection plans, while those implementing and managing the solutions aren’t confident plans will work when needed. The reason for this disconnect could vary from anything like under-education to a miscommunication between leadership and IT.

While leadership may have a better grasp of the true cost of downtime and the impacts of data loss on customers and business livelihood, IT has a better understanding of the technology realm and the time it takes in keeping systems running. This is why it’s concerning when the personnel charged with protecting datasets have less confidence than leadership does in the ability to keep systems online. I’ve heard several IT professionals tell me over the years, “We’ve tried to tell our organization about the risk, but they don’t listen.” Conversely, I have also heard business leaders tell me, “I thought we were covered. I didn’t understand the risk we were assuming.”

How long will it take you to restore from backups? Days? Weeks? Longer?

In another survey Bluelock commissioned, 51% of respondents said they considered ransomware the number one threat to their companies—and yet only 41% were prioritizing restorative measures (backups, replication, etc.), the tasks that contribute to the recovery of this type of event.

While there tends to be a heavy focus on preventative measures (scanning, firewalls, etc.), this doesn’t always leave an organization fully prepared for a disaster incident. The cyber threat landscape especially has evolved from “If” to “When” to “When again,” so leadership and IT must recognize that no solution will be 100% effective in preventing an event.   

Successful protection begins with understanding

To address the confidence gap that exists between IT and executive leadership, there’s a much-needed dialogue that needs to occur in understanding the current state of IT systems and the impacts those systems have on overall business.

IT must learn the language of the business. We can’t talk to the executives in terms of bits, bytes, servers and networks. We must talk about reputational risk, impact to our customers, and missing financial targets.

IT departments that decry a lack of time to speak with other departments and leadership of their IT stance must make the time. Overburdened IT teams will only come at a cost to your business when an event occurs, since personnel will not have had the bandwidth or resources to give your DR plan its due attention. If you explain what this lack of attention might mean in lay terms to executive leadership, they should see the hazard lights.

Successful data protection begins by knowing where your business is, where you want to be, and mapping out a plan that takes you there. Start by viewing your IT disaster recovery (DR) plan as inextricably interconnected to your company’s business continuity. If technology operations go down, the rest of your organization will not be able to continue work, and therefore not be competitive, profitable or successful.

How do you protect data correctly?

True resiliency demands a holistic approach to cybersecurity and data protection: a balancing of preventative and restorative measures. Because prevention to ward off downtime is no longer a realistic expectation for end-to-end resiliency, you must have a plan in place to recover your IT systems at a moment’s notice. This requires a robust IT disaster recovery (DR) program with both cloud-based backups and replication solutions for varied levels of availability.

The National Institute for Standards & Technology (NIST) defines the data protection landscape into five major areas: Identification, Protection, Detection, Reaction, and Restoration. Viewing your IT resiliency strategy in these stages is a great beginning point to categorize improvements to your existing IT resiliency.

For the restoration aspects, check to be sure how quickly certain applications must come back online, tiering your datasets by their priority to the business, to ensure adequate and timely attention during a disaster. Examine service level agreements (SLAs) for any outsourced DR tasks with a critical eye, since keeping your vendor accountable and leadership in the loop with accurate expectations is key. Read this CSO article on the four types of SLAs.

Combining the parts for full coverage

A balanced approach is the key to success. Review each area of your business for misaligned investments with your risk strategies. There may be areas where you are underinvested, and there may be areas where you have overinvested. Prioritize the work that’s needed to close these gaps, as this will contribute to a better strategy for overall continuity.