Protecting critical systems, applications and data for an organization is a huge responsibility. Not only do these systems need architected and protected, but also designed and maintained for resilience and recovery. To make a tough job even tougher, leaders and clients have big expectations when it comes to minimizing data loss and downtime. The challenges of data protection are very real. And not properly identifying them can give you more hurdles and obstacles when it comes to dealing with those challenges.
Defining data protection
Data protection involves keeping data safe from damage, unauthorized access and loss, and has guardrails in place to recover the data if it becomes inaccessible or unusable.
Typically, overall data protection should involve multiple IT security practices including data backup and disaster recovery, business continuity planning, identity management, data privacy, ransomware prevention, endpoint security and compliance.
The consequences of inadequate data protection
An inadequate data protection strategy leaves your organization vulnerable to attack and can result in some serious consequences if left alone.
- Financial: Breaches and downtime can lead to significant financial issues. A recent survey found that one hour of downtime can cost as much as $301,000 or more.
- Legal: Inadequate data protection can lead to legal and compliance trouble, as organizations must adhere to regulations to maintain a level of security for information systems and data.
- Reputation: News of a breach can and will disrupt an organization’s reputation and brand.
- Operational disruptions: Breaches will often lead to operational disruptions that stall staff and their activities.
So what are the main data protection issues to be aware of, and what can organizations do to combat these challenges?
Corporate culture
A thoroughly underestimated data protection issue is that cybersecurity is not taken seriously across an organization’s corporate culture. Many businesses underestimate the potential risk of a breach, and don’t prioritize security. Smaller businesses especially may think that they would never be targeted for a cyberattack, but then are caught unprepared when a breach happens.
Though every organization will have to evaluate its individual risk profiles, part of that risk profile comes through in an organization’s corporate culture. If security and recovery are not made a priority in the corporate culture, that will become evident when it comes to an organization’s security posture.
Addressing the challenge of data protection and corporate culture
Executives set the priorities and budget line items for any business. Part of the challenge of making data protection a priority is getting the buy-in of senior leadership to commit budget and initiatives to enhance data protection capabilities. If senior executives, board members and other decision-makers commit to a preventative approach to cybersecurity, the easier it will be to make data protection a priority for employees, contractors and customers.
Additionally, every organization’s risk tolerance is going to look different. When leaders are looking at projects and priorities for the year, those risk tolerances must be considered. For example, it may not seem like a priority to optimize backups. However, when those backups are optimized, less data needs to be backed up and archived which—in turn—decreases costs.
Increased data volumes
Organizations are creating data at a faster pace than ever before. Recent survey respondents noted that on average, data volumes are growing by 63 percent per month in their organizations. While that data has value and may have the ability to potentially accelerate an organization’s operations, all that data needs to be managed, protected and backed up in some capacity. For many organizations, handling the sheer volume of data their organizations are generating is an ongoing issue.
Addressing the challenge of data protection with increased data volumes
There are a few different ways organizations can go about addressing the challenge of protecting an ever-increasing amount of data.
Part of that lies in accurately classifying organizational data. Are you backing up data that doesn’t need to be backed up, like test machines, swapfiles or operating systems? By identifying what truly needs backed up and protected, organizations aren’t spending additional resources to back up data that is not needed.
Retention policies should also be evaluated. While some data is required to be retained for legal purposes, organizations should consider what data needs to be kept and for how long it needs to be retained.
Ever-growing data volumes also mean that organizations need to maintain a balance between their available backup space and the amount of data to backup. Doubling data volumes without upsizing backup storage space is a real barrier to keeping data protected.
Incomplete backup and disaster recovery strategy
Though backups are a crucial part of recovery, they sometimes aren’t prioritized as a necessity. Getting a business back up and running after an attack is tough enough. Building a disaster recovery strategy while recovering from the aftermath of an attack will inevitably prolong outages.
Addressing the challenge of an incomplete backup and disaster recovery strategy
Preparation and a thorough backup and disaster recovery strategy are crucial elements of data protection. Though it may seem simple to just say “make sure you have a complete backup and disaster recovery strategy,” the realities of getting one in place can be complex.
Most backup strategies always involve a trade-off between having data backed up and accessible and an organization’s budget. Sure, everything could get backed up in a 3-2-1 strategy, but the cost of doing that isn’t always feasible. Every organization will have to determine their own backup priorities, and make decisions based on what is attainable.
A typical backup and disaster recovery plan must be able to address the following questions across an organization.
- What risks are addressed in the organization’s data backup strategy, and do we know what the weakest links are?
- What data is mission-critical, what data is static, and is there any data we can eliminate from backing up?
- If recovery is needed, what is the expected timeline of getting data and applications back up and running? What is a service-level agreement that the team can agree upon?
- What technical capabilities are already in place, and are there any additional tools that should be added to make sure the organization has full backup and recovery coverage?
- Is the organization prioritizing offsite backups to help ensure continuity in the face of a major disaster?
- Is the backup plan documented so that recovery can happen quickly?
- Does the organization test its backup and recovery strategy to ensure everything recovers as expected in an outage?
Addressing the challenge of an incomplete backup and disaster recovery strategy can be an iterative—but absolutely necessary—process.
Security threats
Organizations are facing increased security threats across multiple facets of their IT infrastructure. The estimated cost of ransomware attacks is estimated to reach $265 billion by 2031. Insider threats are an ongoing challenge, and it’s reported that 67 percent of companies experience more than 20 insider threats each year. AI and machine learning have already made inroads on vulnerabilities, and the sprawling attack surface of an organization’s IT landscape makes the threat of attacks an increasingly real possibility.
Addressing security threats
Though organizations will have little to no control over the next attack vector a bad actor will use, the best offense is often a solid defense. For any organization, that means taking a holistic look at its IT infrastructure and attack surfaces to patch and mitigate internal and external threats. This can include looking at an organization’s identity and asset management lifecycle, device configurations, endpoint deployment and patching processes, data architectures, and backup management. This analysis can reveal weak points.
From there, every organization will need to assess the potential risk of these weak points, and figure out how to best address them with the bandwidth and budget on hand.
Compliance
No matter what industry an organization is in, maintaining compliance is a crucial initiative and challenge for data protection. Regulations and penalties around improperly protecting Personally Identifiable Information (PII), intellectual property and other sensitive data make maintaining compliance basic table-stakes for organizations. Most laws and regulations in all countries related to data protection are aimed at protecting the privacy and rights of citizens. However, they introduce additional complexity to your operations, and vary based on region. For example, the amount of time to keep data on hand, the right to be forgotten and the right to anonymity.
Addressing compliance challenges when it comes to data protection
Compliance is a bare minimum requirement. Fortifying defenses and preparing against attacks begins with a thorough understanding of what organizational data is out there. Effective data governance can allow organizations to identify and prioritize risk reduction. Beyond that, an inadequately structured backup strategy may expose organizations to further compliance risk.
Protect all your systems, applications and data.
Addressing compliance challenges starts with organizations asking tough questions:
- Define: What sensitive data does your organization have, and how is it stored?
- Discover: Where does this data live? What places does this data flow to?
- Defend: How can this data be defended? Encryption? Immutable backups? A 3-2-1 backup strategy? Access policies? Hardening endpoints?
Untrained staff
Organizations will spend hundreds of thousands of dollars on technology for data protection and security, but often miss that people are the weakest link in any security posture. Some of the biggest breaches occur simply because of a rogue email attachment. Overlooking the human element of vulnerabilities and not educating staff means organizations will miss a key defense against potential attacks.
Addressing the challenge of staff training
Regular security and compliance training can help mitigate potential threats. When team members can recognize potential phishing attempts and incorporate good security practices into their daily activities, organizations reduce the likelihood of human error leading to breaches and can strengthen their overall security posture.
Conclusion
Safeguarding an organization’s systems is a monumental responsibility that requires serious planning and a commitment to execution. Failing to address these data protection challenges can expose the organization to damaging legal, financial, reputational and operational consequences. By proactively addressing each of these challenges, organizations can mitigate risks and further fortify their security posture.