Businesses are clear that they are facing a constant and increasingly complex battle to continue protecting their data.
By Carlos Ortiz
According to Veeam's 2024 Data Protection Trends Report, this year 92% of organizations will increase their data protection spending to achieve data resilience amid the ongoing threat of ransomware attacks and other vulnerabilities. This is extremely timely, as according to the same report, 76% of organizations acknowledge having a protection breach, and 37% of servers experienced at least one unexpected outage last year.
However, in addition to technological investment, a crucial element in this fight is education. There are too many misconceptions that can catch businesses off guard, which is why at Veeam we want to emphasize the top 3 data protection myths that we need to recognize to avoid falling for them.
Myth 1: Cloud providers back up your data
Companies, accustomed to storing data and workloads in the cloud, know that security breaches in this environment have surpassed those that take place on on-premise servers (this does not mean that one is more secure than the other, but rather shows the change in the balance of power, or data, of the modern organization). Despite this, there remains a widespread misunderstanding about the cloud shared responsibility model.
A 2023 study found that 43% of IT data managers believe, incorrectly, that cloud providers take care of everything once data has been migrated, and that they are responsible for protecting and recovering all information contained in the cloud. However, this is simply not so: data backup and disaster recovery are often shared responsibilities. The cloud provider offers the tools and capabilities, but it's up to the customer to configure and manage backups based on their needs. If you want to hand those responsibilities off to a third party, you can do so with Backup-as-a-Service (BaaS) and Platform-as-a-Service (PaaS), but they don't come as standard.
Myth 2: When suffering a ransomware attack, paying the ransom is the solution
Ransomware is the top threat when it comes to data breaches and system outages: according to the Data Protection Trends Report mentioned above, 3 out of 4 organizations suffered at least one such attack last year, and a quarter of the total were attacked more than four times. Having to recover from ransomware is an unfortunate reality for modern businesses, yet too many organizations (81%, according to Veeam's 2024 Ransomware Trends Report) end up paying the ransom demands, and only 54% managed to recover their data.
The main mistake is not so much thinking that paying a ransom is risk-free as dismissing the time it takes to recover the data, even if the payment works. It's not a point-and-click matter: decryption is a fairly manual task, and decryption keys unlock only a small number of files at a time. Some groups even charge extra for additional keys to streamline the process! Not surprisingly, on average, it takes just over three weeks to recover from a ransomware attack (according to the Ransomware Trends Report cited above).
Myth 3: Using backups after a ransomware incident
Industry experts in ransomware resistance have gone to great lengths, not only to evangelize against paying the ransom, but also to educate organizations on how data backup and recovery represent a much safer, more reliable, and ethical way to get ahead of ransomware attacks. While virtually all organizations today take backups seriously (more so now that regulations such as the EU's NIS2 make it a legal requirement for many), some are less prepared than they think when it comes to using these backups to recover from ransomware.
One of the most common issues in ransomware attack recovery is when the backup is attacked and compromised during the incident: attackers can affect backup repositories in 3 out of 4 attacks. The solution? Have multiple backups, have immutable backups, and maintain an offline version.
Another obstacle that organizations face is not having an environment ready to recover data into. Sometimes they realize too late that the production environment that houses the workloads, whether in the cloud or on-premises, will be unavailable for some time because it is compromised or "cordoned off" as an active crime scene. A backup environment is needed to recover backup data during an outage. If it's a cloud, make sure your team is technically comfortable with how that particular cloud works, as you don't want to have to refactor data or learn new cloud specifications in the middle of an outage.
Ensuring data protection and resilience is a never-ending task; it requires constant adaptation to new threats and technologies. This means that we must continually educate ourselves, responsible specialists, and broader stakeholders (such as senior management and Finance and Compliance teams). Widespread misconceptions can make an organization vulnerable or slower to respond to its data protection needs. Knowledge is power and ignorance is bliss until things start to go wrong.
*Carlos Ortiz, Country Manager of Veeam Mexico


