Debunking the top myths about ransomware and data storage
Johnny Karam, Vice President Emerging Markets at Veritas, looks at some of the most common misconceptions about ransomware, compliance and data storage
As children we are taught to practice caution to ensure our safety and security are not compromised. Now that most of our daily activity is online, businesses need to take the same level of precaution that we did as children, albeit in a more sophisticated and digital manner.
There have long been a number of myths, or preconceptions, adopted by the IT industry that have led to poor data practices, leaving businesses wide open to a myriad of issues.
Although our rapidly advancing technology continues to help protect businesses against ransomware, it would be naïve to assume that ransomware is not simultaneously keeping up. The cost of ransomware is on the rise, and estimates state that global costs will reach $20 billion by next year, an increase from their predicted damages of $11.5 billion in 2019 and $8 billion in 2018. In the last year alone, 49% of organisations surveyed in the UAE had witnessed a ransomware attack.
We’re also seeing an exponential increase in ransomware payments. According to one company, ransomware encryption fees went up 33% in the last quarter alone and are now on average around $110k. Travelex is even reported to have paid hackers a huge $2.3m in an attempt to recover from an attack in January which was instrumental in eventually forcing the company into administration.
We’re seeing the same threats that organisations have faced for years, now evolving with tactics that capitalise on world events to facilitate their effectiveness. The increase in remote working due to the global pandemic is one example of this, significantly amplifying the risks businesses face from these threats and making the need for effective cyber resilience essential.
It is likely that cyber resilience strategies are lacking key elements, with some organisations not having a strategy at all. Security leaders need to invest in strategies that build resilience, while moving at the same pace as digital transformation.
When it comes to protection, raising user awareness across the whole business is of paramount importance. Arming employees with the knowledge they need to practice secure email and browsing habits can prevent many ransomware attacks from succeeding. Protection also involves backing up data securely, reliably and automatically. The strongest position to be in is one where you can just walk away from attackers because you have another clean and safe copy – backup and recovery solutions can give you this.
Protection is only one element of a comprehensive data strategy. Compliance has always been a necessity too, and it is an area where many have struggled to distinguish myth from fact.
Despite months of publicity surrounding the General Data Protection Regulation (GDPR), including the potential benefits of compliance, very few organisations were actually ready for the designated deadline, with many of the view that this would merely be an arbitrary law with little consequence. This led to many businesses scrambling to catch up, both before and after the implementation date.
One of the most common myths surrounding GDPR is that it only applies to companies that store or process personal information about EU citizens within EU states. This view doesn’t go anywhere near far enough, however. Even if your business is GDPR compliant, you must ensure suppliers and contractors are also GDPR compliant – regardless of where they sit in the world.
Many ended up falling into this trap, which led to overconfidence, poor risk assessments, wasted effort and ultimately noncompliance. It’s easy to forget that the new regulations are a unique opportunity for businesses to improve data protection practices and help to prevent cybercrime.
In the Middle East, the recent DIFC Data Protection Law, Law No. 5 of 2020 (DIFC DP Law) came into force on 1 July 2020 and, as of 1 October 2020, is now being enforced. The new DPL 2020 law will actively benefit companies in a range of ways. Not only will it ensure companies have to manage data more effectively to achieve compliance, it will also increase companywide efficiency, provide competitive advantage, and offer protection against malware attacks.
Compliance is most effective when organisations enter into the spirit of regulations, rather than trying to paper over the cracks in their systems in order to abide by the letter of the law. To truly engage with compliance, businesses need to implement good data management practices.
Another question to consider is: where is all the data actually stored? For most, the answer to this is in mega data centres. Hordes and hordes of data are stored in such facilities – where organisations adopt an ‘out of sight, out of mind’ approach. A large portion of this is actually considered ‘dark data’ – data which is acquired through various day-to-day operations but not categorised for use to derive insights or for decision making. People also think that data centres are just ‘safe’ storage facilities; however, maintaining the upkeep of the data in these centres has come into sharp focus in recent months. For instance, on average 52 percent of all data stored by organisations worldwide is ‘dark’, as those responsible for managing it don’t have any idea about its content or value.
Here in the UAE, dark data stood at around 47%, according to the 2019 Veritas Middle East Databerg Report. More recently, updated findings for 2020 revealed that 75% of the data stored by the surveyed organisations in the UAE is dark and ROT (Redundant, Outdated, Trivial information) – 42% being dark and 33% being ROT.
The associated belief is that this dark data is no longer required, so it has little value and therefore little impact on operations. What organisations need to remember is that they themselves are 100% responsible for all of it, whether it lives on premises, or has been outsourced via a third-party cloud provider. It’s important to remember that all data that is deemed worthy to keep hold of has tremendous value, if not to the organisation – then at the very least to hackers.
Much has been said about the financial cost of dark data, but the environmental cost has, so far, often been overlooked. In April this year Veritas estimated that 5.8 million tonnes of CO2 will be unnecessarily pumped into the atmosphere as a result of powering the storage of dark data this year alone. While, on average, 52 percent of all data stored by organisations worldwide is ‘dark’, analysts predict that the amount of data that the world will be storing will grow to 175ZB by 2025. This implies that, unless people change their habits, there will be 91ZB of dark data in five years’ time – over four times the volume we have today, with all the energy associated with powering the infrastructure in which the data lives. By simply managing and clearing out our dark data, we will be helping the planet.
When a more structured and responsible approach to data management is taken, there are countless potential rewards. Organisations that take a holistic view of their data can expect to see improved employee productivity, lower costs, more satisfied customers and increased compliance. When the correct approach is taken, data management stops being a cost to the business, and transforms into an asset that both creates value and unveils better business opportunities.
It’s time for organisations to understand that big data is a big responsibility. Properly managed data has the potential to make or break a business, providing benefits that range from knowing where their data is located to utilising their data in a way that builds competitive advantage. With data being at the heart of every business, it’s time we start treating it and managing it with the weight that it deserves – and there’s no better time to do so than now.