January 2024

The Evolving Imperative: Data Protection in Always-On and Connected Enterprises

The 4:00 a.m. call:

"Good morning, Chairwoman Jones – this is CEO Jack Smith speaking. I do apologize for the incredibly early call but …, well, we've been hacked, and it's bad!"

The reality comes with strings attached…

According to NCC Group’s monthly Cyber Threat Intelligence Report, North America and Europe observed most of all ransomware attacks in November 2023. There was a 29% increase of overall attacks from October to November.

For the always-on and connected business world of today, data protection is a cornerstone of a comprehensive Information & Cybersecurity strategy. Data protection is firmly rooted as a central discipline towards which most companies and organizations pivot.

Legislation such as GDPR (General Data Protection Regulation), NIS2 (The Network and Information Security Directive) as well as DORA (Digital Operational Resilience Act) on the European Union level aimed at regulated financial institutions, and additional recent enactments, underscore the legal mandates for safeguarding sensitive information and thus critical data.

It is fair to assert that the evolving regulatory frameworks have reshaped how companies and organizations strive to approach data privacy and in general data protection, emphasizing confidentiality, integrity, availability, transparency, accountability, and unambiguous measures and workflows to protect personal data.

At the same time, the responsibilities of executives and chairwomen and -men, when it comes to competently and confidently steering the efforts to manage ever-increasing concerns over data security are expanding as they now bear a heightened personal responsibility and liability in the event of data breaches.

Data Protection is not a feature …

A richness of technology options will not minimize the importance of the human factor in terms of hardening the plethora of attack surfaces out there today.

It is well-known that resiliency and backup data environments are increasingly targeted to deprive the targeted organization of the ability to restore their operation. And yes, the ability to swiftly restore business operations is as crucial as is preventing the breach itself.

It is equally well documented that a targeted company can have been compromised for a considerable period of time prior to detection. Research from OpenText suggests that 49% of ransomware victims are unaware of the breach for more than 24 hours. Often the IT production systems have been breached first, and subsequently the failover systems and the backup data environment are compromised.

Balancing Technology, People, Protocol and Discipline

Mitigating these risks demands a robust cybersecurity framework encompassing the IT production systems, resiliency/failover systems as well as the backup data environment.

But how do you make sure that in the event of one system/environment being compromised it cannot lead to potentially compromising the other?

Before even considering technology, one should make sure that an uncompromising separation-of-duties governance framework (or even architecture) is established, which subsequently is enforced by people, protocol, and discipline.

An uncompromising separation-of-duties governance framework must secure:

That your IT staff only has access to your IT production environment (not to the backup data environment).
That no administrative credentials whatsoever are shared in-between your IT production environment and the backup data environment.
That the IT production environment and the backup data environment are never situated at the same physical location.

If this cannot be confirmed, then exposures are likely present.

Such an uncompromising separation-of-duties governance framework is neither a trivial undertaking to establish nor to maintain. Consequently, the more prudent approach is likely to transition to Data Protection as a Service from a partner capable of documenting credentials ensuring that neither your business-critical information/data nor your business as a whole will be compromised via corrupting your backup data.

Data Protection and the evolving role of leadership …

The confluence of developing legislation and the accelerating growth of data breaches squarely put data protection in the hands of executives, chairwomen and -men.