It’s Not Paranoia If They Really Are Out to Get You

Part 6 in a series of posts about Data Protection as a Service… (Also posted on Cobalt Iron’s blog)

Mike Matchett, Small World Big Data

Ask any IT professional about enterprise data security and you can feel the tension in the room rise even before anyone starts speaking. Security is a tense topic, and for good reason. Good data security is hard. Total security today is nigh impossible.

According to the Online Trust Alliance (OTA), cybersecurity incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017. Since the majority of cyber incidents are never reported, OTA believes the actual number in 2017 could easily have exceeded 350,000 [1]. Some attacks, such as ransomware, have increased by 2000% since 2015 [2].

In any large enterprise we can never be 100% certain that some portion of our precious corporate data can’t be hacked, corrupted or lost in some nefarious way. I’m not saying anyone is lax, lazy, or incompetent. I am saying that every day there are new emerging threats, the corporate attack surface is multiplying, and our “sensitive” data footprint is both growing and spreading.

It’s Not Paranoia If They Really Are Out to Get You

Yes Virginia, there really are evil no-good hackers! If you are any kind of company, online or not, you and your data are a big fat target!

We now have malware that, once it worms its way into your organization, might not trip any alarms until it is too late to prevent damage. Ransomware might slowly encrypt (or simply delete or corrupt) your primary data stores. I could go on at some length about increasingly distributed attack surfaces and multiplying online touch points (e.g. kiosks, end user apps, employee mobility, IoT devices, etc.). I’ll just say that we are well beyond the time when a solid firewall was the only defense necessary. Today we absolutely need a more intensive “defense in depth” approach, implementing security at every level.

If this isn’t sounding like a fear-based approach to motivating large security improvements yet, let me pile on a bit more! Consider the modern consequences of a major data breach – your reputation will just be the first casualty. You might lose major (many or most?) customers and clients. If you fall seriously afoul of industry compliance regulations, you can be directly penalized (your fault for being hacked) up to and including losing your whole business.

Even if you don’t lose any customer data or violate privacy regulations, once your systems have been penetrated you will still need to recover to a known good state. As long as we have a trusted, protected copy of our key data kept safe, then when things do go wrong (and they will) we can quickly repair and recover.

Keeping Up is a Company Full of Jobs

So how many security experts does it take to plug all the gaps, patch all the holes, implement all the new security paradigms, and keep up with all the new threats? Even if we look only at the core of our data protection scheme, which must now be as close to 100% protected as possible, we have to regularly (and often immediately) patch aging backup software; ensure complete encryption of all our backup data streams and images (and don’t forget key management); automate and audit every last touch and touchpoint so we can verify system integrity; isolate and verify data integrity (repeatedly); and, of course, actually and reliably back up all of our key data in the first place.

Apparently, we’d need a lot of highly trained people to do this right!
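The “verify data integrity (repeatedly)” job above is the one most easily automated, and it is what lets you tell a good backup from one that ransomware has quietly encrypted. The following is an added illustration, not code from this post or from any vendor product: it hashes every object in a backup set into a manifest, seals the manifest with an HMAC under a key that is assumed to be held only by the verification system (so an attacker who rewrites the backup cannot also rewrite the manifest), and reports corrupted, missing and unexpected objects on re-verification. The backup contents and the key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample "backup images": object name -> bytes. Stand-ins for
# real backup files; in practice you would stream files from disk.
SAMPLE_BACKUP = {
    "db/orders.bak": b"orders table dump 2024-01-01",
    "files/payroll.tar": b"payroll archive contents",
    "config/app.yaml": b"db_host: internal\nretention_days: 30\n",
}

# Hypothetical manifest-sealing key. Assumption: it lives with the verifier
# (e.g. an isolated validation landscape), never with the backup writer.
MANIFEST_KEY = b"constructed-verifier-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(hashes: dict, key: bytes) -> str:
    # Canonical JSON so the MAC is stable regardless of dict ordering.
    canonical = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(backup: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Hash every object and seal the hash list with an HMAC, so a
    manifest edited to match tampered data is itself detectable."""
    hashes = {name: sha256_hex(data) for name, data in sorted(backup.items())}
    return {"hashes": hashes, "mac": _seal(hashes, key)}


def verify_backup(backup: dict, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Re-hash the backup against the manifest and return a report:
    whether the manifest seal is intact, which objects no longer match
    (corrupted), which are gone (missing) and which were never recorded
    (unexpected). 'ok' is True only when everything checks out."""
    seal_ok = hmac.compare_digest(_seal(manifest["hashes"], key), manifest["mac"])
    corrupted, missing = [], []
    for name, digest in manifest["hashes"].items():
        if name not in backup:
            missing.append(name)
        elif not hmac.compare_digest(sha256_hex(backup[name]), digest):
            corrupted.append(name)
    unexpected = sorted(set(backup) - set(manifest["hashes"]))
    return {
        "seal_ok": seal_ok,
        "corrupted": sorted(corrupted),
        "missing": sorted(missing),
        "unexpected": unexpected,
        "ok": seal_ok and not corrupted and not missing and not unexpected,
    }


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUP)
    print("fresh backup:", verify_backup(SAMPLE_BACKUP, manifest))

    # Simulate ransomware silently rewriting one backup object (constructed).
    damaged = dict(SAMPLE_BACKUP)
    damaged["db/orders.bak"] = b"<ciphertext written by ransomware>"
    print("damaged backup:", verify_backup(damaged, manifest))
```

Run the verification from a system the backup writer cannot reach and on a schedule, not just once at backup time: a backup that verified last month proves nothing about its state today, and the seal check only holds if the key really is kept out of the path that writes backups.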

For most backup products on the market today, cyber security requires additional products designed to fortify the backup and cut off access to potentially vulnerable areas. The architecture may include new air-gapped landscapes run by the security team, requiring the training of a new group of IT professionals, increasing the number of people involved in the process, and of course driving up costs as well.

However, I’d propose that the biggest data security risks stem from having lots of “people” in the middle of key data protection processes. Whether through naiveté, apathy, error, or evil intent, anytime and anywhere people are involved in data protection processes there are inherent vulnerabilities.

Can we get rid of all our people? Of course not! But we can implement data protection schemes that take people out of the critical data protection equation as much as possible.

Managed Data Protection as a Service

If it takes a company of data protection experts to provide the best and most secure data protection solution possible, then so be it. But your company most likely has a business of its own to run and cannot be 100% internally focused on secure data protection. Is secure data protection expertise something you can simply subscribe to?

Yes. You only need to find a great data protection service provider to work with – one that has a world-class security solution and a company of experts behind it. For example, Cobalt Iron offers ADP CyberShield™, which architects security features to protect your key data into the core data protection product. Built-in features include fully automated, human-less backup operation that cannot be interfered with from inside the enterprise, full encryption schemes, WORM policies, air-gapped and isolated landscapes for validation and recovery, and more.

If we apply the law of parsimony, also known as Occam’s Razor, then “simpler solutions are more likely to be correct than complex ones” [3]. In the case of protecting your backup data, a solution with security built in by design will be stronger and less expensive than one that requires plugging the holes after the fact. The security for your backup solution should not be an add-on.

1. https://otalliance.org/news-events/press-releases/online-trust-alliance-reports-doubling-cyber-incidents-2017-0

2. https://economia.icaew.com/en/news/december-2017/ransomware-attacks-increase-2000-since-2015

3. https://en.wikipedia.org/wiki/Occam%27s_razor