Friday, July 4, 2025

Why Are Most Companies Falling Short on Data Resilience?


Dave Russell
Dave Russell is SVP and Head of Strategy at Veeam. He leverages 35 years in backup/recovery and storage management software to champion data resiliency. He's a leading voice, engaging global IT professionals and partners to drive Veeam's vision.

69% of companies faced a cyberattack last year, yet 74% lack data resilience best practices. Discover why and how to secure your growing data.

Many organizations have been guilty of putting data resilience on the back burner for years. Over time, however, the rising tide of threat levels, regulations, and best practices has lifted all boats. Resilience is now firmly on the radar. 

Time for a rethink 

Awareness is only half the battle; preparedness is another matter. Now that industry benchmarks have improved so that organizations have a better idea of what to look for, they are waking up to an uncomfortable fact—they aren’t as prepared as they ought to be. In collaboration with McKinsey, the Veeam report on data resilience among larger enterprises found that key aspects of cyber resilience—even old-hat fundamentals like ‘People and Processes’—were regularly self-reported as significantly lacking. 

How did we get here? And how can organizations shore up these shortcomings? For C-suite decision-makers, resilience isn’t the most exciting or business-critical concern. Historically, it was often lumped in with general cybersecurity and assumed to be already in place. Unfortunately, like most contingencies, the actual value of data resilience can’t be appreciated until things go wrong. Aside from the CISO, chief executives often treat backup and recovery processes as if they were an airbag: they forget it’s there until they’re involved in an incident, and then suddenly they’re thanking their lucky stars that it was in place.

With law enforcement cracking down on some of the most prominent groups, including BlackCat and LockBit, there might have been an assumption that cyberattacks are trending down. But that couldn’t be further from the truth. In the last year alone, 69% of companies faced an attack at one point or another, yet 74% still fell short of data resilience best practices. The threat is only evolving, with smaller groups and so-called ‘lone wolf’ attackers stepping into the gap. With a new subsection of attackers comes a new set of methods, with faster data exfiltration methods on the rise.


The writing’s on the wall 

The same Veeam report, in collaboration with McKinsey, revealed that 74% of participating enterprises lacked the maturity to recover quickly and confidently from a disruption. While cyber resilience gaps are often a case of ‘not realising before it was too late’, many of these deficiencies were self-reported in this case. But if organizations are aware, why haven’t they plugged these gaps? 

For some, it could be down to the simple fact that they’ve only just realized. The recent wave of EU-focused regulations, including notably NIS2 and DORA, has spotlighted the issue by requiring organizations to up their resilience across the board. In the build-up to their compliance deadlines over the last year, organizations had to assess their full data resilience critically, many for the first time, revealing a number of previously unknown blind spots.

However, no matter how they realized their gaps, organizations did not fall behind overnight. For many, it’s happened incrementally with their data resilience standards not keeping up as new technologies and applications have been adopted. With most organizations implementing AI at will to stay ahead of the competition and optimize business processes, the impact on their data profiles has gone largely unnoticed. The sheer amount of data needed and generated by these applications has resulted in sprawling data profiles that fall far outside existing data resilience measures. 

Pair this with an underdeveloped understanding of modern data resilience, and you’ve got a recipe for disaster. It’s often a case of ‘you don’t know what you don’t know’. As a result, many organizations have been benchmarking themselves against the wrong yardsticks. Take your standard tabletop exercise: sure, it’s better than nothing, but data resilience can’t be measured on paper. In theory, their processes might work, but in practice it’s a whole other story.

Taking a step in the right direction 

So, what’s next? Rather than waiting for an incident to come along and put them to the test, organizations need to get comfortable with being uncomfortable. That means proactively uncovering and addressing gaps, however uncomfortable they might feel. 

The first step for any organization with below-par data resilience should be to gather a clear picture of its data profile: what it has, where it’s stored, and why it is needed or not. With this, you can reduce at least some of your data sprawl by filtering out any obsolete, redundant, or trivial data to focus on securing the data you actually need. Then, get to work securing it.

But the work doesn’t stop there. Once you’ve got your shiny, new data resilience measures, it’s time to stress test them. And not just once. Data resilience measures need to be consistently and comprehensively tested to push them to their limits, much like in the real thing – cyber-attackers won’t stop when your systems start to creak a little. And they won’t wait until the perfect time. 


To expose potential gaps in your measures, simulate scenarios where key stakeholders are on annual leave or security teams are occupied with something else entirely. It might seem excessive, but otherwise, the first you’ll hear about these vulnerabilities will be during or following a real attack. 

It’s a significant undertaking, but data resilience is worth every penny. According to the Veeam report, produced in collaboration with McKinsey, companies with advanced data resilience capabilities have 10% higher annual revenue growth than those lagging.

That’s not to say that improved data resilience will magically boost these figures for you, but bringing up your data resilience standards will inevitably have a knock-on effect on processes across the board. At the very least, you can be sure that cyberthreats will only grow more complex, and that data footprints won’t get smaller any time soon. It’s an issue that every organization will have to face, so jump in the deep end now before you get pushed beyond your limits by a cyber-attack.
